
Re: Using BIND in a chroot enviro?



Well, I got it all to work, even logging :-D

BIND is run under user and group named, and restrained into a chroot jail.

My directory structure looks like:

*the file permissions are also configured according to the
Chroot-BIND-HOWTO

root@NodeFilter:/# du -a /chroot
0       /chroot/named/dev/log
0       /chroot/named/dev/null
1       /chroot/named/dev
4       /chroot/named/etc/bind/db.0
4       /chroot/named/etc/bind/db.local
4       /chroot/named/etc/bind/db.127
4       /chroot/named/etc/bind/db.255
4       /chroot/named/etc/bind/db.root
21      /chroot/named/etc/bind
4       /chroot/named/etc/group
4       /chroot/named/etc/named.conf
4       /chroot/named/etc/localtime
33      /chroot/named/etc
92      /chroot/named/lib/ld-2.2.3.so
1100    /chroot/named/lib/libc-2.2.3.so
0       /chroot/named/lib/ld-linux.so.2
0       /chroot/named/lib/libc.so.6
1193    /chroot/named/lib
0       /chroot/named/var/run/ndc
4       /chroot/named/var/run/named.pid
5       /chroot/named/var/run
4       /chroot/named/var/cache/bind/named_dump.db
5       /chroot/named/var/cache/bind
5       /chroot/named/var/cache
10      /chroot/named/var
2300    /chroot/named/usr/sbin/named
2301    /chroot/named/usr/sbin
2301    /chroot/named/usr
3538    /chroot/named
3538    /chroot


However, I did have to downgrade to BIND 8.2.4. I did so because I needed
to compile a statically linked version of the named binary. (BIND 9's
source is different and I had no docs to follow on it)

I got a few questions about my chroot'ed DNS setup. I basically followed
the instructions on the Psionic Software web site and the
Chroot-BIND-How-to. However, I noticed two differences between the
documents.

1. Psionic's doc recommends that you compile a statically linked named
binary and then copy it into your chroot tree, while the Chroot-BIND-Howto
recommends that you compile and install BIND directly into your chroot tree.

2. The Chroot-BIND-Howto recommends that you create a /chroot/named/lib
directory and copy your system's C libraries into it so that BIND can access
them.

My questions are, what's the difference between a normal compilation and a
statically linked one?

Why would you place the C libraries into your chroot tree?

I'm no newbie to Linux, but I'm no expert when it comes to sysadmin tasks
and software compilation (Damn that apt daemon!!)  I would appreciate it if
some of you gurus could give me a little detail on these subjects.

Thanks

Stef

BTW, I edited named.conf and commented out the query source port statement;
I'm going to have to edit my iptables script to match this new behavior in
my BIND daemon. -> thanks for the tip(s) :-D
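On the two questions above: a dynamically linked named does not carry libc inside it, so the loader must be able to find libc.so.6 and ld-linux.so.2 from inside the jail (which is what the /chroot/named/lib entries in the listing provide), whereas a statically linked build has those routines compiled in and needs no lib directory at all. Below is an added POSIX sh example, not code from Stef's post or from either HOWTO, that uses ldd to tell the two cases apart and copies the needed libraries into the chroot tree; it assumes glibc-style ldd output, and the script name stage_libs.sh is made up.

```shell
#!/bin/sh
# Added example (not from the post or either HOWTO): stage the shared
# libraries a dynamically linked named binary needs into a chroot tree.
# Assumes glibc-style ldd output; /chroot/named paths follow the post.

# Print the absolute library paths found in ldd output read from stdin.
# Matches "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib/ld-linux.so.2 (0x...)"; skips vdso entries and "statically linked".
extract_lib_paths() {
    awk '/ => \// { print $3; next }
         /^[ \t]*\// { print $1 }'
}

# Follow a chain of symlinks (libc.so.6 -> libc-2.2.3.so) without GNU
# readlink -f, so the real object is copied along with the symlink name.
resolve_link() {
    p=$1; n=0
    while [ -L "$p" ] && [ "$n" -lt 8 ]; do
        t=$(readlink "$p")
        case $t in /*) p=$t ;; *) p="$(dirname "$p")/$t" ;; esac
        n=$((n + 1))
    done
    printf '%s\n' "$p"
}

# Copy each library into $1 (the chroot root) at the same path it has on
# the host, recreating symlinks and the real files they point at.
stage_libs() {
    chroot_dir=$1; shift
    for lib in "$@"; do
        dest="$chroot_dir$(dirname "$lib")"
        mkdir -p "$dest"
        if [ -L "$lib" ]; then
            ln -sf "$(readlink "$lib")" "$dest/$(basename "$lib")"
            lib=$(resolve_link "$lib")
            dest="$chroot_dir$(dirname "$lib")"
            mkdir -p "$dest"
        fi
        cp -p "$lib" "$dest/"
    done
}
# A statically linked named (the Psionic recipe) needs no lib directory.
is_static() { ldd "$1" 2>&1 | grep -Eqi 'statically linked|not a dynamic executable'; }
needed_libs() { ldd "$1" | extract_lib_paths; }
# Usage: sh stage_libs.sh /chroot/named /chroot/named/usr/sbin/named
if [ "$#" -eq 2 ]; then
    if is_static "$2"; then echo "$2 is static; nothing to copy"
    else stage_libs "$1" $(needed_libs "$2"); fi
fi
```

After staging, `chroot /chroot/named /usr/sbin/named -v` (or whatever the binary's version flag is in your build) is a quick way to confirm the loader finds everything inside the jail before the daemon is started for real.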