
Re: Bind mount into a chroot with systemd



On Sun, 29 Oct 2023 08:18:14 +0100, Paul Muster
<exp-311223@news.muster.net> wrote:
>On 28.10.23 13:02, Marc Haber wrote:
>
>> |ExecStart=/usr/sbin/named -f -u bind -c /etc/bind/named.conf -t /var/local/ch>
>
>> |BindReadOnlyPaths=/run/systemd/notify:/var/local/chroot/bind/run/systemd/noti>
>
>> |SystemCallFilter=~@mount @swap @resources @reboot @privileged @obsolete @modu>
>
>The terminal was too narrow in a few places, wasn't it?

Oh yes, of course. I apologize.

|[2/4996]mh@torres:~ $ sudo systemctl cat bind9 | cat
|# /lib/systemd/system/named.service
|[Unit]
|Description=BIND Domain Name Server
|Documentation=man:named(8)
|After=network.target
|Wants=nss-lookup.target
|Before=nss-lookup.target
|
|[Service]
|Type=notify
|EnvironmentFile=-/etc/default/named
|ExecStart=/usr/sbin/named -f $OPTIONS
|ExecReload=/usr/sbin/rndc reload
|ExecStop=/usr/sbin/rndc stop
|Restart=on-failure
|
|[Install]
|WantedBy=multi-user.target
|Alias=bind9.service
|
|# /etc/systemd/system/named.service.d/options.conf
|# this file is managed by ansible
|
|# this puts bind into a chroot (which is done on all Debian systems)
|
|[Service]
|ExecStart=
|ExecStart=/usr/sbin/named -f -u bind -c /etc/bind/named.conf -t /var/local/chroot/bind
|
|
|# /etc/systemd/system/named.service.d/order.conf
|# this file is managed by ansible
|
|# this forced bind to start after the network
|
|[Unit]
|After=network-online.target
|Wants=network-online.target
|
|
|# /etc/systemd/system/named.service.d/restart.conf
|# this file is managed by ansible
|
|# this makes bind restart after a failure
|
|[Unit]
|StartLimitIntervalSec=90s
|StartLimitBurst=5
|
|[Service]
|Restart=on-failure
|RestartSec=5s
|
|# /etc/systemd/system/named.service.d/security.conf
|# this file is managed by ansible
|
|# this reduces bind's exposure to local security risks
|# this is only done on bookworm and newer
|
|[Service]
|WorkingDirectory=/var/local/chroot/bind
|# this will end up in a "too many symlinks" message.
|#RootDirectory=/
|ProtectProc=invisible
|ProcSubset=pid
|BindReadOnlyPaths=/run/systemd/notify:/var/local/chroot/bind/run/systemd/notify
|BindReadOnlyPaths=/usr/share/dns:/var/local/chroot/bind/usr/share/dns
|User=bind
|Group=bind
|UMask=077
|CapabilityBoundingSet=cap_net_admin cap_net_bind_service cap_sys_chroot
|AmbientCapabilities=  cap_net_admin cap_net_bind_service cap_sys_chroot
|NoNewPrivileges=true
|#not explicitly set: works automatically.
|#AppArmorProfile
|ProtectSystem=strict
|ProtectHome=yes
|# {Runtime,Cache,Configuration}Directory cannot be used
|# because our bind chroots itself and those directives only
|# create directories under the standard paths.
|#RuntimeDirectory=bind
|ReadWritePaths=/var/local/chroot/bind/run
|#CacheDirectory=bind
|ReadWritePaths=/var/local/chroot/bind/var/cache/bind
|#ConfigurationDirectory=bind
|ReadOnlyPaths=/
|InaccessiblePaths=-/lost+found
|NoExecPaths=/
|# /lib is necessary here, or execve will fail without indication for reason
|ExecPaths=/usr/sbin/named /usr/sbin/rndc /lib
|PrivateTmp=true
|PrivateDevices=true
|PrivateIPC=true
|# enabling PrivateUsers=true causes
|# "couldn't add command channel 127.0.0.1#953: permission denied"
|ProtectHostname=true
|ProtectClock=true
|ProtectKernelTunables=true
|ProtectKernelModules=true
|ProtectKernelLogs=true
|ProtectControlGroups=true
|RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET AF_INET6
|RestrictNamespaces=~user pid net uts mnt cgroup ipc
|LockPersonality=true
|MemoryDenyWriteExecute=true
|RestrictRealtime=true
|RestrictSUIDSGID=true
|RemoveIPC=true
|SystemCallFilter=~@mount @swap @resources @reboot @privileged @obsolete @module @debug @cpu-emulation @clock
|SystemCallFilter=chroot setuid
|SystemCallArchitectures=native
|[3/4997]mh@torres:~ $ 
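An added example, not part of Marc's post or of the Debian named.service unit: a small POSIX sh lint for a drop-in like the one above. When a service chroots itself with `-t` rather than using `RootDirectory=`, systemd knows nothing about the chroot, so every `BindReadOnlyPaths=` destination and every `ReadWritePaths=` entry has to be spelled out with the chroot prefix by hand, and `AmbientCapabilities=` must stay within `CapabilityBoundingSet=` or the service fails to start. The script checks exactly those three things. The unit text is constructed inline from the directives shown above; the function names and the `-t` parsing are this example's own.

```shell
#!/bin/sh
# Lint a systemd drop-in for a service that chroots itself (named -t DIR).
# Constructed input: the relevant directives from the unit shown in the post.
UNIT_TEXT='[Service]
ExecStart=
ExecStart=/usr/sbin/named -f -u bind -c /etc/bind/named.conf -t /var/local/chroot/bind
BindReadOnlyPaths=/run/systemd/notify:/var/local/chroot/bind/run/systemd/notify
BindReadOnlyPaths=/usr/share/dns:/var/local/chroot/bind/usr/share/dns
ReadWritePaths=/var/local/chroot/bind/run
ReadWritePaths=/var/local/chroot/bind/var/cache/bind
CapabilityBoundingSet=cap_net_admin cap_net_bind_service cap_sys_chroot
AmbientCapabilities=  cap_net_admin cap_net_bind_service cap_sys_chroot
'

# chroot_from_execstart TEXT
# Print the -t argument of the last non-empty ExecStart= line (the reset
# line "ExecStart=" is skipped, as systemd does).
chroot_from_execstart() {
    printf '%s\n' "$1" | grep '^ExecStart=.' | tail -n 1 |
        sed -n 's/.* -t \([^ ]*\).*/\1/p'
}

# paths_outside_chroot TEXT CHROOT
# Print every Bind*Paths destination and ReadWritePaths entry that is not
# below CHROOT; return 1 if there is at least one, 0 otherwise.
paths_outside_chroot() {
    lint_text=$1; lint_root=$2; lint_bad=0
    # Bind*Paths is SRC[:DEST[:OPTS]]; keep DEST (or SRC when no DEST given),
    # and drop a leading "-" (the "ignore if missing" marker).
    lint_dests=$(printf '%s\n' "$lint_text" |
        sed -n 's/^Bind[A-Za-z]*Paths=//p' |
        sed 's/^[^:]*://; s/:.*$//; s/^-//')
    lint_rw=$(printf '%s\n' "$lint_text" |
        sed -n 's/^ReadWritePaths=//p' | sed 's/^-//')
    for lint_p in $lint_dests $lint_rw; do
        case $lint_p in
            "$lint_root"/*) ;;
            *) printf 'outside chroot: %s\n' "$lint_p"; lint_bad=1 ;;
        esac
    done
    return $lint_bad
}

# ambient_within_bounding TEXT
# Return 1 if any ambient capability is missing from the bounding set.
ambient_within_bounding() {
    lint_bound=$(printf '%s\n' "$1" | sed -n 's/^CapabilityBoundingSet=//p' |
        tr ' ' '\n' | sed '/^$/d')
    lint_amb=$(printf '%s\n' "$1" | sed -n 's/^AmbientCapabilities=//p')
    for lint_c in $lint_amb; do
        printf '%s\n' "$lint_bound" | grep -qx "$lint_c" || {
            printf 'ambient capability not in bounding set: %s\n' "$lint_c"
            return 1
        }
    done
    return 0
}

# Stand-alone run against the constructed unit text
lint_chroot=$(chroot_from_execstart "$UNIT_TEXT")
if paths_outside_chroot "$UNIT_TEXT" "$lint_chroot" &&
   ambient_within_bounding "$UNIT_TEXT"; then
    echo "drop-in is consistent with chroot $lint_chroot"
fi
```

To run the same checks against a live unit, feed it the output of `systemctl cat named.service` instead of `UNIT_TEXT`; the drop-in ordering systemd uses (later files override earlier ones) is the same order `systemctl cat` prints, which is why the last non-empty `ExecStart=` wins here.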

Regards
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | 
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
