[Linux-disciples] chrooting bind9
Stephen R Laniel
steve at laniels.org
Wed Nov 16 10:10:49 EST 2005
On Mon, Nov 14, 2005 at 05:43:13PM -0500, Adam Rosi-Kessel wrote:
> apt-get depends on a lot of stuff. I suppose the above might work, but I
> think you'd be getting pretty close to having a full fledged Debian
> installation inside the jail, once you have apt-get, dpkg, etc.. I
> don't think this is how people do it, although I may not have the most
> convincing argument as to why they don't do it that way.
I now have bind running in a chroot jail (without going through the apt-get craziness that I was contemplating), but one thing puzzles me a little: the named executable itself is not in the jail; it's still in /usr/sbin/named. My sense is that bind starts, sees that the command-line argument (-t pathname) orders it to run in a jail, and does so. But I'm not totally clear how: I know that Apache will spawn subprocesses for each client request, so I can understand that each of those subprocesses would have its own idea of root. But if named is running as one process, how does it force itself to run 100% jailed?
Also, if anyone understands why bind uses rndc, I'd love to hear. rndc communicates with bind through a TCP socket, whereas earlier versions (called just 'ndc', I believe) could also use a UNIX-domain socket. You control named through rndc. What advantage does this give over just controlling bind directly? Among other things, rndc adds a tiny little bit of complexity, because you need to set the permissions appropriately on the directory that will contain the socket.
Maybe rndc is valuable so that you can control many domain-name servers on many remote machines from a single controller? But then, wouldn't Apache get some value out of an arrangement like that? So why isn't Apache using it?
--
Stephen R. Laniel
steve at laniels.org
+(617) 308-5571
http://laniels.org/
PGP key: http://laniels.org/slaniel.key