Please install bind9 in a chroot

Bug #127184 reported by PatRiehecky on 2007-07-20
Affects: bind9 (Ubuntu)

Bug Description

Binary package hint: bind9

Bind doesn't have the best track record for security and doesn't really access anything outside of itself. Is there any chance for getting it to install into a chroot environment?

Steps to make this possible:

# 1. Tell named to drop privileges to the bind user and chroot into the -t directory
vi /etc/default/bind9 and change OPTIONS to
 OPTIONS="-u bind -t /var/spool/bind9"

# 2. Build the tree named expects to see under its new root (-p makes this rerunnable)
mkdir -p /var/spool/bind9/etc
mkdir -p /var/spool/bind9/dev
mkdir -p /var/spool/bind9/var/cache/bind
mkdir -p /var/spool/bind9/var/run/bind/run

# 3. Move the configuration inside the chroot; the symlink keeps /etc/bind usable from outside
mv /etc/bind /var/spool/bind9/etc
ln -s /var/spool/bind9/etc/bind /etc/bind

# 4. Device nodes named opens after chrooting (major/minor as on a stock Linux /dev)
mknod /var/spool/bind9/dev/null c 1 3
mknod /var/spool/bind9/dev/random c 1 8
chmod 666 /var/spool/bind9/dev/null /var/spool/bind9/dev/random
chown -R bind:bind /var/spool/bind9/var/*
# Caveat: this gives the bind user write access to named.conf and the zone files inside
# the chroot; only do it if named actually needs to write there (e.g. slave or dynamic zones)
chown -R bind:bind /var/spool/bind9/etc/bind

You also need to make a small change to syslog (this is the tricky bit for automating...)
vi /etc/init.d/sysklogd and change SYSLOGD to
# 5. The extra log socket must live inside the chroot, i.e. under the same directory given to -t above
SYSLOGD="-u syslog -a /var/spool/bind9/dev/log"
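A check to run before restarting named, as an added example (a shell script written for this page, not part of the bug report or of the bind9 package): it reads the chroot directory out of the OPTIONS line from /etc/default/bind9 and then reports every directory, device node or log socket that is missing or wrong under that root. The directory list and device numbers follow the mkdir/mknod lines above; the dev/log path is assumed to be the one syslogd is told about with -a, and the major/minor check relies on GNU stat's %t/%T format.

```shell
#!/bin/sh
# Added example, not code from the bug report: sanity-check a bind9 chroot
# tree before restarting named with "-t DIR". Assumes GNU stat for %t/%T and
# that syslogd's extra socket is DIR/dev/log, as in the report's SYSLOGD line.

# Print the directory given to "-t" in an OPTIONS= line from /etc/default/bind9.
# Returns 1 when there is no -t argument, i.e. named would not chroot at all.
chroot_dir_from_options() {
    local line
    line=${1#*=}                        # drop 'OPTIONS='
    line=${line#\"}; line=${line%\"}    # strip the surrounding quotes
    set -- $line                        # split on whitespace
    while [ $# -gt 0 ]; do
        if [ "$1" = "-t" ] && [ -n "$2" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Print one line per problem found under the chroot root given as $1.
# Returns 0 when the tree is complete, 1 otherwise.
check_bind_chroot() {
    local root bad d spec dev maj min have
    root=$1; bad=0
    # directories from the report's mkdir lines
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        [ -d "$root/$d" ] || { echo "missing dir: $d"; bad=1; }
    done
    # character devices named opens after chrooting; numbers as in the mknod lines
    for spec in "null 1 3" "random 1 8"; do
        set -- $spec; dev=$1; maj=$2; min=$3
        if [ ! -c "$root/dev/$dev" ]; then
            echo "missing char device: dev/$dev (c $maj $min)"; bad=1
        else
            have=$(stat -c '%t %T' "$root/dev/$dev")   # GNU stat: hex major, hex minor
            set -- $have
            if [ $((0x$1)) -ne "$maj" ] || [ $((0x$2)) -ne "$min" ]; then
                echo "wrong device numbers: dev/$dev is $((0x$1)):$((0x$2)), want $maj:$min"
                bad=1
            fi
        fi
    done
    # syslogd creates this socket once restarted with "-a $root/dev/log";
    # until then named inside the chroot cannot log anything
    [ -S "$root/dev/log" ] || { echo "missing syslog socket: dev/log"; bad=1; }
    return $bad
}
```

On a real host, run it as root against the configured root with `check_bind_chroot "$(chroot_dir_from_options "$(grep '^OPTIONS=' /etc/default/bind9)")"`; a clean exit status means the tree matches the steps above, and the "missing syslog socket" line is expected until sysklogd has been restarted with the new -a argument.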

Mathias Gug (mathiaz) on 2007-07-20
Changed in bind9:
importance: Undecided → Wishlist
status: New → Triaged
LaMont Jones (lamont) wrote:

Unfortunately, if bind9 were to modify /etc/init.d/sysklogd, that would violate policy. We need to have sysklogd export an interface for making the change.

Thomas Hood (jdthood) on 2012-04-18
summary: - Installing bind9 in a chroot
+ Please install bind9 in a chroot

Note in reference to "doesn't really access anything outside of itself": it was mentioned in bug 975973 that e.g. Samba bind integration would need it not to be in a chroot. So at least some configuration is needed to make it able to run either in a chroot or not.
