Bind chroot configuration

[Toffee]

Hello.

I've got few questions about bind chroot configuration.

Many tutorials explane that we must create an entire directory structure in the chroot directory. It means that libraries and binaries of Bind are present in the chroot directory. Many others indicate that CHROOT_DIR/dev, CHROOT_DIR/etc and CHROOT_DIR/var are sufficient and so, libraries and binaries aren't in the chroot directory.


What is the difference between these two configurations? What is the best configuration in term of security?

Thanks a lot for your response.

[falko]

I think that those are two different approaches. E.g., in this howto http://www.howtoforge.com/howto_bind_chroot_debian we don't need all the libraries etc. in the chroot jail because we tell Bind's init script to run Bind chrooted (by putting

Code:

OPTIONS="-u bind -t /var/lib/named"

into /etc/default/bind9). I think it's a lot easier than putting all the libraries etc. into the chroot jail...

[public_domain]

OPTIONS="-u bind -t /var/lib/named"
/etc/default/bind9
(as it is, no .../named and no ../bind9)
TYIA

[falko]

Quote:

Originally Posted by public_domain

OPTIONS="-u bind -t /var/lib/named"
/etc/default/bind9
(as it is, no .../named and no ../bind9)
TYIA

What is the question?

[public_domain]

does this reference [OPTIONS="-u bind -t /var/lib/named"] point to a directory that is supposed to be there real or symlink?

[falko]

-u bind means the user bind. /var/lib/named is a directory and must exist. BIND will run chrooted in that directory.

[Deem3n®]

There is no matter how to use BIND in chroot.

Take a look to this guide. In that example BIND is running at /chroot/named directory