Thread: BIND and CHROOT question

  1. #1

    BIND and CHROOT question

    Hi everyone!
    I installed a fresh copy of SLES 11SP2x64AMD and I am wondering if the BIND daemon is chroot'ed by default?
    From what I see in the folder /var/lib/named/, a few catalogs are set with the named:named user
    and /etc/group contains the named:!:44 user, but my concern is whether it requires some tweak to make it secure, or whether it is already prepared/chroot'ed and ready to use?
    Last edited by malcolmlewis; 22-Jun-2012 at 21:36. Reason: User request

  2. #2

    Re: BIND and CHROOT question

    I think I found the answer with the previous version:
    http://www.pcc-services.com/sles/dns2.html
    SLES10, for security reasons, will run the DNS Server in a "chroot jail" that is located at /var/lib/named - this is done so that any security breach of the DNS server will only result in the DNS service itself being attacked. You can adjust this behavior with the "/etc/sysconfig Editor" YaST module located in the "System" category. Here you can adjust the following DNS options:

    NAMED_RUN_CHROOTED - Allows you to disable running the DNS Server within a chroot jail

    NAMED_ARGS - Additional options you can add when starting the DNS Server.

    NAMED_CONF_INCLUDE_FILES - Any additional files you need to have copied into the chroot jail when named is started.

    NAMED_INITIALIZE_SCRIPTS - Any scripts that you want to be run when the DNS Server is (re)started can be listed here.

  3. #3
    cjcox NNTP User

    Re: BIND and CHROOT question

    On 06/22/2012 02:24 PM, MTerlik wrote:
    >
    > Hi everyone!
    > I installed a fresh copy of SLES 11SP2x64AMD and I am wondering if the BIND
    > daemon (9.6-ESV-R5-P1) is chroot'ed by default?
    > From what I see in the folder /var/lib/named/, a few catalogs are set with
    > the named:named user
    > and /etc/group contains the named:!:44 user, but my concern is whether it
    > requires some tweak to make it secure, or whether it is already
    > prepared/chroot'ed and ready to use?

    The directories that are named:named in /var/lib/named are set that way because they
    could receive dynamic updates (e.g. the dyn directory). As you mentioned, it
    runs chrooted as the user named, so the perms are open in areas where named
    needs to write.
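The two replies above give the administrator three things to verify: the NAMED_RUN_CHROOTED setting in the sysconfig file, whether the running named process actually sees the jail as its root, and that the only writable areas inside the jail are the ones owned by the named user (the dyn directory being the expected case). The following read-only audit script is an added example and is not code from this thread or from SUSE. It assumes the sysconfig file is /etc/sysconfig/named, the jail is /var/lib/named and the service user is named; all three can be overridden through environment variables, and the constructed test inputs are labelled as such.

```sh
#!/bin/sh
# Added example (not from the thread or SUSE): read-only audit of a chrooted BIND.
# Assumed defaults, labelled as assumptions; override via the environment.
SYSCONFIG_FILE="${SYSCONFIG_FILE:-/etc/sysconfig/named}"
CHROOT_DIR="${CHROOT_DIR:-/var/lib/named}"
NAMED_USER="${NAMED_USER:-named}"

# named_chroot_setting FILE: print the configured value of NAMED_RUN_CHROOTED
# (quotes and trailing comments stripped, last definition wins) or "unset".
named_chroot_setting() {
    line=$(grep '^[[:space:]]*NAMED_RUN_CHROOTED=' "$1" 2>/dev/null | tail -n 1)
    if [ -z "$line" ]; then
        printf 'unset\n'
        return 0
    fi
    val=${line#*=}
    val=$(printf '%s\n' "$val" | sed -e 's/#.*$//' -e "s/[\"']//g" -e 's/[[:space:]]*$//')
    printf '%s\n' "$val"
}

# world_writable_count DIR: number of non-symlink entries under DIR that are
# writable by everyone. named only needs write access as its own user, so any
# world-writable path inside the jail is a misconfiguration worth flagging.
world_writable_count() {
    find "$1" ! -type l -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# process_root PID: the root directory the process actually sees (Linux /proc).
# A chrooted named reports the jail path here instead of "/".
process_root() {
    readlink "/proc/$1/root" 2>/dev/null || printf 'unknown\n'
}

audit_named_chroot() {
    printf 'NAMED_RUN_CHROOTED in %s: %s\n' "$SYSCONFIG_FILE" \
        "$(named_chroot_setting "$SYSCONFIG_FILE")"
    pid=$(pgrep -x named 2>/dev/null | head -n 1)
    if [ -n "$pid" ]; then
        printf 'named pid %s runs with root %s as user %s\n' "$pid" \
            "$(process_root "$pid")" "$(ps -o user= -p "$pid")"
    else
        printf 'named is not running\n'
    fi
    if [ -d "$CHROOT_DIR" ]; then
        printf 'directories in %s owned by %s (writable areas such as dyn are expected):\n' \
            "$CHROOT_DIR" "$NAMED_USER"
        find "$CHROOT_DIR" -type d -user "$NAMED_USER" 2>/dev/null
        printf 'world-writable entries in the jail: %s\n' "$(world_writable_count "$CHROOT_DIR")"
    fi
}

# Only run the audit when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--audit" ]; then
    audit_named_chroot
fi
```

Run it as `sh audit-named.sh --audit` on the host. A healthy SLES install should report the setting as yes, a process root equal to the jail directory, the named user as owner of only the directories named must write to, and zero world-writable entries.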

