chroot implementation of bind and kea

Dries Michiels driesmp at hotmail.com
Mon Nov 13 20:14:13 UTC 2017


Dear net mailing list,

At the moment BIND's default chroot behavior is to move all necessary files to a directory specified in rc.conf as named_chrootdir.
Afterwards the RC script creates a symlink from /usr/local/etc/namedb/ to the named_chrootdir so that config files, etc., can still be modified from /usr/local/etc/, as that is where they belong.
However, I find the chroot implementation of isc-dhcpd better. That is, instead of creating a symlink, it copies the files over each time the program is (re)started.
This has the additional benefit that if files in the chroot are compromised they get overwritten by the originals on service restart. Could this be implemented for BIND as well?
Another little question regarding chroot: is it possible to make net/kea chrootable? There are currently no such options in the kea rc script.

With regards,
Dries
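The copy-on-restart behavior the message attributes to the isc-dhcpd rc script, sketched as an added POSIX sh example (not code from the FreeBSD rc scripts, the BIND port, or the poster). The source and chroot paths are function parameters rather than the real rc.conf values, and the zone file contents below are constructed sample data. The second function is a defender's check the message does not mention: because the restart overwrites whatever was in the chroot, comparing the two trees before syncing is the only moment at which drift inside the chroot can still be noticed.

```shell
#!/bin/sh
# Added example: repopulate a chroot from the canonical configuration tree on
# every (re)start, so any change made inside the chroot is reverted.
# SRC and CHROOT are parameters here; a real rc script would read them from
# rc.conf (e.g. named_chrootdir), which this example does not do.

# sync_into_chroot SRC CHROOT
#   Replaces CHROOT/SRC with a fresh copy of SRC. The old copy is removed
#   first so files deleted from SRC do not linger inside the chroot.
sync_into_chroot() {
    src=$1
    chroot=$2
    [ -d "$src" ] || { echo "sync_into_chroot: source $src missing" >&2; return 1; }
    [ -n "$chroot" ] || { echo "sync_into_chroot: empty chroot path" >&2; return 1; }
    dest="$chroot$src"
    # Refuse to operate if dest would resolve to the source tree itself.
    [ "$dest" != "$src" ] || { echo "sync_into_chroot: refusing to clobber source" >&2; return 1; }
    rm -rf "$dest"
    mkdir -p "$(dirname "$dest")"
    # -R copies the tree, -p keeps ownership/mode/timestamps the daemon expects.
    cp -Rp "$src" "$dest"
}

# chroot_differs SRC CHROOT
#   Succeeds (returns 0) when the copy under CHROOT/SRC differs from SRC,
#   i.e. something inside the chroot was added, removed or modified since the
#   last sync. Run it before sync_into_chroot so the drift is logged rather
#   than silently overwritten.
chroot_differs() {
    src=$1
    chroot=$2
    dest="$chroot$src"
    # diff -rq exits 0 only when both trees are identical.
    diff -rq "$src" "$dest" >/dev/null 2>&1 && return 1
    return 0
}

# Stand-alone demonstration using a temporary directory and a constructed
# named.conf fragment (not real configuration).
if [ "${DEMO:-0}" = "1" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src"
    printf 'zone "example.test" { type master; file "example.test.db"; };\n' > "$tmp/src/named.conf"
    sync_into_chroot "$tmp/src" "$tmp/chroot"
    printf 'tampered\n' > "$tmp/chroot$tmp/src/named.conf"
    if chroot_differs "$tmp/src" "$tmp/chroot"; then
        echo "chroot copy drifted from source; resyncing"
    fi
    sync_into_chroot "$tmp/src" "$tmp/chroot"
    rm -rf "$tmp"
fi
```

Run with `DEMO=1 sh script.sh` to see the drift report. In an rc script the `chroot_differs` call would go in the `start_precmd` path ahead of the copy, with its output sent to syslog; the copy itself is the part the message asks to have for BIND, and the check is what keeps "overwritten on restart" from also meaning "evidence destroyed on restart".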


More information about the freebsd-net mailing list