On Mon, May 16, 2016 at 08:51:41PM -0400, Paul Kosinski wrote:
> I have avoided the problem chroot causes in a fairly general fashion by
> using "mount --bind". For example:
>
> /bin/mount --bind /lib /chroot/dns/lib
>
> will make the entire /lib directory available to the chrooted BIND,
> assuming the path /chroot/dns is created beforehand to serve as the
> chroot base for running BIND.

This is a wrong and dangerous "fix" since it exposes the parent system's
/lib to the chroot. Preventing this exposure is the reason for chroot in
the first place.

> I have heard that chroot does not provide unbreakable isolation, and,
> of course, many extra files are made available to the chrooted process
> compared to copying the minimum number of individual files.

This is much worse than copying the minimum number of individual files
since it allows the chrooted root account to _directly_ _change_ the
files of the parent system. You can run unchrooted without much more
danger.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
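An added shell example (not part of the thread above, and not ISC's or either poster's code) that illustrates the point Marc makes: a plain `mount --bind /lib /chroot/dns/lib` leaves the bind mount read-write, so a root process inside the chroot can modify the parent's /lib. The check below reads lines in the `/proc/self/mountinfo` format (the sample lines are constructed for this example; the `/chroot/dns` base and the mount points under it are assumed) and reports every mount under a chroot base whose per-mount options lack `ro`. The `make_bind_ro` helper shows the remount that turns an existing bind mount read-only; it needs root and a real mount, so it is not exercised here. A read-only bind mount only removes the "directly change" problem; the parent's files are still visible inside the chroot, which is the exposure Marc objects to in the first place.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mountinfo lines (not captured from a real host).
# Fields: id parent major:minor root mountpoint per-mount-options ... - fstype source fs-options
SAMPLE_MOUNTINFO='21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 21 8:1 /lib /chroot/dns/lib rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
41 21 8:1 /usr/lib /chroot/dns/usr/lib ro,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
42 21 0:25 / /chroot/dns/dev/shm rw,nosuid,nodev shared:2 - tmpfs tmpfs rw'

# rw_mounts_under BASE
# Reads mountinfo lines from stdin and prints "<mountpoint> <root-in-source-fs>"
# for every mount below BASE whose per-mount options (field 6) do not contain
# "ro".  Fields 1-6 of mountinfo are fixed positions, so awk's $4/$5/$6 are
# stable even though the number of optional fields before "-" varies.
rw_mounts_under() {
    base=$1
    awk -v base="$base" '
        index($5, base "/") == 1 {
            n = split($6, opts, ",")
            ro = 0
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro) print $5, $4
        }'
}

# make_bind_ro MOUNTPOINT
# Remounts an existing bind mount read-only.  Requires root and a real mount
# point; shown for reference only and not run in this example.
make_bind_ro() {
    mount -o remount,bind,ro "$1"
}

# Stand-alone run: audit the constructed sample.  On a live host you would use
#   rw_mounts_under /chroot/dns < /proc/self/mountinfo
printf '%s\n' "$SAMPLE_MOUNTINFO" | rw_mounts_under /chroot/dns
```

Run against the sample, the audit lists `/chroot/dns/lib` (bound from `/lib`, read-write) and the tmpfs under `/chroot/dns/dev/shm`, while the read-only `/chroot/dns/usr/lib` mount is not reported.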