[BlueOnyx:18838] Re: named-chroot on 5209R

Michael Stauber mstauber at blueonyx.it
Fri Dec 18 09:11:50 -05 2015


Hi Tom,

FWIW: I found out why Bind only started working again after you copied
the zone files from the chroot zone file directory to the normal zone
file directory.

The RedHat guys did something really strange: The unit file (the systemd
startup script) for named-chroot now has a test in it. That test calls a
binary and tells it to verify if the zone files and DNS config in
general are valid.

That looks like this:

------------------------
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi'

ExecStart=/usr/sbin/named -u named -t /var/named/chroot $OPTIONS
------------------------

The problem starts right there:

/usr/sbin/named-checkconf -z /etc/named.conf

Because /etc/named.conf has this in it:

   directory "/var/named";

So guess where it looks for the zone files? Of course in the un-jailed
directory and not inside the jail! So if named.conf has any zones
listed, then named-checkconf will not see them and declares the config
as invalid. Result: named-chroot will not start.

This check in the unit file for named-chroot doesn't make any sense at
all if it's not run inside the jail as well.

So I just published an updated base-dns for 5209R which tests the unit
file and removes that check if it is present. That should fix this issue
for good.

> Supposedly the chroot was to prevent some security issues in older
> versions.  The question I've had for a long time is whether or not
> *needing* to put it into a chroot jail is still valid.

Is the jail really needed? Probably not anymore. There hasn't been a
serious privilege escalation issue in Bind in quite a while. It used to
be quite notoriously bad in that regard a long time ago and got a
really shabby reputation just because of it.

But let me put it this way: Better safe than sorry. The jail is usually
hassle free and easy. It doesn't complicate things unless upstream
messes something up like this time around. So I'd rather have Bind in a
jail than risk anything.

-- 
With best regards

Michael Stauber
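An added example (not from this post, and not the code of BlueOnyx's base-dns package): a POSIX shell script that reproduces the mismatch described above in a constructed, unprivileged sandbox. It resolves each zone file the way named-checkconf -z does from the host root, and the way named -t /var/named/chroot does from inside the jail; the sandbox tree and the example.com zone are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the post or BlueOnyx's base-dns). It shows why
# "named-checkconf -z" run outside the jail cannot see named-chroot's zones:
# "directory" resolves against the host root there, but inside the jail for named -t.
set -eu
# zone_files CONF: print every zone file CONF references, resolved against its
# "directory" option (absolute file names pass through unchanged).
zone_files() {
    conf="$1"
    dir=$(sed -n 's/.*[[:space:]{]directory[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    sed -n 's/.*[[:space:];{]file[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | while read -r f; do
        case "$f" in
            /*) printf '%s\n' "$f" ;;
            *)  printf '%s/%s\n' "$dir" "$f" ;;
        esac
    done
}
# check_zones CONF ROOT: 0 if every zone file exists under ROOT, the filesystem
# root the checker runs in (host root for ExecStartPre, the chroot for named).
check_zones() {
    conf="$1"; root="$2"; missing=0
    for path in $(zone_files "$conf"); do
        if [ -f "$root$path" ]; then
            echo "found:   $root$path"
        else
            echo "MISSING: $root$path"; missing=1
        fi
    done
    return $missing
}
# setup_sandbox: build a constructed, unprivileged copy of the layout from the
# post (zone files only inside the chroot); $sb/host stands in for the real "/".
setup_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/etc" "$sb/host/var/named/chroot/var/named"
    cat > "$sb/etc/named.conf" <<'EOF'
options { directory "/var/named"; };
zone "example.com" IN { type master; file "example.com.zone"; };
EOF
    : > "$sb/host/var/named/chroot/var/named/example.com.zone"
    printf '%s\n' "$sb"
}
SB=$(setup_sandbox)
echo "Unjailed view (what the unit file's named-checkconf -z sees):"
check_zones "$SB/etc/named.conf" "$SB/host" || echo "=> named-checkconf -z fails, named-chroot never starts"
echo "Jailed view (what named -t /var/named/chroot sees):"
check_zones "$SB/etc/named.conf" "$SB/host/var/named/chroot" && echo "=> named itself would have started"
rm -rf "$SB"
```

named-checkconf itself accepts -t <directory> to chroot before reading the configuration, which makes a pre-start check look where named will actually look; that option is not mentioned in the post.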