Bug 275684 - net-dns/bind chroot improvement suggestion
Summary: net-dns/bind chroot improvement suggestion
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High enhancement
Assignee: BIND Maintainers (DISABLED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-28 13:06 UTC by Christian Ruppert (idl0r)
Modified: 2009-08-13 00:48 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
bind.patch (1.67 KB, patch) 2009-06-28 13:07 UTC, Christian Ruppert (idl0r)
init.patch (1.96 KB, patch) 2009-06-28 13:07 UTC, Christian Ruppert (idl0r)

Description Christian Ruppert (idl0r) gentoo-dev 2009-06-28 13:06:27 UTC
Hey guys,

I think we should improve the chroot handling in bind.
I'll attach some patches (my first idea) so they might need some further improvements.

So I hope you like my idea :)
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2009-06-28 13:07:05 UTC
Created attachment 195947
bind.patch

Ebuild patch, based on bind-9.4.3_p2.
Comment 2 Christian Ruppert (idl0r) gentoo-dev 2009-06-28 13:07:30 UTC
Created attachment 195948
init.patch

init-script patch.
Comment 3 Christian Ruppert (idl0r) gentoo-dev 2009-07-19 19:58:42 UTC
Has been included in bind-9.6.1.
Comment 4 Daniel Solano Gómez 2009-07-30 13:02:53 UTC
I had previously updated to bind 9.6 using some of my own local ebuilds.  Now that 9.6.1* is in portage, I switched to using the ebuild that contains this patch.  Although I haven't tested the new init script, it seems to me like it may break old configurations that have all of the bind configuration inside the chroot gaol.  When I get the chance, I'll try it out on a non-production machine.

Also, is there really a need to mount /proc in the chroot?  I do not think I have seen it done or that it is necessary.  As such, doesn't mounting /proc possibly leak all sorts of information about the system into the jail?

In any case, I think there should be much stronger warnings about the new configuration.  Also, it may be a good idea to have some sort of flag to retain the old behaviour.
Comment 5 Christian Ruppert (idl0r) gentoo-dev 2009-07-31 14:12:46 UTC
(In reply to comment #4)
> Also, is there really a need to mount /proc in the chroot?  I do not think I
> have seen it done or that it is necessary.  As such, doesn't mounting /proc
> possibly leak all sorts of information about the system into the jail?
<snip>
echo "none    ${CHROOT}/proc    proc    defaults    0 0" >>/etc/fstab
mkdir ${CHROOT}/proc
mount -t proc none ${CHROOT}/proc
</snip>

That's from an older bind ebuild; it will be executed during pkg_config.
My aim was to get a _clean_ chroot-dir after stopping bind.
So the only difference here is that we mount it each time again.
AFAIR it was/is necessary, at least some stuff.
I'll take a look at it again asap.

> 
> In any case, I think there should be much stronger warnings about the new
> configuration.  Also, it may be a good idea to have some sort of flag to retain
> the old behaviour.
>

Hm, if you take a look at the new and an old version of the ebuild you'll see that everything will be mounted instead of cp or mount once at boot or once at pkg_config.
With the new initscript you're able to change something in /etc/bind and it will be loaded after rndc reload.
The old: you'd have to cp the changed files into the chroot-dir and reload then.
IMHO it's not more or less secure than the old behaviour.

Further suggestions are welcome so feel free :)
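An added example of the start/stop pattern comment 5 describes (this is not the ebuild or init-script patch attached to this bug): the configuration is mounted into the chroot on every start and unmounted on stop, with a check that the chroot really is clean afterwards and a check for a leftover /proc mount. CHROOT, the mounted paths and the sample mount table are assumptions.

```shell
#!/bin/sh
# Added example, not the ebuild or init-script code attached to this bug:
# bind-mount the BIND configuration into the chroot on start, unmount it on
# stop, and verify the chroot is clean. CHROOT and the paths are assumptions.
CHROOT="${CHROOT:-/chroot/dns}"

chroot_mounts() {
    # List mountpoints at or below $1 from mount table $2 (default /proc/mounts,
    # "-" for stdin), children first so umount can walk the list. A sibling
    # such as /chroot/dns-backup must not match the prefix test.
    awk -v root="$1" '$2 == root || index($2, root "/") == 1 { print $2 }' \
        "${2:-/proc/mounts}" | sort -r
}

chroot_is_clean() {
    # True when nothing is mounted below the chroot: the state wanted after stop.
    [ -z "$(chroot_mounts "$1" "$2")" ]
}

chroot_has_proc() {
    # True when a proc filesystem is mounted inside the chroot (the thread found
    # it unnecessary, so start can warn about a leftover one).
    awk -v p="$1/proc" '$2 == p && $3 == "proc" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

bind_chroot_start() {
    # Refuse to stack new mounts on a chroot left dirty by an unclean stop.
    chroot_is_clean "$CHROOT" || { echo "$CHROOT still has mounts" >&2; return 1; }
    mkdir -p "$CHROOT/etc/bind" "$CHROOT/var/bind" || return 1
    # /etc/bind goes in read-only (two-step remount works on old util-linux);
    # /var/bind stays writable for slave zones and journals.
    mount --bind /etc/bind "$CHROOT/etc/bind" || return 1
    mount -o remount,ro,bind "$CHROOT/etc/bind" || return 1
    mount --bind /var/bind "$CHROOT/var/bind"
}

bind_chroot_stop() {
    for mp in $(chroot_mounts "$CHROOT"); do umount "$mp" || return 1; done
    chroot_is_clean "$CHROOT"
}

sample_mount_table() {
    # Constructed /proc/mounts excerpt (not from a real host) for a dry run.
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda1 /chroot/dns/etc/bind ext4 ro,relatime 0 0
/dev/sda1 /chroot/dns/var/bind ext4 rw,relatime 0 0
none /chroot/dns/proc proc rw 0 0
tmpfs /chroot/dns-backup tmpfs rw 0 0
EOF
}
```

A dry run such as `sample_mount_table | chroot_mounts /chroot/dns -` shows what stop would unmount without needing root.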
Comment 6 David Sparks 2009-08-10 19:34:48 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Also, is there really a need to mount /proc in the chroot?  I do not think I
> > have seen it done or that it is necessary.  As such, doesn't mounting /proc
> > possibly leak all sorts of information about the system into the jail?
> <snip>
> echo "none    ${CHROOT}/proc    proc    defaults    0 0" >>/etc/fstab
> mkdir ${CHROOT}/proc
> mount -t proc none ${CHROOT}/proc
> </snip>

The above echo >>/etc/fstab must be (somewhat) new as I have been running bind on Gentoo for years and don't have this entry.  I don't mount proc inside the chroot and have never noticed any shortcomings.

bind-mounting /etc/bind inside the chroot wasn't compatible with my configuration without a lot of housekeeping.  I doubt many people edited config in /etc/bind and then cp to /chroot/dns/etc, rather they just edited in /chroot/dns/etc so the new scripts may not work as is for a large number of users.

I'm running the 9.6.x ebuilds for the statistics channel and things like a working max-cache setting (cache will grow in 9.4.x until memory is exhausted).
Comment 7 Christian Ruppert (idl0r) gentoo-dev 2009-08-13 00:48:18 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > > Also, is there really a need to mount /proc in the chroot?  I do not think I
> > > have seen it done or that it is necessary.  As such, doesn't mounting /proc
> > > possibly leak all sorts of information about the system into the jail?
> > <snip>
> > echo "none    ${CHROOT}/proc    proc    defaults    0 0" >>/etc/fstab
> > mkdir ${CHROOT}/proc
> > mount -t proc none ${CHROOT}/proc
> > </snip>
> 
> The above echo >>/etc/fstab must be (somewhat) new as I have been running bind
> on Gentoo for years and don't have this entry.  I don't mount proc inside the
> chroot and have never noticed any shortcomings.
> 
I can confirm that mounting proc is not necessary, I tested it on my own server without any issues.
I removed the proc mount from the init-script.

> bind-mounting /etc/bind inside the chroot wasn't compatible with my
> configuration without a lot of housekeeping.  I doubt many people edited config
> in /etc/bind and then cp to /chroot/dns/etc, rather they just edited in
> /chroot/dns/etc so the new scripts may not work asis for a large number of
> users.
> 

I'll try to get much more information about all that so I'll change the init-script and chroot config part again as soon as possible.
This page http://www.cymru.com/Documents/secure-bind-template.html and the links there seem to be very interesting.
Maybe we can include some stuff.