From security document: "This will create a chrooted environment in /chroot. Now all we have to do is modify the init script for supporting the new environment. Edit /etc/init.d/named and add -t /chroot/dns to the start function. You may also want to change the stop function to point to the correct pid file in /chroot/var/run/named/named.pid. Restart your DNS server." Note the "Edit /etc/init.d/named and add -t /chroot/dns to the start function." While I haven't implemented this yet, looking through the start-stop-function manpage, "-t" is to test an action but take no action. Unless I misinterpret, the author may have meant "-r" for "Chdir and chroot to root before starting the process."

Reproducible: Always

Steps to Reproduce:
The option we pass is for named (bind), not for start-stop-function. The option for bind to have it chroot itself is "-t". If we were passing a chroot-request to start-stop-function, it would first chroot itself and then try to start bind (named). However, since the bind (named) binary isn't inside the chroot, it would fail. And even if the binaries were inside the chroot, we would need to have all libraries inside the chroot too.
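The distinction the reply draws, shown as an added shell example that is not from the bug report, the security document or any distribution's init script: options before the `--` separator belong to start-stop-daemon, options after it reach named, so `-t /chroot/dns` must sit after `--`. It assumes the /chroot/dns layout from the quoted document and a hypothetical `chroot_ready` pre-flight check.

```shell
# Added example: builds the start/stop command lines an init script would run,
# with named's own options (-u, -t) placed after "--" so start-stop-daemon
# does not interpret them. Paths follow the quoted document (assumption).
CHROOT="${CHROOT:-/chroot/dns}"
NAMED_BIN="${NAMED_BIN:-/usr/sbin/named}"
PIDFILE="${CHROOT}/var/run/named/named.pid"   # host-side path of the pid file

# Print the start command. Everything after "--" is passed verbatim to named;
# -t makes named chroot itself, so the binary and libraries stay outside.
named_start_cmd() {
    printf '%s' "start-stop-daemon --start --quiet --pidfile ${PIDFILE} --exec ${NAMED_BIN} -- -u named -t ${CHROOT}"
}

# Print the stop command, pointing at the pid file inside the chroot tree.
named_stop_cmd() {
    printf '%s' "start-stop-daemon --stop --quiet --pidfile ${PIDFILE}"
}

# Report which program receives a given option in a start-stop-daemon command
# line: "start-stop-daemon" if it appears before "--", "daemon" if after it,
# "none" if absent. This is the check behind the -t vs. -r confusion.
opt_receiver() {
    cmd="$1"; opt="$2"
    case "$cmd" in
        *" -- "*) before="${cmd%% -- *}"; after="${cmd#* -- }" ;;
        *)        before="$cmd";          after="" ;;
    esac
    case " $before " in *" $opt "*) echo start-stop-daemon; return 0 ;; esac
    case " $after "  in *" $opt "*) echo daemon;            return 0 ;; esac
    echo none
}

# Hypothetical pre-flight check: named only needs its config and pid
# directory inside the chroot, not its binary or libraries.
chroot_ready() {
    dir="$1"
    [ -d "$dir/etc" ] && [ -f "$dir/etc/named.conf" ] && [ -d "$dir/var/run/named" ]
}
```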