[Dnssec-trigger] unbound in chroot

Paul Wouters pwouters at redhat.com
Fri Jun 27 16:10:17 UTC 2014


On 06/27/2014 03:28 AM, Petr Spacek wrote:

>>> One glithc though, if I set chroot="/var/lib/unbound" in
>>> /etc/unbound/unbound.conf, the unbound service fails to start citing
>>> missing
>>> configuration files error. IMO, it'd be better to start unbound service
>>> under chroot(2) jail by default.
>>
>> I think this is expected since the configuration is not present in the
>> chroot.
>> Although we could provide a new systemd service file
>> unbound-chroot.service,
>> like we do for BIND. It would prepare the chroot before starting
>> (bind-mount
>> all necessary configuration files into the chroot), start unbound in
>> chroot
>> and when stopping, unmount all files from the chroot.
>>
>> It would be better for this purpose if unbound could take the chroot
>> dir as
>> a command line argument. But we can drop a config file into
>> /etc/unbound/conf.d/
>> when starting unbound and then remove it when stopping unbound.
>>
>> What do you think?
> 
> Is it worth? Chroot on Linux is notoriously broken/leaky. I'm not
> entirely sure that it adds more than false sense of security...

When I started packaging unbound, there were lots of chroot() issues and
it just made sense to rely on selinux and not chroot. I don't think
chroot offers anything over selinux, but it comes with a set of problems
dealing with reloading, signaling and maintaining a chroot.

Paul






More information about the dnssec-trigger mailing list