Hi Marc, why is it suggested to run `named` within its own chroot? For security reasons? This can be achieved much easier with systemd native options. Something like `/etc/systemd/system/named.service` ```ini [Unit] Description=Internet domain name server After=network.target [Service] Type=notify User=named DynamicUser=true ExecStart=/usr/bin/named -f -c /etc/named/named.conf ExecReload=/usr/bin/kill -HUP $MAINPID NoExecPaths=/ ExecPaths=/usr/bin/named /usr/bin/kill AmbientCapabilities=CAP_NET_BIND_SERVICE ProtectSystem=full ProtectHome=yes RuntimeDirectory=%p StateDirectory=%p CacheDirectory=%p LogsDirectory=%p ConfigurationDirectory=%p [Install] WantedBy=multi-user.target ``` Make sure `directory` in `/etc/named/named.conf` points to `/var/lib/named`. Further security considerations may apply. Testing is necessary. BR Silvio
Re: bind-mount of /run/systemd for chrooted bind9/named
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: bind-mount of /run/systemd for chrooted bind9/named
- From: Silvio Knizek <killermoehre@xxxxxxx>
- Date: Mon, 03 Jul 2023 23:21:22 +0200
- In-reply-to: <ZKMY2hHcA3CBVw6p@torres.zugschlus.de>
- References: <ZKMY2hHcA3CBVw6p@torres.zugschlus.de>
- Ui-outboundreport: notjunk:1;M01:P0:sYqdtjIePP0=;tj8h5syIZdfBCmnvGDThhBsOf/n XeA+1m+HGJfWBCBDC+lLmoXKCkTvHa5HRyT/r/MjsctyZj/NQXKV/5Xfro2oU1t1vKB7z0eHj jca5W2d6y7NLRx7sEUunlxgscZ0oUVLR0zKILl23uOUnptfLHoWlOvoZ3Ljgd/AAjRbwAZCPd ZbdHvEU51ysCObRXQcEZ2aCRXX2dN+16JDOz47n97zbXi1ZDqThznVWUkvNllO96ZpZT/9FNR 4HcFaoojLzMK66J0Uzs1aWViCi8ZvAg++nYGfSolGXTOqF9pKSbvUIofdHDMo8LgSKtpG+JEN 6qAVGlI0G5L2ffJHmJK+zZzK2j1WQCudq/28CVxpiO5ZEKHf8dP2YQp2URAaQE0YttUdIQkBo mi7jDhnmv7E8J80ZjFhEnLpxFrzHZ7Loyp+pkp0t8yS3r/auTXdJPoEWFTtnfsgH+kTZZLQKK 7MwWzj7eOGlJqPNE1w31Gcg7jCjvIcv4sS0Z2jlIMZydA/g9ZRWdKu5qCQbqaYIl3hP4VqSOx Otgi5e3BKhg0n0V/tZCSNAyNdSCrMJTT96kdaNxAadZQwy8Ir9fsbfihVM5a7TsmmJqGKpXji SCeO/6EhlzdXG7IXj4iQUJhrJAFCw/gAlSfYKRaPbHbFASEXvVTCzYu7Ukk+jq4VIqfBqqE+4 2IQDna7JkJWwNsa8vbHcHNJjmaxnd6SzAVd6NCLf5UvnH+idGSZooTk/nbvBaoB12hIxGnF/t YjNf9AImCrWLuN+wzUfOjEJULmvyc4jb/vbtiFUzaIzw5FSOvh3By1Cc+/PJz3XgQKHUDaZSz ta8BVW3131DhYZh+l6eSxcG0LAFQr4MM6vKJ7+Cj2WTpiWiNFe5rIRWRAq++yYwm9QDshUXrv JCysxwCatW/Alkz3eQjd0LfC8XCt/Dwt6q99V9cav+qvJX8LfTJO2K/TAYOQGAJGo8KucIjzj Inkm/w==
- User-agent: Evolution 3.48.3
- Follow-Ups:
- Re: bind-mount of /run/systemd for chrooted bind9/named
- From: Marc Haber
- Re: bind-mount of /run/systemd for chrooted bind9/named
- References:
- bind-mount of /run/systemd for chrooted bind9/named
- From: Marc Haber
- bind-mount of /run/systemd for chrooted bind9/named
- Prev by Date: bind-mount of /run/systemd for chrooted bind9/named
- Next by Date: Re: bind-mount of /run/systemd for chrooted bind9/named
- Previous by thread: bind-mount of /run/systemd for chrooted bind9/named
- Next by thread: Re: bind-mount of /run/systemd for chrooted bind9/named
- Index(es):
 |