Symbolic links and chroot BIND9

synne · 05-08-2012, 11:40 PM

I have some software with a web gui back end to manage some DNS zones. Ive installed BIND manually and would like to keep it chrooted if possible.

zones are created in:

Code:

/var/named/chroot/var/named/zones

The web application auto writes the zone config in named.conf and creates the zone file in the folder above.

zone in named.conf

Code:

zone "example.com" IN {
	type master;
	file "/var/named/chroot/zones/example.com.txt";
	allow-transfer { any; };
};

That is the correct location in the root file system, but not within the named chroot. To resolve this I created a symbolic link:

ls -l /var/named/chroot/var/named

Code:

lrwxrwxrwx. 1 root root   17 May  9 00:32 chroot -> /var/named/chroot
drwxrwxrwx. 2 root root 4096 May  8 21:51 data
drwxrwxrwx. 2 root root 4096 May  8 21:51 zones

Doing so resolves named's file not found failure but throws up a 'invalid file'
Which only occurs when going through a symbolic link.

Permissions appear appropriate on folders and files, manually adjusting named.conf avoiding the symbolic link - named starts right up.

Since creating hard links is not permitted, is there any way to resolve this (while still in chroot) without having to adjust the core of this software I use? Id rather adjust my system to work with these paths so further work isnt necessary with each updates to the software.

MensaWater · 05-09-2012, 07:34 AM

In chroot everything is seeing the chroot directory as "/". Your zone files and named.conf should NOT mention /var/named/chroot at all - they should all be relative to what is BENEATH that as if it were "/". That is to say if your zone files are in /var/named/chroot/var/named (as they are on RHEL/CENTOS when you use their BIND Chroot packages) then your named.conf should simply show "/var/named/<zonefile>" for the zone file path and NOT "/var/named/chroot/var/named/<zonefile>". Even though the latter is where you see the files when logged in as any other user it is the former where the chroot'ed user sees the files.

For this reason a symbolic link within the chroot doesn't go where you think.

That is to say when logged in as a non-chrooted user your symbolic link appears to be:
/var/named/chroot/var/named/chroot -> /var/named/chroot
So you think it is pointing back to the "real" /var/named/chroot". However since the chroot'ed user can't see the "real" root or anything above the "real" /var/named/chroot it thinks you're making a symbolic link back to itself so in "real" terms it can be thought of as:
/var/named/chroot/var/named/chroot ->/var/named/chroot/var/named/chroot
But to the chroot it is simply:
/var/named/chroot ->/var/named/chroot

What you need to do is adjust your web software if it is NOT running as the chroot'ed user so it knows the "real" paths rather than the chroot'ed paths so that when it decides to update files it is updating things under /var/named/chroot/etc (for named.conf) and /var/named/chroot/var/named (for zone files) rather than using defaults of just "/etc" and "/var/named". Alternatively you could try to work out how to make the web software run as the chrooted environment but that might require you to copy many more things into the chroot to get it running.