Re: [systemd-devel] Securing bind with systemd methods (was: bind-mount of /run/systemd for chrooted bind9/named)

2023-07-20 Thread Petr Menšík
BIND wants to read ephemeral port ranges to use for outgoing queries. We have such special quirks bind-mounted into bind chroot. But without SELinux-like protection that might not be needed. Consider read-binding /proc/sys/net/ipv4/ip_local_port_range into chroot. We have also /etc/rndc.{conf,k

Re: [systemd-devel] Securing bind with systemd methods (was: bind-mount of /run/systemd for chrooted bind9/named)

2023-07-18 Thread Simon McVittie
On Tue, 18 Jul 2023 at 10:42:49 +0200, Marc Haber wrote: > That would be /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 on my > system (only output of find /lib /usr/lib -name 'ld-lin*'), and adding > that to ExecPaths doesn't allow my Executable to run. So it must be > something else (possibly in a

Re: [systemd-devel] Securing bind with systemd methods (was: bind-mount of /run/systemd for chrooted bind9/named)

2023-07-18 Thread Marc Haber
On Tue, Jul 18, 2023 at 01:10:16AM +0300, Mantas Mikulėnas wrote: > On Mon, Jul 17, 2023, 15:44 Marc Haber > wrote: > > # /lib is necessary here, or execve will fail without indication for > > # reason - that was a surprise and hard to debug because even strace > > # didn't hint me towards the real

Re: [systemd-devel] Securing bind with systemd methods (was: bind-mount of /run/systemd for chrooted bind9/named)

2023-07-17 Thread Mantas Mikulėnas
On Mon, Jul 17, 2023, 15:44 Marc Haber wrote: > > # /lib is necessary here, or execve will fail without indication for > # reason - that was a surprise and hard to debug because even strace > # didn't hint me towards the real issue > ExecPaths=/usr/sbin/named /usr/sbin/rndc /lib > This one in par

[systemd-devel] Securing bind with systemd methods (was: bind-mount of /run/systemd for chrooted bind9/named)

2023-07-17 Thread Marc Haber
Hi, I'm back. This is my first try at doing a decent systemd unit for bind 9 / named chrooted with named's own features, making the chroot minimal and code-free. Here we go (this has been merged from various plug-in/overrides files, I don't guarantee correct syntax). I have interspersed my commen