[systemd-devel] bind-mount of /run/systemd for chrooted bind9/named
Silvio Knizek
killermoehre at gmx.net
Mon Jul 3 21:21:22 UTC 2023
Hi Marc,
why is it suggested to run `named` within its own chroot? For security reasons? This can be achieved much more easily with systemd native options.
Something like
`/etc/systemd/system/named.service`
```ini
[Unit]
Description=Internet domain name server
After=network.target

[Service]
Type=notify
# A UID/GID is allocated dynamically at start and released on stop; "named"
# must not already exist as a static account. DynamicUser= also implies
# PrivateTmp= and RemoveIPC=.
User=named
DynamicUser=true
ExecStart=/usr/bin/named -f -c /etc/named/named.conf
ExecReload=/usr/bin/kill -HUP $MAINPID
# Nothing is executable except the listed paths. The library directories have
# to be re-allowed as well, otherwise the dynamic loader cannot start named
# or kill at all.
NoExecPaths=/
ExecPaths=/usr/bin/named /usr/bin/kill /usr/lib /usr/lib64
# Lets the non-root named bind port 53 without any other root capability
AmbientCapabilities=CAP_NET_BIND_SERVICE
ProtectSystem=full
ProtectHome=yes
# Per-unit directories under /run, /var/lib, /var/cache, /var/log and /etc;
# %p expands to the unit name, here "named"
RuntimeDirectory=%p
StateDirectory=%p
CacheDirectory=%p
LogsDirectory=%p
ConfigurationDirectory=%p

[Install]
WantedBy=multi-user.target
```
Make sure `directory` in `/etc/named/named.conf` points to `/var/lib/named`.
Further security considerations may apply. Testing is necessary.
BR
Silvio
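A static check for the kind of sandbox settings discussed in this thread, as an added example that is neither part of the mailing-list post nor of systemd itself. It parses a unit file with a small parser (systemd settings may repeat and an empty assignment resets the list, which configparser cannot express) and reports the two mistakes that are easy to make with these directives: an ExecStart=/ExecReload= binary, or the library directories, left non-executable by NoExecPaths= without a matching ExecPaths=, and AmbientCapabilities= on a service that still runs as root. The sample unit is constructed, modelled on the one above but deliberately without library directories in ExecPaths=; the library directory names and the list of recommended directives are assumptions.

```python
"""Static sandbox checks for a systemd unit file (added example, not systemd code)."""
import shlex

# Assumption: where the dynamic loader and shared libraries live on the host.
LIB_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/lib64")

# Assumption: settings worth having on a network daemon that are not implied
# by DynamicUser= or ProtectSystem=, so their absence is reported.
RECOMMENDED = ("CapabilityBoundingSet", "PrivateDevices", "ProtectKernelTunables",
               "RestrictAddressFamilies", "SystemCallFilter")

# Constructed sample: the unit from the post, minus the library directories.
SAMPLE_UNIT = """\
[Unit]
Description=Internet domain name server
After=network.target
[Service]
Type=notify
User=named
DynamicUser=true
ExecStart=/usr/bin/named -f -c /etc/named/named.conf
ExecReload=/usr/bin/kill -HUP $MAINPID
NoExecPaths=/
ExecPaths=/usr/bin/named /usr/bin/kill
AmbientCapabilities=CAP_NET_BIND_SERVICE
ProtectSystem=full
ProtectHome=yes
RuntimeDirectory=%p
[Install]
WantedBy=multi-user.target
"""
FIXED_UNIT = SAMPLE_UNIT.replace("ExecPaths=/usr/bin/named /usr/bin/kill",
                                 "ExecPaths=/usr/bin/named /usr/bin/kill /usr/lib /usr/lib64")


def parse_unit(text):
    """Return {section: {key: [values, ...]}}, keeping repeated assignments."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                 # backslash line continuation
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        values = sections.setdefault(section, {}).setdefault(key.strip(), [])
        if value.strip() == "":                 # empty assignment resets the list
            values.clear()
        else:
            values.append(value.strip())
    return sections


def _paths(values):
    """Flatten space-separated path lists such as ExecPaths=."""
    return [p for v in values for p in v.split()]


def _exec_binaries(service):
    """Absolute binaries named by the Exec*= settings, exec prefixes stripped."""
    bins = []
    for key in ("ExecStartPre", "ExecStart", "ExecStartPost", "ExecReload", "ExecStop"):
        for cmd in service.get(key, []):
            argv = shlex.split(cmd)
            if argv:
                bins.append(argv[0].lstrip("-@:+!"))
    return bins


def _covered(path, prefixes):
    """True if path equals or lies below one of the prefixes (bare names never match)."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)


def _is_yes(values):
    return bool(values) and values[-1].lower() in ("yes", "true", "on", "1")


def lint_unit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    service = parse_unit(text).get("Service", {})
    findings = []
    noexec = _paths(service.get("NoExecPaths", []))
    execp = _paths(service.get("ExecPaths", []))
    if noexec:
        for binary in _exec_binaries(service):
            if _covered(binary, noexec) and not _covered(binary, execp):
                findings.append(f"{binary} is under NoExecPaths= but not re-allowed by ExecPaths=")
        if any(_covered(d, noexec) for d in LIB_DIRS) and not any(_covered(d, execp) for d in LIB_DIRS):
            findings.append("NoExecPaths= covers the library directories; add them to ExecPaths= "
                            "or the dynamic loader cannot start the binaries")
    runs_as_root = not _is_yes(service.get("DynamicUser", [])) and \
        service.get("User", ["root"])[-1] == "root"
    if service.get("AmbientCapabilities") and runs_as_root:
        findings.append("AmbientCapabilities= has no effect while the service runs as root")
    findings.extend(f"{key}= is not set" for key in RECOMMENDED if key not in service)
    return findings


if __name__ == "__main__":
    for name, unit in (("as posted", SAMPLE_UNIT), ("with lib dirs", FIXED_UNIT)):
        print(f"--- {name} ---")
        print("\n".join(lint_unit(unit)) or "no findings")
```

Run it against the real file with `lint_unit(open("/etc/systemd/system/named.service").read())`; `systemd-analyze verify` and `systemd-analyze security named.service` remain the authoritative checks, this script only catches the two mistakes above before the unit is ever started.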