[systemd-devel] bind-mount of /run/systemd for chrooted bind9/named

Silvio Knizek killermoehre at gmx.net
Mon Jul 3 21:21:22 UTC 2023


Hi Marc,

Why is it suggested to run `named` within its own chroot? For security reasons? This can be achieved much more easily with systemd native options.

Something like

`/etc/systemd/system/named.service`

```ini
[Unit]
Description=Internet domain name server
After=network.target

[Service]
Type=notify
User=named
DynamicUser=true
ExecStart=/usr/bin/named -f -c /etc/named/named.conf
ExecReload=/usr/bin/kill -HUP $MAINPID
NoExecPaths=/
# noexec mounts also refuse mmap(PROT_EXEC), so the dynamic loader and shared
# libraries must be listed too (adjust to the distribution's library directories)
ExecPaths=/usr/bin/named /usr/bin/kill /usr/lib /usr/lib64
AmbientCapabilities=CAP_NET_BIND_SERVICE
ProtectSystem=full
ProtectHome=yes
RuntimeDirectory=%p
StateDirectory=%p
CacheDirectory=%p
LogsDirectory=%p
ConfigurationDirectory=%p

[Install]
WantedBy=multi-user.target
```

Make sure `directory` in `/etc/named/named.conf` points to `/var/lib/named`.

Further security considerations may apply. Testing is necessary.

BR  
Silvio
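As an added example (not the post's own code, and not part of systemd or BIND), a small Python checker for the pitfalls of the directives in the unit above: it parses a unit file and flags Exec*= binaries or library directories that are missing from ExecPaths= while NoExecPaths=/ is set (a noexec mount refuses both execve() and mmap(PROT_EXEC), so a dynamically linked daemon dies at startup), and DynamicUser= used without a StateDirectory=. The two unit texts inside are constructed samples; /usr/lib and /usr/lib64 as the library locations are an assumption about the host.

```python
"""Static sanity checks for a systemd unit used in place of a chroot.

Added example, not code from the list post or from systemd/BIND.
"""

# Constructed sample: the unit with ExecPaths= widened to the library
# directories (assumption: loader and libraries live under /usr/lib and
# /usr/lib64 on this host).
UNIT_OK = """\
[Unit]
Description=Internet domain name server
After=network.target

[Service]
Type=notify
User=named
DynamicUser=true
ExecStart=/usr/bin/named -f -c /etc/named/named.conf
ExecReload=/usr/bin/kill -HUP $MAINPID
NoExecPaths=/
ExecPaths=/usr/bin/named /usr/bin/kill /usr/lib /usr/lib64
AmbientCapabilities=CAP_NET_BIND_SERVICE
ProtectSystem=full
ProtectHome=yes
RuntimeDirectory=%p
StateDirectory=%p
ConfigurationDirectory=%p
"""

# Variant that whitelists only the two binaries: named cannot map libc.
UNIT_NOLIBS = UNIT_OK.replace(
    "ExecPaths=/usr/bin/named /usr/bin/kill /usr/lib /usr/lib64",
    "ExecPaths=/usr/bin/named /usr/bin/kill",
)

LIB_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/lib64")
EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost",
             "ExecReload", "ExecStop", "ExecStopPost")
TRUE_VALUES = ("1", "yes", "true", "on")


def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}.
    Repeated keys are kept in order (systemd appends them) and a trailing
    backslash continues the value on the next line."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section; systemd would reject it
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def _covered(path, roots):
    """True if path equals one of roots or lies beneath one of them."""
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)


def check_service(text):
    """Return a list of findings for the [Service] section; [] means clean."""
    svc = parse_unit(text).get("Service", {})
    findings = []
    noexec = " ".join(svc.get("NoExecPaths", [])).split()
    execpaths = " ".join(svc.get("ExecPaths", [])).split()
    if "/" in noexec:
        for key in EXEC_KEYS:
            for cmd in svc.get(key, []):
                # strip systemd's Exec prefix characters (@, -, :, +, !)
                binary = cmd.split()[0].lstrip("@-:+!")
                if not _covered(binary, execpaths):
                    findings.append(f"{key}: {binary} not under ExecPaths= "
                                    "while NoExecPaths=/ is set")
        if not any(_covered(d, execpaths) for d in LIB_DIRS):
            findings.append("NoExecPaths=/ without a library directory in ExecPaths=: "
                            "mmap(PROT_EXEC) of shared objects will fail")
    dynamic = svc.get("DynamicUser", ["no"])[-1].lower() in TRUE_VALUES
    if dynamic and "StateDirectory" not in svc:
        findings.append("DynamicUser= set without StateDirectory=: "
                        "no persistent writable location")
    if "ProtectSystem" not in svc and not dynamic:
        findings.append("neither ProtectSystem= nor DynamicUser= set: "
                        "/usr and /etc stay writable")
    return findings


if __name__ == "__main__":
    for label, unit in (("binaries only", UNIT_NOLIBS), ("with library dirs", UNIT_OK)):
        print(f"{label}: {check_service(unit) or ['ok']}")
```

Run it on a real unit with `check_service(open('/etc/systemd/system/named.service').read())`; on a live host, `systemd-analyze verify` and `systemd-analyze security named.service` remain the authoritative checks, this script only catches the two mistakes that those tools do not explain.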
