Report information
The Basics
Id:
41966
Status:
open
Priority:
Medium/Medium
Queue:

People
BugTracker
Version Fixed:
(no value)
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
P2 Normal
Severity:
S2 Normal
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
BIND Server
Area:
feature

Dates
Created: Thu, 17 Mar 2016 20:06:19 -0400
Updated: Wed, 02 Aug 2017 17:52:26 -0400
Closed:Not set




Subject: openssl init needs to be before chroot
Date: Thu, 17 Mar 2016 18:06:13 -0600
To: bind-bugs@isc.org
From: "LaMont Jones" <lamont@mmjgroup.com>
Because OpenSSL init may load additional libraries, it should be done before the chroot. Patch attached. lamont

Message body is not shown because sender requested not to inline it.

On Fri Mar 18 00:06:19 2016, lamont@mmjgroup.com wrote:
> Because openssl init may load additional libraries, it should be done
> before the chroot.

=> IMHO bind should be configured without gost (this was done a long time ago, the first time someone raised this issue) or OpenSSL configured with static engines (using DSOs is a bad idea), as is explained for WIN32.
On Fri Mar 18 00:06:19 2016, lamont@mmjgroup.com wrote:
> Because openssl init may load additional libraries, it should be done
> before the chroot.

=> there are many (better) things to try:
- first, simply install OpenSSL correctly in the chroot'ed environment, i.e., with its dependencies. I know it is hard to get everything which can be needed in a chroot. Today a virtual machine or a container provides better isolation...
- second, it is a good idea to build OpenSSL with static (i.e., statically linked) engines (cf. win32utils/build.txt). Unfortunately the OpenSSL Configure binds this feature to the shared/static library switch on Linux.
- third, you can simply configure bind without the GOST support (i.e., --without-gost), as GOST is used only in Russia for a few zones (according to http://secspider.verisignlabs.com/stats.html there are 90 GOST keys in the whole DNS).
- finally, there is a new bind --enable-late-chroot configure option being considered (ticket #40655). It solves another problem (interface discovery at startup, which requires a /proc/net in the chroot'ed environment) but should work well for you.

Note the last point shows it is a better idea to move the chroot() call later than to move the crypto init itself.
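The first option in the reply above (put OpenSSL and everything it pulls in inside the chroot) is the one operators usually stumble on, because an engine DSO dlopen()ed after chroot() fails silently if any of its own dependencies is missing. The script below is an added example written for this page; it is not BIND or ISC code and not the patch attached to the report. It copies a binary or shared object into a chroot directory together with every library ldd resolves for it, preserving absolute paths, and provides a check to run before starting named -t. It assumes a Linux host with ldd available; the chroot directory and the engine paths in the usage comments are placeholders, not values from this ticket.

```shell
#!/bin/sh
# Added example (not BIND/ISC code): populate a chroot with a file plus the
# shared libraries ldd reports for it, then verify nothing is missing.
# Caveat: glibc's ldd invokes the dynamic loader on the file it inspects,
# so only run it against binaries you already trust.

# _copy_one DIR PATH: copy PATH to DIR/PATH, creating parent directories.
# -L dereferences symlinks so the jail gets a real file rather than a
# link pointing at something outside the chroot.
_copy_one() {
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2"
}

# _ldd_paths PATH: print the absolute paths ldd resolves for PATH, one per
# line.  Prints nothing for static files or when ldd is unavailable.
_ldd_paths() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | tr -s ' \t' '\n' | grep '^/' || true
}

# copy_with_deps DIR PATH: copy PATH and all of its ldd dependencies into
# DIR.  Returns 1 when PATH does not exist or any copy fails.
copy_with_deps() {
    dir="$1"; src="$2"
    [ -e "$src" ] || return 1
    _copy_one "$dir" "$src" || return 1
    for lib in $(_ldd_paths "$src"); do
        _copy_one "$dir" "$lib" || return 1
    done
}

# missing_in_chroot DIR PATH: print each ldd dependency of PATH that is
# not present under DIR.  Empty output means PATH is fully resolvable
# once the process has chroot()ed into DIR.
missing_in_chroot() {
    for lib in $(_ldd_paths "$2"); do
        [ -e "$1$lib" ] || echo "$lib"
    done
}

# chroot_ready DIR PATH: succeed only when PATH has no missing dependency
# under DIR.  Run this for the engine DSO before starting named -t DIR.
chroot_ready() {
    [ -z "$(missing_in_chroot "$1" "$2")" ]
}

# Usage (placeholder paths; the engines directory is whatever the local
# OpenSSL build reports, e.g. via `openssl version -e` on OpenSSL 1.1+):
#   CHROOT_DIR=/var/named/chroot
#   ENGINESDIR=$(openssl version -e | sed 's/^ENGINESDIR: *//; s/"//g')
#   for e in "$ENGINESDIR"/*.so; do copy_with_deps "$CHROOT_DIR" "$e"; done
#   chroot_ready "$CHROOT_DIR" "$ENGINESDIR/gost.so" || echo "chroot incomplete"
```

Copying the engine DSO alone is not enough: the dependency walk has to include the libcrypto the engine links against and the loader, which is why the script keeps the original absolute paths so the in-jail dlopen() resolves them the same way it would outside. This only addresses the first suggestion in the reply; it does nothing about the ordering of the crypto init relative to chroot(), which the --without-gost, static-engines and --enable-late-chroot options handle instead.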