From 20a23b5c3b1274024350dbba0e96c3022f8ff6b9 Mon Sep 17 00:00:00 2001 From: Peter van Dijk Date: Tue, 9 Nov 2021 15:02:23 +0100 Subject: [PATCH] improve chroot text --- docs/security.rst | 7 ++++++- docs/settings.rst | 6 ++++-- pdns/recursordist/docs/settings.rst | 3 ++- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index fb1aba32ef..ac3b7cddac 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -25,6 +25,11 @@ Set these parameters immediately if they are not set! Jailing the process in a chroot ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Modern Linux distributions, with systemd for process management, do a better job of constraining PowerDNS than chroot can. +We strongly suggest using distribution/OS features for process containment instead of the :ref:`setting-chroot` option. +The text below is kept for those users that have specific reasons to prefer chroot. +chroot functionality is not actively tested during development and might break during upgrades. + The :ref:`setting-chroot` option secures PowerDNS to its own directory so that even if it should become compromised and under control of external influences, it will have a hard time affecting the rest of the system. Even though this will hamper hackers a lot, chroot jails have been known to be broken. @@ -34,7 +39,7 @@ Even though this will hamper hackers a lot, chroot jails have been known to be b socket which should live within the chroot. It is often possible to hardlink such a socket into the chroot dir. -When running with master or slave support, be aware that many operating +When running with primary or secondary support, be aware that many operating systems need access to specific libraries (often ``/lib/libnss*``) in order to support resolution of domain names! You can also hardlink these. diff --git a/docs/settings.rst b/docs/settings.rst index 308a505d95..9060dfe4d7 100644 --- a/docs/settings.rst +++ b/docs/settings.rst 
@@ -253,6 +253,8 @@ You may specify an alternate port by appending :port, ex: - Path If set, chroot to this directory for more security. See :doc:`security`. +This is not recommended; instead, we recommend containing PowerDNS using operating system features. +We ship systemd unit files with our packages to make this easy. Make sure that ``/dev/log`` is available from within the chroot. Logging will silently fail over time otherwise (on logrotate). @@ -263,9 +265,9 @@ set in the configuration are relative to the new root. When running on a system where systemd manages services, ``chroot`` does not work out of the box, as PowerDNS cannot use the ``NOTIFY_SOCKET``. -Either don't ``chroot`` on these systems or set the 'Type' of the this +Either don't ``chroot`` on these systems or set the 'Type' of the service to 'simple' instead of 'notify' (refer to the systemd -documentation on how to modify unit-files) +documentation on how to modify unit-files). .. _setting-config-dir: diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index d14c27dafa..125d247691 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst @@ -210,7 +210,8 @@ See :doc:`metrics`. - Path to a Directory If set, chroot to this directory for more security. -See :doc:`security` +This is not recommended; instead, we recommend containing PowerDNS using operating system features. +We ship systemd unit files with our packages to make this easy. Make sure that ``/dev/log`` is available from within the chroot. Logging will silently fail over time otherwise (on logrotate). -- 2.47.2
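Review bot: In the first docs/security.rst hunk (@@ -25,6 +25,11 @@), the added paragraph recommends "distribution/OS features for process containment" but never says which features or where to find them, so a reader who moves away from chroot has nothing to act on. The docs/settings.rst hunk in this same patch mentions that systemd unit files ship with the packages; repeat or link that here. The paragraph also speaks only of "Modern Linux distributions, with systemd", which leaves the recommendation for other platforms unstated; one sentence covering that case would close the gap.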
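Review bot: In the docs/settings.rst hunk at @@ -253,6 +253,8 @@, the added sentence "This is not recommended" directly follows "See :doc:`security`.", so "This" can be read as pointing at the cross-reference rather than at the chroot setting. Suggest "Using chroot is not recommended; ..." and placing it before the "See :doc:`security`." sentence so the link to the rationale comes last. "We ship systemd unit files with our packages" also assumes a packaged install; consider adding what applies to users who build from source.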
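Review bot: In the docs/settings.rst hunk at @@ -263,9 +265,9 @@, the corrected sentence still writes "unit-files" while the line added by the previous hunk in the same file writes "unit files"; pick one spelling. With the recommendation against chroot now stated above it, "Either don't ``chroot`` on these systems or set the 'Type' of the service to 'simple'" presents the two options as equal when the first is the recommended one; consider rewording so this paragraph agrees with the new text.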
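Review bot: In the pdns/recursordist/docs/settings.rst hunk (@@ -210,7 +210,8 @@), the line "See :doc:`security`" is deleted, whereas the matching change in docs/settings.rst keeps it. The commit message does not say why; if the removal is deliberate, state the reason, otherwise keep the cross-reference so Recursor readers still have a pointer to the reasoning behind the recommendation. The result also reads "chroot to this directory for more security" immediately followed by "This is not recommended", which sends mixed signals; consider dropping "for more security" or rewording the first sentence.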