RE: bind9 in a chroot ?
From: SecLists (lists@secure.stargate.net)
Date: 04/25/02
- Next message: Moti: "Re: bind9 in a chroot ?"
- Previous message: VB: "Re: patching holes Hmmmm"
- In reply to: Mike Roest: "RE: bind9 in a chroot ?"
- Next in thread: Moti: "Re: bind9 in a chroot ?"
- Reply: Moti: "Re: bind9 in a chroot ?"
- Reply: Mark.Andrews@isc.org: "Re: bind9 in a chroot ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: SecLists <lists@secure.stargate.net> To: Mike Roest <bsd-lists@blahz.ab.ca> Date: 25 Apr 2002 14:09:06 -0400
You can use lsof to view all open files used by named... if you do that
you will see that it is not actually chrooted at all... using the same
option with bind9 built from source on OpenBSD, and chrooted into
/var/named by the -t option:
(root@doberman) ~ # lsof | grep named
named 18211 named cwd VDIR 0,20 512 1140352 /var
(/dev/wd1e)
named 18211 named rtd VDIR 0,20 512 1140352 /var
(/dev/wd1e)
named 18211 named txt VREG 0,19 5892042 719229 /usr
(/dev/wd1d)
named 18211 named txt VREG 0,19 61440 1374538
/usr/libexec/ld.so
named 18211 named txt VREG 0,20 6429 1163022
/var/run/ld.so.hints
named 18211 named txt VREG 0,19 594040 1669247
/usr/lib/libc.so.26.2
You can see that the process is actually accessing files in /usr and
/var that are outside of the chroot jail...
To do it better than this:
http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO-1.html
thanks,
shawn
On Thu, 2002-04-25 at 13:43, Mike Roest wrote:
> Yep it is running in the chroot. The -t /etc/chroot shows that. I
> think that's the only real way to tell
>
> --Mike
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Moti
> Sent: Thursday, April 25, 2002 9:55 AM
> To: freebsd-security@freebsd.org
> Subject: bind9 in a chroot ?
>
>
> o.k
> i followed the instructions and i'm quite sure i have it all right ( dns
> working and all )
> question is : how do i verify that my bind is really running chrooted ?
> will ps -auxw |grep named output -> bind 170 0.0 2.1 3228 2604 ??
> Ss
> 11:52AM 0:00.12 /usr/local/sbin/named -u bind -c
> /etc/namedb/named.conf -t
> /etc/chroot
> be enough ?
> Moti
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Moti: "Re: bind9 in a chroot ?"
- Previous message: VB: "Re: patching holes Hmmmm"
- In reply to: Mike Roest: "RE: bind9 in a chroot ?"
- Next in thread: Moti: "Re: bind9 in a chroot ?"
- Reply: Moti: "Re: bind9 in a chroot ?"
- Reply: Mark.Andrews@isc.org: "Re: bind9 in a chroot ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
