Re: bind9 in a chroot ?

From: Shawn Duffy (pakkit@codepiranha.org)
Date: 04/25/02


From: Shawn Duffy <pakkit@codepiranha.org>
To: Moti <moti@flncs.com>
Date: 25 Apr 2002 14:46:42 -0400



(emailing from a different account)

Yes, what I meant to say was that the link provided a better way to
chroot dns...

thanks,
shawn

On Thu, 2002-04-25 at 14:20, Moti wrote:
>
> ----- Original Message -----
> From: "SecLists" <lists@secure.stargate.net>
> To: "Mike Roest" <bsd-lists@blahz.ab.ca>
> Cc: "'Moti'" <moti@flncs.com>; <freebsd-security@freebsd.org>
> Sent: Thursday, April 25, 2002 2:09 PM
> Subject: RE: bind9 in a chroot ?
>
>
> > You can use lsof to view all open files used by named... if you do that
> > you will see that it is not actually chrooted at all... using the same
> > option with bind9 built from source on OpenBSD, and chrooted into
> > /var/named by the -t option:
> >
> > (root@doberman) ~ # lsof | grep named
> > named 18211 named cwd VDIR 0,20 512 1140352 /var (/dev/wd1e)
> > named 18211 named rtd VDIR 0,20 512 1140352 /var (/dev/wd1e)
> > named 18211 named txt VREG 0,19 5892042 719229 /usr (/dev/wd1d)
> > named 18211 named txt VREG 0,19 61440 1374538 /usr/libexec/ld.so
> > named 18211 named txt VREG 0,20 6429 1163022 /var/run/ld.so.hints
> > named 18211 named txt VREG 0,19 594040 1669247 /usr/lib/libc.so.26.2
> >
> > You can see that the process is actually accessing files in /usr and
> > /var that are outside of the chroot jail...
> >
> I did not get this part ->
> -----------------------------------------------------------------
> > To do it better than this:
> > http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO-1.html
> ------------------------------------------------------------------
> What do you mean by "do it better than this"?
> Do you have a better way, or is this the better way?
>
> >
> > thanks,
> > shawn
> >
> > On Thu, 2002-04-25 at 13:43, Mike Roest wrote:
> > > Yep, it is running in the chroot. The -t /etc/chroot shows that. I
> > > think that's the only real way to tell.
> > >
> > > --Mike
> > >
> > > -----Original Message-----
> > > From: owner-freebsd-security@FreeBSD.ORG
> > > [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Moti
> > > Sent: Thursday, April 25, 2002 9:55 AM
> > > To: freebsd-security@freebsd.org
> > > Subject: bind9 in a chroot ?
> > >
> > >
> > > O.K.
> > > I followed the instructions and I'm quite sure I have it all right (DNS
> > > working and all).
> > > Question is: how do I verify that my bind is really running chrooted?
> > > Will ps -auxw | grep named output ->
> > > bind 170 0.0 2.1 3228 2604 ?? Ss 11:52AM 0:00.12 /usr/local/sbin/named -u bind -c /etc/namedb/named.conf -t /etc/chroot
> > > be enough?
> > > Moti
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> > >

-- 
email: pakkit at codepiranha dot org
web: http://codepiranha.org/~pakkit
pgp key: getkey-pakkit@codepiranha.org
pgp: 8988 6FB6 3CFE FE6D 548E  98FB CCE9 6CA9 98FC 665A
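Added example, not from the thread or from the BIND project: a command line with -t shows what named was asked to do, while inspecting the running process shows what it actually did. The script below compares a process's root directory with the real filesystem root by device and inode number. It assumes a Linux-style /proc where /proc/<pid>/root is a symlink to the process root, and a stat(1) that accepts GNU-style -L -c (coreutils or busybox); on FreeBSD the same information is the "root" entry printed by procstat -f <pid>, and in the lsof output quoted above it is the "rtd" line. The function names and the named process name passed to report_chroot are my own choices.

```sh
#!/bin/sh
# Added example (not from the thread): decide whether a process is chrooted by
# comparing its root directory with the system root.
# Assumption: Linux-style /proc with /proc/<pid>/root, and a stat(1) that
# understands -L (follow symlinks) and -c '%d:%i' (device:inode).

# Print "device:inode" of a path, following symlinks. Fails silently if the
# path cannot be stat'ed (no /proc, no such pid, or insufficient privilege).
dev_ino() {
    stat -L -c '%d:%i' "$1" 2>/dev/null
}

# Exit status: 0 = PID's root differs from the real root (chrooted),
#              1 = same root (not chrooted),
#              2 = the pid could not be inspected.
is_chrooted() {
    pid=$1
    proc_root=$(dev_ino "/proc/$pid/root") || return 2
    [ -n "$proc_root" ] || return 2
    sys_root=$(dev_ino /)
    [ "$proc_root" != "$sys_root" ]
}

# Report every process whose command name matches $1 (for example "named").
# Uses pgrep(1); run as root to be allowed to read other users' /proc entries.
report_chroot() {
    for pid in $(pgrep -x "$1"); do
        if is_chrooted "$pid"; then
            printf '%s %s chrooted, root=%s\n' "$1" "$pid" "$(readlink "/proc/$pid/root")"
        else
            printf '%s %s NOT chrooted\n' "$1" "$pid"
        fi
    done
}

# Usage: ./chrootcheck.sh named
[ $# -eq 1 ] && report_chroot "$1"
```

Because the comparison is on device and inode numbers rather than on the path string, it also catches the case where a daemon's root is a bind mount or a directory whose path merely looks like "/", and it does not depend on how lsof or ps chooses to render paths it cannot resolve.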
