Re: chroot and BIND

From: Heather Flanagan (hlf00@earthlink.net)
Date: 10/18/01


Message-ID: <20011018201142.17217.qmail@earthlink.net>
From: "Heather Flanagan" <hlf00@earthlink.net>
To: focus-sun@securityfocus.com
Date: Thu, 18 Oct 2001 16:11:42 -0400
Subject: Re: chroot and BIND


> I had this happen to me a few months ago. What was happening was the
> chroot jail was not completely configured with respect to local time. When
> this happens, the chroot'd version of bind uses GMT time instead of local
> time which looks really strange in syslog. In my case the chroot'd
> /etc/TIMEZONE file was correct, but I discovered that the chroot jail
> version of /usr/share/lib/zoneinfo directory was empty. I copied the
> contents of /usr/share/lib/zoneinfo to the chroot jail version of
> /usr/share/lib/zoneinfo directory and the time stamps were written
> correctly.
>

Sure enough, that fixed it - many many thanks! The server itself is out in California, I'm on the other side of the country, in North Carolina.

Would there be any security ramifications to having a copy of the entire /usr/share/lib/zoneinfo in the chroot jail? I'm honestly not sure which one(s) I'd need to keep.

-heather f.
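
One way to keep the jail's copy of /usr/share/lib/zoneinfo down to the single zone the jail is configured for, as an added example that is not part of the original post. It assumes the jail's /etc/TIMEZONE carries a TZ= line; the function names and the source and jail paths passed as arguments are hypothetical.

```shell
#!/bin/sh
# Added example: copy only the zone named in the jail's /etc/TIMEZONE.

# Print the TZ value from the jail's TIMEZONE file (assumed line: TZ=US/Pacific).
jail_tz() {
    sed -n 's/^TZ=\(.*\)$/\1/p' "$1/etc/TIMEZONE" | head -n 1
}

# populate_jail_zone SRC JAIL
# SRC is the real zoneinfo directory, JAIL is the chroot root.
populate_jail_zone() {
    src=$1
    jail=$2
    tz=$(jail_tz "$jail")
    # Accept only relative names built from safe characters; reject "..".
    case $tz in
        ''|/*|*..*|*[!A-Za-z0-9_+/-]*) echo "bad TZ: '$tz'" >&2; return 1 ;;
    esac
    [ -f "$src/$tz" ] || { echo "no zone file for $tz" >&2; return 1; }
    dest="$jail/usr/share/lib/zoneinfo/$tz"
    mkdir -p "$(dirname "$dest")" || return 1
    cp "$src/$tz" "$dest" || return 1
    chmod 444 "$dest"    # the jailed daemon only needs to read it
}

# List the files in the jail's zoneinfo tree, relative to that tree.
jail_zone_files() {
    (cd "$1/usr/share/lib/zoneinfo" && find . -type f | sed 's|^\./||' | sort)
}

# Constructed demo: a fake source tree and jail under a temp directory.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/src/US" "$t/jail/etc"
    echo zonedata > "$t/src/US/Pacific"
    echo zonedata > "$t/src/US/Eastern"
    printf 'TZ=US/Pacific\nCMASK=022\n' > "$t/jail/etc/TIMEZONE"
    populate_jail_zone "$t/src" "$t/jail" && jail_zone_files "$t/jail"
    rm -rf "$t"
}
demo
```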
