Re: Problems chrooting BIND 9.2.2 in a Solaris 8 box

From: Ricardo J. Ulisses Filho (ricardoj_at_hotlink.com.br)
Date: 03/13/04

    To: GARCIA CABALLERO Jordi <Jordi.GARCIA@oami.eu.int>, security-basics@securityfocus.com, focus-sun@securityfocus.com
    Date: Sat, 13 Mar 2004 14:08:03 -0300
    
    

    Hi,

    It appears that named is trying to look for its hosts files in /dns/etc,
    since this should be the specified directory in named.conf.
    Probably this directory (/export/home/dns/dns/etc) does not exist.

    Have you tried to do the chroot directly from named, by its -t flag?
    AFAIK, BIND 9.2.2 provides the ability to chroot itself, after it processes
    all the command line arguments, with the -t flag.

    Instead of
    # /usr/sbin/chroot /export/home/dns /usr/local/sbin/named -u named

    Try
    # /usr/local/sbin/named -u named -t /export/home/dns

    Cheers,

    -- 
    Ricardo J. Ulisses Filho
    _____________________________
    rico@hotlink.com.br
    Systems Administrator
    HOTlink Internet

    On Thursday 11 March 2004 15:02, GARCIA CABALLERO Jordi wrote:
    > Hi,
    >
    > Chrooting BIND 9.2.2 in a Solaris 8 02/2002 box, I get this weird error
    > when running named in the jail:
    >
    > # /usr/sbin/chroot /export/home/dns /usr/local/sbin/named -u named
    >
    > What I see from the console
    >
    > Mar 11 18:26:15 oasv020 named[11788]: /etc/named.conf:16: change directory
    > to '/dns/etc' failed: file not found
    > Mar 11 18:26:15 oasv020 named[11788]: /etc/named.conf:16: parsing failed
    > Mar 11 18:26:15 oasv020 named[11788]: loading configuration: file not found
    > Mar 11 18:26:15 oasv020 named[11788]: exiting (due to fatal error)
    >
    > It is like the chroot command does not work properly since it tries to access
    > the /etc chrooted directory that really points to /export/home/dns/etc
    > directory.
    >
    > It is not the first time that I have chrooted the BIND service. A couple of
    > years ago, I chrooted BIND 8.2.2-P5 on a Solaris 8 box, following this
    > document from Sean Boran and I did not get any problem.
    >
    > http://www.securityfocus.com/archive/attachment/66802/2/
    >
    > Any ideas?
    >
    > Regards,
    >
    > > Jordi Garcia
    > > Unix LSA - Office * AE4/1A-1.053
    > >
    > > OFFICE FOR HARMONIZATION IN THE INTERNAL MARKET
    > > Information Technologies and Facilities Department
    > >  Production and Telecommunication  Service
    > > Servers, Databases and Applications Sector
    > >
    > > Avenida de Europa, 4 - AC 77 - E-03080 Alicante - SPAIN
    > >
    > > * +34 965 139 777
    > > * +34 965 139 614
    > > *  +34 629 284 187 (5777)
    > > *  Jordi.GARCIA@oami.eu.int
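
Added example (not part of the original message or of BIND): a shell pre-flight check for the failure in the quoted log, where the `directory` path from named.conf is looked up under the jail root once named is chrooted. The function names, the assumption of a single-line `directory "...";` statement and the throwaway jail are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for a chrooted named: does the `directory` option in
# named.conf exist *inside* the jail?
# Assumption: the config has one `directory "<path>";` statement on a single line.

# Print the path given to the `directory` option of a named.conf file.
conf_directory() {
    sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_jail JAIL [CONF]
# CONF is the config path as named sees it after chroot (default /etc/named.conf).
# Returns 0 if the directory exists in the jail, 1 if it is missing,
# 2 if the config is missing or has no directory option.
check_jail() {
    jail=${1%/}
    conf=${2:-/etc/named.conf}
    if [ ! -f "$jail$conf" ]; then
        echo "missing config: $jail$conf"; return 2
    fi
    dir=$(conf_directory "$jail$conf")
    if [ -z "$dir" ]; then
        echo "no directory option in $jail$conf"; return 2
    fi
    # After chroot, named resolves $dir relative to the jail root.
    if [ -d "$jail$dir" ]; then
        echo "ok: $dir -> $jail$dir"; return 0
    fi
    echo "missing: $dir resolves to $jail$dir inside the jail"
    return 1
}

# Build a throwaway jail (constructed sample) with the layout from the thread:
# the config names /dns/etc, but the jail has no dns/etc under its root.
make_demo_jail() {
    j=$(mktemp -d) || return 1
    mkdir -p "$j/etc"
    printf 'options {\n\tdirectory "/dns/etc";\n};\n' > "$j/etc/named.conf"
    echo "$j"
}

# Usage on a real host: check_jail /export/home/dns
```

For the jail in the thread, a return value of 1 corresponds to the "change directory to '/dns/etc' failed" log line: the path has to exist as /export/home/dns/dns/etc, or the `directory` option has to name a path that does exist under the jail root.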
    
