Date: Thu, 25 Apr 2002 14:20:09 -0400
From: "Moti" <moti@flncs.com>
To: "SecLists" <lists@secure.stargate.net>, <freebsd-security@freebsd.org>
Subject: Re: bind9 in a chroot ?
Message-ID: <022001c1ec86$42f99430$fd6e34c6@mlevy>
References: <000401c1ec80$ac5c8c80$465d4018@zeus> <1019758146.9372.23.camel@interrogation.ws.pitdc1.stargate.net>
----- Original Message -----
From: "SecLists" <lists@secure.stargate.net>
To: "Mike Roest" <bsd-lists@blahz.ab.ca>
Cc: "'Moti'" <moti@flncs.com>; <freebsd-security@freebsd.org>
Sent: Thursday, April 25, 2002 2:09 PM
Subject: RE: bind9 in a chroot ?

> You can use lsof to view all open files used by named... if you do that
> you will see that it is not actually chrooted at all... using the same
> option with bind9 built from source on OpenBSD, and chrooted into
> /var/named by the -t option:
>
> (root@doberman) ~ # lsof | grep named
> named 18211 named cwd VDIR 0,20 512 1140352 /var (/dev/wd1e)
> named 18211 named rtd VDIR 0,20 512 1140352 /var (/dev/wd1e)
> named 18211 named txt VREG 0,19 5892042 719229 /usr (/dev/wd1d)
> named 18211 named txt VREG 0,19 61440 1374538 /usr/libexec/ld.so
> named 18211 named txt VREG 0,20 6429 1163022 /var/run/ld.so.hints
> named 18211 named txt VREG 0,19 594040 1669247 /usr/lib/libc.so.26.2
>
> You can see that the process is actually accessing files in /usr and
> /var that are outside of the chroot jail...

i did not get this part ->
-----------------------------------------------------------------
> To do it better than this:
> http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO-1.html
------------------------------------------------------------------
what do you mean to do this better than this ?
do you have a better way or is this the better way ?

> thanks,
> shawn
>
> On Thu, 2002-04-25 at 13:43, Mike Roest wrote:
> > Yep it is running in the chroot. The -t /etc/chroot shows that. I
> > think that's the only real way to tell
> >
> > --Mike
> >
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Moti
> > Sent: Thursday, April 25, 2002 9:55 AM
> > To: freebsd-security@freebsd.org
> > Subject: bind9 in a chroot ?
> >
> >
> > o.k
> > i followed the instructions and i'm quite sure i have it all right ( dns
> > working and all )
> > question is : how do i verify that my bind is really running chrooted ?
> > will ps -auxw |grep named output -> bind 170 0.0 2.1 3228 2604 ?? Ss
> > 11:52AM 0:00.12 /usr/local/sbin/named -u bind -c /etc/namedb/named.conf -t
> > /etc/chroot
> > be enough ?
> > Moti
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
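As an added example, not part of this thread and not written by any of its participants: a POSIX shell script that applies the lsof check Shawn describes to lsof-style output in a mechanical way. It reads the `FD` column, reports the path lsof records as the process's root directory (the `rtd` entry), and lists the open files whose paths do not lie beneath that root. The sample lines are constructed after the OpenBSD output quoted above, with the wrapped `(/dev/...)` mount-point suffixes rejoined; the root is taken from the `rtd` entry rather than from the `-t` argument on the `ps` line, because the command line only shows what named was asked to do, not the root the process actually ended up with.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses lsof-style lines
# (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME ...) for one process
# and answers: what does lsof record as the process root, and which open
# files sit outside it?

# Constructed sample, modelled on the OpenBSD lsof lines quoted in the thread.
LSOF_SAMPLE='named 18211 named cwd VDIR 0,20 512 1140352 /var (/dev/wd1e)
named 18211 named rtd VDIR 0,20 512 1140352 /var (/dev/wd1e)
named 18211 named txt VREG 0,19 5892042 719229 /usr (/dev/wd1d)
named 18211 named txt VREG 0,19 61440 1374538 /usr/libexec/ld.so
named 18211 named txt VREG 0,20 6429 1163022 /var/run/ld.so.hints
named 18211 named txt VREG 0,19 594040 1669247 /usr/lib/libc.so.26.2'

# process_root LINES: print the path lsof records as the process root
# directory (FD column "rtd"); "/" when no rtd entry is present.
process_root() {
    printf '%s\n' "$1" | awk '
        $4 == "rtd" { print $9; found = 1; exit }
        END { if (!found) print "/" }'
}

# is_chrooted LINES: succeed when the recorded root is something other than "/".
is_chrooted() {
    [ "$(process_root "$1")" != "/" ]
}

# files_outside_root LINES: print "FD PATH" for every entry whose path is
# neither the root itself nor located beneath it.
files_outside_root() {
    root=$(process_root "$1")
    printf '%s\n' "$1" | awk -v root="$root" '
        BEGIN { prefix = (root == "/") ? "/" : root "/" }
        $4 == "rtd" { next }
        $9 != root && index($9, prefix) != 1 { print $4, $9 }'
}

# Stand-alone run against the constructed sample.
echo "process root: $(process_root "$LSOF_SAMPLE")"
if is_chrooted "$LSOF_SAMPLE"; then
    echo "chrooted: yes"
else
    echo "chrooted: no"
fi
echo "entries outside the root:"
files_outside_root "$LSOF_SAMPLE"
```

Reading the result: the `rtd` entry is lsof's record of the process's root directory, so a value other than `/` means a chroot(2) call did take effect; lsof shows every path resolved from the real root, which is why a chrooted process's root appears as `/var` rather than `/`. The executable and its shared libraries (the `txt` entries) are mapped by the loader before named ever calls chroot(2), so they show up under `/usr` whatever the root is; their presence alone does not prove the chroot is missing. On a live system the lines come from `lsof -p PID` (or, on FreeBSD, the equivalent `procstat -f PID` and `fstat -p PID` listings), and the entries worth a second look are files opened after startup that still resolve outside the root.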