From owner-freebsd-security Thu Apr 25 11:42:37 2002
Subject: Re: bind9 in a chroot ?
From: Shawn Duffy
To: Moti
Cc: SecLists, freebsd-security@freebsd.org
Date: 25 Apr 2002 14:46:42 -0400
Message-Id: <1019760403.8333.1.camel@pitbull.codepiranha.org>
In-Reply-To: <022001c1ec86$42f99430$fd6e34c6@mlevy>

(emailing from a different account)

Yes, what I meant to say was that the link provided a better way to
chroot dns...

thanks,
shawn

On Thu, 2002-04-25 at 14:20, Moti wrote:
>
> ----- Original Message -----
> From: "SecLists"
> To: "Mike Roest"
> Cc: "'Moti'" ;
> Sent: Thursday, April 25, 2002 2:09 PM
> Subject: RE: bind9 in a chroot ?
>
>
> > You can use lsof to view all open files used by named... if you do that
> > you will see that it is not actually chrooted at all... using the same
> > option with bind9 built from source on OpenBSD, and chrooted into
> > /var/named by the -t option:
> >
> > (root@doberman) ~ # lsof | grep named
> > named 18211 named cwd VDIR 0,20 512 1140352 /var (/dev/wd1e)
> > named 18211 named rtd VDIR 0,20 512 1140352 /var (/dev/wd1e)
> > named 18211 named txt VREG 0,19 5892042 719229 /usr (/dev/wd1d)
> > named 18211 named txt VREG 0,19 61440 1374538 /usr/libexec/ld.so
> > named 18211 named txt VREG 0,20 6429 1163022 /var/run/ld.so.hints
> > named 18211 named txt VREG 0,19 594040 1669247 /usr/lib/libc.so.26.2
> >
> > You can see that the process is actually accessing files in /usr and
> > /var that are outside of the chroot jail...
> >
> i did not get this part ->
> -----------------------------------------------------------------
> > To do it better than this:
> > http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO-1.html
> ------------------------------------------------------------------
> what do you mean to do this better than this ?
> do you have a better way or is this the better way ?
>
> > thanks,
> > shawn
> >
> > On Thu, 2002-04-25 at 13:43, Mike Roest wrote:
> > > Yep it is running in the chroot. The -t /etc/chroot shows that. I
> > > think that's the only real way to tell
> > >
> > > --Mike
> > >
> > > -----Original Message-----
> > > From: owner-freebsd-security@FreeBSD.ORG
> > > [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Moti
> > > Sent: Thursday, April 25, 2002 9:55 AM
> > > To: freebsd-security@freebsd.org
> > > Subject: bind9 in a chroot ?
> > >
> > > o.k
> > > i followed the instructions and i'm quite sure i have it all right ( dns
> > > working and all )
> > > question is : how do i verify that my bind is really running chrooted ?
> > > will ps -auxw |grep named output ->
> > > bind 170 0.0 2.1 3228 2604 ?? Ss 11:52AM 0:00.12 /usr/local/sbin/named -u bind -c /etc/namedb/named.conf -t /etc/chroot
> > > be enough ?
> > > Moti
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
>

-- 
email: pakkit at codepiranha dot org
web: http://codepiranha.org/~pakkit
pgp key: getkey-pakkit@codepiranha.org
pgp: 8988 6FB6 3CFE FE6D 548E 98FB CCE9 6CA9 98FC 665A
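The point of the thread is that a `-t /some/dir` in `ps` output only shows what named was asked to do, while the files the process actually holds open show what happened. The script below is an added example, written for this page and not code from anyone in the thread: it turns the lsof check into a repeatable filter that, given the directory the daemon is supposed to be confined to, prints every open file lsof reports outside it. The sample input is constructed: the six OpenBSD lsof lines quoted above, plus one made-up entry for a file genuinely inside the chroot (`/var/named/etc/named.conf`, an assumed path) so the filter has something to keep.

```sh
#!/bin/sh
# Added example, not code from the thread: check lsof output for files a
# supposedly chrooted daemon holds open outside its chroot directory.
# Input is lsof's default column layout:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# A NAME that is an absolute path not living under the chroot directory
# means the process is not confined the way its command line suggests.

# outside_chroot CHROOT_DIR
# Reads lsof lines on stdin and prints "FD<TAB>NAME" for each entry whose
# NAME is an absolute path outside CHROOT_DIR. Non-path NAMEs (sockets,
# pipes) are ignored.
outside_chroot() {
    chroot_dir=${1%/}   # "/var/named/" and "/var/named" behave alike; "/" becomes ""
    awk -v root="$chroot_dir" '
        $9 ~ /^\// {
            path = $9
            # Inside the chroot means: equal to it, or prefixed by it plus "/".
            if (path != root && index(path, root "/") != 1)
                print $4 "\t" path
        }'
}

# sample_lsof
# Constructed input: the six lines quoted in the thread (named started
# with -t /var/named on OpenBSD) plus one made-up line for a file that is
# inside the chroot (the path is an assumption for this example).
sample_lsof() {
    cat <<'EOF'
named 18211 named cwd VDIR 0,20 512 1140352 /var (/dev/wd1e)
named 18211 named rtd VDIR 0,20 512 1140352 /var (/dev/wd1e)
named 18211 named txt VREG 0,19 5892042 719229 /usr (/dev/wd1d)
named 18211 named txt VREG 0,19 61440 1374538 /usr/libexec/ld.so
named 18211 named txt VREG 0,20 6429 1163022 /var/run/ld.so.hints
named 18211 named txt VREG 0,19 594040 1669247 /usr/lib/libc.so.26.2
named 18211 named 3r VREG 0,20 1480 1140401 /var/named/etc/named.conf
EOF
}

# count_outside CHROOT_DIR
# Number of sample entries outside CHROOT_DIR; 0 means every open file
# lsof reported is within the expected root.
count_outside() {
    sample_lsof | outside_chroot "$1" | awk 'END { print NR }'
}

# Demo: on the thread's output, everything but the constructed named.conf
# entry is outside /var/named.
sample_lsof | outside_chroot /var/named
```

Two things worth reading off the output by hand. The `rtd` entry is the process's root directory as the kernel sees it, which is the most direct answer to the original question; a `cwd` or `rtd` that is not the expected chroot directory settles the matter regardless of the `-t` argument. And a NAME consisting of a mount point followed by a device in parentheses, like `/var (/dev/wd1e)`, means lsof could only identify the file system, not the full path; treat those lines as "confirm another way" rather than as proof in either direction.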