Date:      25 Apr 2002 14:46:42 -0400
From:      Shawn Duffy <pakkit@codepiranha.org>
To:        Moti <moti@flncs.com>
Cc:        SecLists <lists@secure.stargate.net>, freebsd-security@freebsd.org
Subject:   Re: bind9 in a chroot ?
Message-ID:  <1019760403.8333.1.camel@pitbull.codepiranha.org>
In-Reply-To: <022001c1ec86$42f99430$fd6e34c6@mlevy>
References:  <000401c1ec80$ac5c8c80$465d4018@zeus> <1019758146.9372.23.camel@interrogation.ws.pitdc1.stargate.net>  <022001c1ec86$42f99430$fd6e34c6@mlevy>

(emailing from a different account)

Yes, what I meant to say was that the link provided a better way to
chroot dns...

thanks,
shawn

On Thu, 2002-04-25 at 14:20, Moti wrote:
>
> ----- Original Message -----
> From: "SecLists" <lists@secure.stargate.net>
> To: "Mike Roest" <bsd-lists@blahz.ab.ca>
> Cc: "'Moti'" <moti@flncs.com>; <freebsd-security@freebsd.org>
> Sent: Thursday, April 25, 2002 2:09 PM
> Subject: RE: bind9 in a chroot ?
>
>
> > You can use lsof to view all open files used by named... if you do that
> > you will see that it is not actually chrooted at all... using the same
> > option with bind9 built from source on OpenBSD, and chrooted into
> > /var/named by the -t option:
> >
> > (root@doberman) ~ # lsof | grep named
> > named     18211     named  cwd   VDIR       0,20        512 1140352 /var (/dev/wd1e)
> > named     18211     named  rtd   VDIR       0,20        512 1140352 /var (/dev/wd1e)
> > named     18211     named  txt   VREG       0,19    5892042  719229 /usr (/dev/wd1d)
> > named     18211     named  txt   VREG       0,19      61440 1374538 /usr/libexec/ld.so
> > named     18211     named  txt   VREG       0,20       6429 1163022 /var/run/ld.so.hints
> > named     18211     named  txt   VREG       0,19     594040 1669247 /usr/lib/libc.so.26.2
> >
> > You can see that the process is actually accessing files in /usr and
> > /var that are outside of the chroot jail...
> >
> i did not get this part ->
> -----------------------------------------------------------------
> > To do it better than this:
> > http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO-1.html
> ------------------------------------------------------------------
> what do you mean to do this better than this ?
> do you have a better way or is this the better way ?
>
> >
> > thanks,
> > shawn
> >
> > On Thu, 2002-04-25 at 13:43, Mike Roest wrote:
> > > Yep it is running in the chroot.  The -t /etc/chroot shows that.  I
> > > think that's the only real way to tell
> > >
> > > --Mike
> > >
> > > -----Original Message-----
> > > From: owner-freebsd-security@FreeBSD.ORG
> > > [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Moti
> > > Sent: Thursday, April 25, 2002 9:55 AM
> > > To: freebsd-security@freebsd.org
> > > Subject: bind9 in a chroot ?
> > >
> > >
> > > o.k
> > > i followed the instructions and i'm quite sure i have it all right ( dns
> > > working and all )
> > > question is : how do i verify that my bind is really running chrooted ?
> > > will ps -auxw |grep named output ->
> > > bind    170  0.0  2.1  3228 2604  ??  Ss  11:52AM  0:00.12 /usr/local/sbin/named -u bind -c /etc/namedb/named.conf -t /etc/chroot
> > > be enough ?
> > > Moti
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> > >
> > >
> > >
> >
> >
> >
> >
>
>
-- 
email: pakkit at codepiranha dot org
web: http://codepiranha.org/~pakkit
pgp key: getkey-pakkit@codepiranha.org
pgp: 8988 6FB6 3CFE FE6D 548E  98FB CCE9 6CA9 98FC 665A
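The check discussed in the thread (run lsof on the named process, confirm its root directory matches the -t argument, and spot open paths outside it) as a script; this is an added example, not code from the mail or from BIND, and check_chroot, SAMPLE_JAILED and SAMPLE_LEAKY are hypothetical names with constructed sample lsof rows.

```sh
#!/bin/sh
# check_chroot (hypothetical helper): reads lsof output for one process on stdin
# (9 columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME), takes the 'rtd'
# row as the kernel-reported root directory, compares it with the directory given
# to named -t ($1), and lists every other open path that is not under that root.
# Exit status: 0 clean, 1 findings, 2 unusable input. Only the first NAME token is used.
check_chroot() {
    awk -v want="$1" '
        BEGIN { n = 0 }
        $1 == "COMMAND" { next }                  # lsof header line
        $4 == "rtd"     { root = $9; next }       # root directory of the process
        { fd[n] = $4; name[n] = $9; n++ }
        END {
            if (root == "") { print "FAIL: no rtd row; is this lsof output for a single pid?"; exit 2 }
            if (root != want) { printf "FAIL: root is %s, expected %s\n", root, want; exit 1 }
            pfx = (root == "/") ? "/" : (root "/")  # match on a directory boundary, not a string prefix
            bad = 0
            for (i = 0; i < n; i++)
                if (name[i] != root && index(name[i], pfx) != 1) {
                    print "OUTSIDE " fd[i] " " name[i]; bad++
                }
            if (bad) { print "WARN: " bad " open path(s) outside " root; exit 1 }
            print "OK: root " root ", every open path is inside it"
        }'
}

# Constructed samples, modelled on the OpenBSD listing quoted in the thread.
SAMPLE_JAILED='named 18211 named cwd VDIR 0,20 512 1140352 /var/named
named 18211 named rtd VDIR 0,20 512 1140352 /var/named
named 18211 named 3u VREG 0,20 6429 1163022 /var/named/etc/named.conf'

SAMPLE_LEAKY='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
named 18211 named cwd VDIR 0,20 512 1140352 /var/named
named 18211 named rtd VDIR 0,20 512 1140352 /var/named
named 18211 named txt VREG 0,19 61440 1374538 /usr/libexec/ld.so
named 18211 named txt VREG 0,20 6429 1163022 /var/run/ld.so.hints
named 18211 named txt VREG 0,19 594040 1669247 /usr/lib/libc.so.26.2'

# Demo on the samples; on a live host: lsof -p "$(pgrep -x named)" | check_chroot /var/named
printf '%s\n' "$SAMPLE_JAILED" | check_chroot /var/named
printf '%s\n' "$SAMPLE_LEAKY" | check_chroot /var/named || echo "exit status $?"
```

Executables and libraries mapped before named called chroot() (ld.so, libc) keep their pre-chroot paths in lsof, so such txt rows record what was loaded before the jail was entered rather than an escape; the rtd row is what says whether the process is confined now.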


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1019760403.8333.1.camel>