Re: questions about chrooting bind 8.3.3
Hi!
Please try not to wrap long lines in command output.
On Tuesday, 2002-10-29 at 23:35:42 +0100, J.J. van Gorkum wrote:
> Hi, I have a question about chrooting bind 8.3.3
> I have used the setup as described in
> http://people.debian.org/~pzn/howto/chroot-bind.sh.txt ... but when I
> then start bind everything looks right but when I do an lsof -p <pid of
> named> I see:
> command to start bind:
> start-stop-daemon --start --quiet --exec /usr/sbin/named -- -u named -g
> named -t /var/lib/chroot/named/
> # lsof -p 22119
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> named 22119 named cwd DIR 8,22 4096 145479 /var/lib/chroot/named/var/cache/bind
> named 22119 named rtd DIR 8,22 4096 145467 /var/lib/chroot/named
> named 22119 named txt REG 8,6 512088 130880 /usr/sbin/named
> named 22119 named mem REG 8,5 82503 30185 /lib/ld-2.2.5.so
> named 22119 named mem REG 8,5 1145456 30223 /lib/libc-2.2.5.so
> named 22119 named mem REG 8,5 32664 30232 /lib/libnss_files-2.2.5.so
> named 22119 named 0u CHR 1,3 145480 /var/lib/chroot/named/dev/null
> named 22119 named 1u CHR 1,3 145480 /var/lib/chroot/named/dev/null
> named 22119 named 2u CHR 1,3 145480 /var/lib/chroot/named/dev/null
> named 22119 named 3u unix 0xe1086560 5375674 socket
> named 22119 named 4u IPv4 5375686 UDP *:32943
> named 22119 named 5u unix 0xd9d1ec40 5375676 /var/run/ndc
> named 22119 named 20u IPv4 5375680 UDP localhost:domain
> named 22119 named 21u IPv4 5375681 TCP localhost:domain (LISTEN)
> and when I change the command to start bind to :
> start-stop-daemon --chroot /var/lib/chroot/named/ --start --pidfile
> /var/run/named.pid --exec /usr/sbin/named -- -u named -g named
> I see:
> # lsof -p 23433
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> named 23433 named cwd DIR 8,22 4096 145479 /var/lib/chroot/named/var/cache/bind
> named 23433 named rtd DIR 8,22 4096 145467 /var/lib/chroot/named
> named 23433 named txt REG 8,22 512088 145502 /var/lib/chroot/named/usr/sbin/named
> named 23433 named mem REG 8,22 82503 145501 /var/lib/chroot/named/lib/ld-linux.so.2
> named 23433 named mem REG 8,22 1145456 145500 /var/lib/chroot/named/lib/libc.so.6
> named 23433 named mem REG 8,22 32664 146115 /var/lib/chroot/named/lib/libnss_files.so.2
> named 23433 named 0u CHR 1,3 145480 /var/lib/chroot/named/dev/null
> named 23433 named 1u CHR 1,3 145480 /var/lib/chroot/named/dev/null
> named 23433 named 2u CHR 1,3 145480 /var/lib/chroot/named/dev/null
> named 23433 named 3u unix 0xef055a80 5239772 socket
> named 23433 named 4u IPv4 5239784 UDP *:32942
> named 23433 named 5u unix 0xeee6d140 5239774 /var/run/ndc
> named 23433 named 20u IPv4 5239778 UDP localhost:domain
> named 23433 named 21u IPv4 5239779 TCP localhost:domain (LISTEN)
> Look at the difference in the libraries, as I can see when I start named
> as stated in the script the libraries in the chrooted environment are
> not used....
> Am I wrong here?
Wrong in assuming that named's dynamic libraries are linked in after
named has chrooted? Yes. Dynamic linking *must* take place before the
program gets control, or how could it use a library function otherwise?
You may need the libraries in the jail if named runs external programs.
AFAIR, named versions 4 and 8 do that, version 9 doesn't.
HTH,
Lupe Christoph
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |
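The two lsof listings above show the point in the reply: with `-t` named chroots itself after ld.so has already mapped the host's libraries, whereas `start-stop-daemon --chroot` enters the jail before exec, so the jail's copies are what gets loaded. The following is an added example, not code from either poster: a small POSIX shell script that classifies the executable and libraries a process has mapped as inside or outside its jail root, first from lsof output (using the listing from the thread as constructed sample input) and, for a live process, from `/proc/PID/root` and `/proc/PID/maps` on Linux. The script name `check_chroot_libs.sh` and the function names are my own.

```shell
#!/bin/sh
# check_chroot_libs.sh (hypothetical name): report which of a process's
# mapped executable/library files live inside its chroot root.
# Added example; not part of the original thread. Linux /proc assumed.

# Strip trailing slashes so "/var/lib/chroot/named/" and "/var/lib/chroot/named"
# compare alike; an empty argument means the real root "/".
norm_root() {
    r=$1
    while [ "${r%/}" != "$r" ] && [ "$r" != "/" ]; do r=${r%/}; done
    [ -n "$r" ] || r=/
    printf '%s\n' "$r"
}

# Read absolute host-side paths on stdin; print "inside <path>" if the path
# lies below the jail root given as $1, else "outside <path>".
classify_paths() {
    root=$(norm_root "$1")
    while IFS= read -r p; do
        if [ "$root" = "/" ]; then
            echo "inside $p"          # no jail: everything is "inside"
        else
            case "$p" in
                "$root"/*) echo "inside $p" ;;
                *)         echo "outside $p" ;;
            esac
        fi
    done
}

# From "lsof -p PID" output on stdin, print the executable (FD txt) and the
# mapped libraries (FD mem); field 4 is FD, field 5 is TYPE, last field NAME.
lsof_code_paths() {
    awk '($4 == "txt" || $4 == "mem") && $5 == "REG" { print $NF }'
}

# Number of executable/library files mapped from outside jail root $1,
# reading lsof output on stdin. A self-chrooting daemon will show > 0 here.
count_outside() {
    lsof_code_paths | classify_paths "$1" | awk '/^outside / { n++ } END { print n + 0 }'
}

# Live check: the kernel's view of the process root and of its file-backed
# mappings. Needs permission to read /proc/PID/root (root, or the same user).
check_pid() {
    pid=$1
    root=$(readlink "/proc/$pid/root") || return 1
    awk '$6 ~ /^\// { print $6 }' "/proc/$pid/maps" | sort -u | classify_paths "$root"
}

# Constructed sample, taken from the first listing in the thread: named was
# started with -t and chrooted itself after the host libraries were mapped.
sample_self_chroot() {
cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 22119 named cwd DIR 8,22 4096 145479 /var/lib/chroot/named/var/cache/bind
named 22119 named rtd DIR 8,22 4096 145467 /var/lib/chroot/named
named 22119 named txt REG 8,6 512088 130880 /usr/sbin/named
named 22119 named mem REG 8,5 82503 30185 /lib/ld-2.2.5.so
named 22119 named mem REG 8,5 1145456 30223 /lib/libc-2.2.5.so
named 22119 named mem REG 8,5 32664 30232 /lib/libnss_files-2.2.5.so
named 22119 named 0u CHR 1,3 145480 /var/lib/chroot/named/dev/null
EOF
}

# Constructed sample from the second listing: start-stop-daemon --chroot
# entered the jail before exec, so the jail's own libraries were loaded.
sample_pre_chroot() {
cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 23433 named rtd DIR 8,22 4096 145467 /var/lib/chroot/named
named 23433 named txt REG 8,22 512088 145502 /var/lib/chroot/named/usr/sbin/named
named 23433 named mem REG 8,22 82503 145501 /var/lib/chroot/named/lib/ld-linux.so.2
named 23433 named mem REG 8,22 1145456 145500 /var/lib/chroot/named/lib/libc.so.6
named 23433 named mem REG 8,22 32664 146115 /var/lib/chroot/named/lib/libnss_files.so.2
EOF
}

# Usage: sh check_chroot_libs.sh <pid>      (or pipe lsof output into count_outside)
if [ "$#" -gt 0 ]; then check_pid "$1"; fi
```

Run against the first listing the script reports four files mapped from outside `/var/lib/chroot/named` (the binary plus three libraries), against the second it reports none. A non-zero count is expected for a daemon that chroots itself, and is only a problem if the host copies are ones you did not intend it to run with; the copies inside the jail still matter whenever the daemon execs helper programs from inside it, as the reply notes for BIND 4 and 8.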