
Re: questions about chrooting bind 8.3.3



Hello,
Bind has the built-in ability to chroot itself (-t). Then all that needs
to be done is altering the bind init script (/etc/init.d/bind), which
contains the OPTS variable. Add '-u [username] -t [chroot_dir]' into
that variable and you should be ok. I've done this with Bind 8, and have now
upgraded them to 9.

On Tue, 2002-10-29 at 17:35, J.J. van Gorkum wrote:
> Hi, I have a question about chrooting bind 8.3.3 
> 
> I have used the setup as described in
> http://people.debian.org/~pzn/howto/chroot-bind.sh.txt ... but when I
> then start bind everything looks right, but when I do an lsof -p <pid of
> named> I see:
> 
> command to start bind:
> 
> start-stop-daemon --start --quiet --exec /usr/sbin/named -- -u named -g
> named -t /var/lib/chroot/named/
> 
> # lsof -p 22119
> COMMAND   PID  USER   FD   TYPE     DEVICE    SIZE    NODE NAME
> named   22119 named  cwd    DIR       8,22    4096  145479 /var/lib/chroot/named/var/cache/bind
> named   22119 named  rtd    DIR       8,22    4096  145467 /var/lib/chroot/named
> named   22119 named  txt    REG        8,6  512088  130880 /usr/sbin/named
> named   22119 named  mem    REG        8,5   82503   30185 /lib/ld-2.2.5.so
> named   22119 named  mem    REG        8,5 1145456   30223 /lib/libc-2.2.5.so
> named   22119 named  mem    REG        8,5   32664   30232 /lib/libnss_files-2.2.5.so
> named   22119 named    0u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
> named   22119 named    1u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
> named   22119 named    2u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
> named   22119 named    3u  unix 0xe1086560         5375674 socket
> named   22119 named    4u  IPv4    5375686             UDP *:32943
> named   22119 named    5u  unix 0xd9d1ec40         5375676 /var/run/ndc
> named   22119 named   20u  IPv4    5375680             UDP localhost:domain
> named   22119 named   21u  IPv4    5375681             TCP localhost:domain (LISTEN)
> 
> and when I change the command to start bind to :
> 
> start-stop-daemon --chroot /var/lib/chroot/named/ --start --pidfile
> /var/run/named.pid --exec /usr/sbin/named -- -u named -g named
> 
> I see:
> # lsof -p 23433
> COMMAND   PID  USER   FD   TYPE     DEVICE    SIZE    NODE NAME
> named   23433 named  cwd    DIR       8,22    4096  145479 /var/lib/chroot/named/var/cache/bind
> named   23433 named  rtd    DIR       8,22    4096  145467 /var/lib/chroot/named
> named   23433 named  txt    REG       8,22  512088  145502 /var/lib/chroot/named/usr/sbin/named
> named   23433 named  mem    REG       8,22   82503  145501 /var/lib/chroot/named/lib/ld-linux.so.2
> named   23433 named  mem    REG       8,22 1145456  145500 /var/lib/chroot/named/lib/libc.so.6
> named   23433 named  mem    REG       8,22   32664  146115 /var/lib/chroot/named/lib/libnss_files.so.2
> named   23433 named    0u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
> named   23433 named    1u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
> named   23433 named    2u   CHR        1,3          145480 /var/lib/chroot/named/dev/null
> named   23433 named    3u  unix 0xef055a80         5239772 socket
> named   23433 named    4u  IPv4    5239784             UDP *:32942
> named   23433 named    5u  unix 0xeee6d140         5239774 /var/run/ndc
> named   23433 named   20u  IPv4    5239778             UDP localhost:domain
> named   23433 named   21u  IPv4    5239779             TCP localhost:domain (LISTEN)
> 
> 
> Look at the difference in the libraries: as far as I can see, when I start named
> as stated in the script, the libraries in the chrooted environment are
> not used....
> 
> Am I wrong here?
> -- 
> J.J. van Gorkum                            Knowledge Zone
> --
> If UNIX isn't the solution, you've got the wrong problem.
-- 
Sean McAvoy
Network Analyst
Megawheels Technologies Inc.
Phone: 416.360.8211
Fax:   416.360.1403
Cell:  416.616.6599
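The two lsof listings quoted above differ only in where named's binary and libraries are resolved from: with `-t`, named loads them from the host before chrooting itself, while `start-stop-daemon --chroot` resolves them inside the jail. As an added check, not part of the thread, the script below parses `lsof -p` output and lists every `txt`/`mem` mapping whose path is not under the process root (the `rtd` entry). The sample listings are constructed from the thread's output, abbreviated and unwrapped onto one line each.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads lsof -p output for a
# supposedly chrooted process and reports executable/library mappings
# (FD "txt" or "mem") that live outside the root directory ("rtd").

# Case 1 (constructed from the thread): named started with -t; the
# binary and libraries were mapped from the host before the chroot.
HOST_LIBS='COMMAND   PID  USER   FD   TYPE DEVICE    SIZE   NODE NAME
named   22119 named  cwd    DIR   8,22    4096 145479 /var/lib/chroot/named/var/cache/bind
named   22119 named  rtd    DIR   8,22    4096 145467 /var/lib/chroot/named
named   22119 named  txt    REG    8,6  512088 130880 /usr/sbin/named
named   22119 named  mem    REG    8,5   82503  30185 /lib/ld-2.2.5.so
named   22119 named  mem    REG    8,5 1145456  30223 /lib/libc-2.2.5.so
named   22119 named    0u   CHR    1,3         145480 /var/lib/chroot/named/dev/null'

# Case 2 (constructed from the thread): start-stop-daemon --chroot;
# everything is resolved inside the jail.
JAIL_LIBS='COMMAND   PID  USER   FD   TYPE DEVICE    SIZE   NODE NAME
named   23433 named  rtd    DIR   8,22    4096 145467 /var/lib/chroot/named
named   23433 named  txt    REG   8,22  512088 145502 /var/lib/chroot/named/usr/sbin/named
named   23433 named  mem    REG   8,22   82503 145501 /var/lib/chroot/named/lib/ld-linux.so.2
named   23433 named  mem    REG   8,22 1145456 145500 /var/lib/chroot/named/lib/libc.so.6'

# outside_root: lsof output on stdin; prints each mapped file whose path
# is not below the rtd directory. Exit 0 if none, 1 if any, 2 if no rtd.
outside_root() {
    awk '
        NR == 1 { next }                          # skip header
        $4 == "rtd" { root = $NF; next }          # process root directory
        $4 == "txt" || $4 == "mem" { paths[++n] = $NF }
        END {
            if (root == "") exit 2                # cannot judge without rtd
            bad = 0
            for (i = 1; i <= n; i++)
                if (root != "/" && index(paths[i], root "/") != 1) {
                    print paths[i]; bad = 1
                }
            exit bad
        }'
}

# count_outside LISTING: number of offending mappings, as a plain integer
count_outside() {
    printf '%s\n' "$1" | outside_root | awk 'END { print NR }'
}

printf '%s\n' "$HOST_LIBS" | outside_root || echo "mappings outside the chroot found"
```

On a live system, feed it `lsof -p "$(cat /var/run/named.pid)"` instead of the constructed listing.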
