Date:      Fri, 26 Apr 2002 07:49:21 +1000
From:      Mark.Andrews@isc.org
To:        SecLists <lists@secure.stargate.net>
Cc:        Mike Roest <bsd-lists@blahz.ab.ca>, "'Moti'" <moti@flncs.com>, freebsd-security@freebsd.org
Subject:   Re: bind9 in a chroot ? 
Message-ID:  <200204252149.g3PLnLx78490@drugs.dv.isc.org>
In-Reply-To: Your message of "25 Apr 2002 14:09:06 -0400." <1019758146.9372.23.camel@interrogation.ws.pitdc1.stargate.net> 


> You can use lsof to view all open files used by named... if you do that
> you will see that it is not actually chrooted at all...

	Please retract this mis-statement.  It *is* chrooted.  You
	should learn to read the output of your tools.

	See the entry with 'rtd'.  That's the root directory for this
	process.  You will note that it says that the root directory
	for this process lives on the /var filesystem.

	As for the other entries, they are the text image of the process.

	Mark

> using the same
> option with bind9 built from source on OpenBSD, and chrooted into
> /var/named by the -t option:
> 
> (root@doberman) ~ # lsof | grep named
> named     18211     named  cwd   VDIR       0,20        512 1140352 /var (/dev/wd1e)
> named     18211     named  rtd   VDIR       0,20        512 1140352 /var (/dev/wd1e)
> named     18211     named  txt   VREG       0,19    5892042  719229 /usr (/dev/wd1d)
> named     18211     named  txt   VREG       0,19      61440 1374538 /usr/libexec/ld.so
> named     18211     named  txt   VREG       0,20       6429 1163022 /var/run/ld.so.hints
> named     18211     named  txt   VREG       0,19     594040 1669247 /usr/lib/libc.so.26.2
> 
> You can see that the process is actually accessing files in /usr and
> /var that are outside of the chroot jail...
> 
> To do it better than this:
> http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO-1.html
> 
> thanks,
> shawn
> 
> On Thu, 2002-04-25 at 13:43, Mike Roest wrote:
> > Yep it is running in the chroot.  The -t /etc/chroot shows that.  I
> > think that's the only real way to tell
> > 
> > --Mike
> > 
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Moti
> > Sent: Thursday, April 25, 2002 9:55 AM
> > To: freebsd-security@freebsd.org
> > Subject: bind9 in a chroot ? 
> > 
> > 
> > O.K.
> > I followed the instructions and I'm quite sure I have it all right (DNS
> > working and all).
> > Question is: how do I verify that my bind is really running chrooted?
> > Will ps -auxw | grep named output ->
> > bind    170  0.0  2.1  3228 2604  ??  Ss   11:52AM   0:00.12 /usr/local/sbin/named -u bind -c /etc/namedb/named.conf -t /etc/chroot
> > be enough?
> > Moti
> > 
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> > 
> > 
> > 
> 
> 
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
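The point Mark makes above is that the `rtd` entry in lsof's FD column is the process's root directory, and that the `txt` entries are the mapped program and libraries, which lsof reports by the path they were opened under. The following is an added example, not code from the thread or from BIND, that parses lsof-style output for a given PID, pulls out the `rtd` entry, and decides whether the process is chrooted and on which filesystem its root lives. The sample lines are constructed from the output quoted in the thread, unwrapped; the non-chrooted counter-example (PID 990) is invented for contrast. The `live_rtd` helper assumes a host where either `/proc/PID/root` exists (Linux) or `lsof -p` is available (BSD).

```shell
#!/bin/sh
# Added example: read a process's root directory (the "rtd" FD) out of
# lsof output and compare it with what "named -t DIR" should have produced.

# Constructed sample: the lsof lines quoted in the thread, joined back onto
# single lines. Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME ...
LSOF_SAMPLE='named     18211     named  cwd   VDIR       0,20        512 1140352 /var (/dev/wd1e)
named     18211     named  rtd   VDIR       0,20        512 1140352 /var (/dev/wd1e)
named     18211     named  txt   VREG       0,19    5892042  719229 /usr (/dev/wd1d)
named     18211     named  txt   VREG       0,19      61440 1374538 /usr/libexec/ld.so
named     18211     named  txt   VREG       0,20       6429 1163022 /var/run/ld.so.hints
named     18211     named  txt   VREG       0,19     594040 1669247 /usr/lib/libc.so.26.2'

# Constructed counter-example (hypothetical PID 990): a named started
# without -t keeps the system root, so its rtd entry is "/".
LSOF_NOCHROOT='named       990     named  rtd   VDIR       0,18        512       2 /'

# rtd_of PID LSOF_OUTPUT: print the NAME column of PID's rtd entry.
rtd_of() {
    printf '%s\n' "$2" | awk -v pid="$1" '$2 == pid && $4 == "rtd" { print $9; exit }'
}

# fd_entries PID FD LSOF_OUTPUT: print the NAME column of every entry whose
# FD column is FD (for example "txt" for the mapped text images).
fd_entries() {
    printf '%s\n' "$3" | awk -v pid="$1" -v fd="$2" '$2 == pid && $4 == fd { print $9 }'
}

# is_chrooted PID LSOF_OUTPUT: succeed when PID's root directory is not "/".
is_chrooted() {
    r=$(rtd_of "$1" "$2")
    [ -n "$r" ] && [ "$r" != "/" ]
}

# root_on_fs PID MOUNTPOINT LSOF_OUTPUT: succeed when the rtd NAME is
# MOUNTPOINT or lies below it. On BSD lsof the NAME may be only the mount
# point (with the device in parentheses) when the full path cannot be
# resolved, which is exactly what the quoted "/var (/dev/wd1e)" line shows.
root_on_fs() {
    case "$(rtd_of "$1" "$3")" in
        "$2"|"$2"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# live_rtd PID: the same check against a running process. Linux exposes the
# root as a symlink under /proc; on the BSDs fall back to lsof -p.
live_rtd() {
    if [ -r "/proc/$1/root" ]; then
        readlink "/proc/$1/root"
    else
        lsof -p "$1" 2>/dev/null | awk '$4 == "rtd" { print $9 }'
    fi
}

# Walk the constructed sample the way you would read a real lsof dump.
printf 'PID 18211 root directory: %s\n' "$(rtd_of 18211 "$LSOF_SAMPLE")"
if is_chrooted 18211 "$LSOF_SAMPLE"; then
    printf 'PID 18211 is chrooted\n'
fi
printf 'mapped text images (opened before chroot, reported by original path):\n'
fd_entries 18211 txt "$LSOF_SAMPLE" | sed 's/^/  /'
```

Usage on a live host is `live_rtd "$(pgrep -x named)"`; a result of `/` means the daemon is not chrooted regardless of what `ps` shows on the command line, while a result such as `/var/named` (or, on BSD lsof, the mount point it sits on) confirms the `-t` directory took effect. The `txt` paths under `/usr` are not evidence against the chroot: they are the binary and shared libraries mapped at exec time, before the process changed its root.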


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200204252149.g3PLnLx78490>