Date: 25 Apr 2002 14:09:06 -0400 From: SecLists <lists@secure.stargate.net> To: Mike Roest <bsd-lists@blahz.ab.ca> Cc: 'Moti' <moti@flncs.com>, freebsd-security@freebsd.org Subject: RE: bind9 in a chroot ? Message-ID: <1019758146.9372.23.camel@interrogation.ws.pitdc1.stargate.net> In-Reply-To: <000401c1ec80$ac5c8c80$465d4018@zeus> References: <000401c1ec80$ac5c8c80$465d4018@zeus>
next in thread | previous in thread | raw e-mail | index | archive | help
You can use lsof to view all open files used by named... if you do that you will see that it is not actually chrooted at all... using the same option with bind9 built from source on OpenBSD, and chrooted into /var/named by the -t option: (root@doberman) ~ # lsof | grep named named 18211 named cwd VDIR 0,20 512 1140352 /var (/dev/wd1e) named 18211 named rtd VDIR 0,20 512 1140352 /var (/dev/wd1e) named 18211 named txt VREG 0,19 5892042 719229 /usr (/dev/wd1d) named 18211 named txt VREG 0,19 61440 1374538 /usr/libexec/ld.so named 18211 named txt VREG 0,20 6429 1163022 /var/run/ld.so.hints named 18211 named txt VREG 0,19 594040 1669247 /usr/lib/libc.so.26.2 You can see that the process is actually accessing files in /usr and /var that are outside of the chroot jail... To do it better than this: http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO-1.html thanks, shawn On Thu, 2002-04-25 at 13:43, Mike Roest wrote: > Yep it is running in the chroot. The -t /etc/chroot shows that. I > think that's the only real way to tell > > --Mike > > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Moti > Sent: Thursday, April 25, 2002 9:55 AM > To: freebsd-security@freebsd.org > Subject: bind9 in a chroot ? > > > o.k > i followed the instructions and i'm quite sure i have it all right ( dns > working and all ) > question is : how do i verify that my bind is really running chrooted ? > will ps -auxw |grep named output -> bind 170 0.0 2.1 3228 2604 ?? > Ss > 11:52AM 0:00.12 /usr/local/sbin/named -u bind -c > /etc/namedb/named.conf -t > /etc/chroot > be enough ? > Moti > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1019758146.9372.23.camel>