chroot-jail ?? whats this

Lawrence Chan webmaster at montevino.com
Tue Feb 29 04:39:00 UTC 2000


Hello,

When setting up jails with chroot, how many of the shared files can be linked, or would all needed files have to be
duplicated below the jail root so as not to defeat the security provided by chroot?

Lawrence Chan
lchan at montevino.com

Lars Hecking wrote:

> Duane Cox writes:
> >
> > I am going to execute the named daemon with the -u named -g named flags, but what is this talk about -t /jail?
> > What does that do? Why would I want to do that?
>
>  named is run in an environment where /jail becomes the root directory.
>  If someone managed to compromise named and gain root access to your files,
>  they would only be able to see the files in the chroot jail, which
>  usually are a tiny subset of your overall filesystem, and thus easier
>  to control. The only way out of the jail is "up" ( cd .. ), but chrooted
>  programs cannot see outside the jail because the parent of / is /.
>
>  A chroot jail needs only provide a minimum subset of files necessary
>  to run a certain daemon: shared libs, resolver config files, timezone
>  config, a few devices (/dev), daemon config and runtime files. It's a
>  good way to keep sensitive files (e.g. /etc/passwd and siblings) out
>  of sight.
>
> --
> Death is God's way of telling you not to be such a wise guy.
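The two points raised above, that a chrooted process cannot get "up" because the parent of / is /, and the question of whether files can be linked into the jail rather than copied, can both be checked mechanically. The script below is an added example, not code from the thread or from BIND; it emulates the kernel's path resolution for a chrooted process lexically (no real chroot(2) call, so it runs unprivileged) and audits a jail directory for the two things that quietly defeat it: a hard link whose other name lives outside the jail (same inode, so a compromised daemon writing to it modifies the outside file), and an absolute symlink that points at a host path, which inside the jail dangles or resolves to a different file than the administrator expected. The sample jail layout (`named.conf`, a fake `libc.so`, `etc/localtime`, `secret.key`) is constructed test data, not a real named jail.

```python
import os
import stat
import tempfile
from collections import defaultdict


def chroot_resolve(jail_root, path, max_links=40):
    """Return the host path a process chrooted to jail_root reaches for `path`.

    Resolved one component at a time, as the kernel does for a chrooted process:
    '..' at the jail root stays at the root (the parent of / is /), and an
    absolute symlink target is re-rooted at the jail, never at the host.
    """
    jail_root = os.path.realpath(jail_root)
    todo = [c for c in path.split("/") if c and c != "."]
    cur = []            # components already resolved, relative to the jail root
    links = 0
    while todo:
        comp = todo.pop(0)
        if comp == "..":
            if cur:
                cur.pop()
            continue    # '..' at the jail root is a no-op: there is no way "up"
        candidate = os.path.join(jail_root, *cur, comp)
        try:
            st = os.lstat(candidate)
        except FileNotFoundError:
            cur.append(comp)        # dangling from here on; keep going lexically
            continue
        if stat.S_ISLNK(st.st_mode):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links: %s" % path)
            target = os.readlink(candidate)
            if target.startswith("/"):
                cur = []            # absolute target: re-rooted at the jail
            todo = [c for c in target.split("/") if c and c != "."] + todo
            continue
        cur.append(comp)
    return os.path.join(jail_root, *cur)


def audit_jail(jail_root, sensitive=("etc/passwd", "etc/shadow", "etc/group")):
    """Report what weakens a jail: hard links shared with files outside it,
    absolute symlinks that do not resolve inside it, and sensitive files copied in.
    Returns a list of (kind, path-inside-jail, detail) tuples."""
    jail_root = os.path.realpath(jail_root)
    findings = []
    inodes = defaultdict(list)      # (dev, ino) -> names inside the jail sharing it
    for dirpath, dirnames, filenames in os.walk(jail_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, jail_root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                target = os.readlink(full)
                if target.startswith("/") and not os.path.lexists(
                        chroot_resolve(jail_root, "/" + rel)):
                    findings.append(("dangling-absolute-symlink", rel, target))
            elif stat.S_ISREG(st.st_mode):
                inodes[(st.st_dev, st.st_ino)].append((rel, st))
            if rel in sensitive:
                findings.append(("sensitive-file-present", rel, ""))
    for names in inodes.values():
        rel, st = names[0]
        if st.st_nlink > len(names):    # more links exist than we saw inside the jail
            findings.append(("hard-link-outside-jail", rel,
                             "mode %o, %d links" % (stat.S_IMODE(st.st_mode), st.st_nlink)))
    return findings


def build_demo_jail(base):
    """Constructed sample jail (test data, not a real named jail)."""
    jail = os.path.join(base, "jail")
    os.makedirs(os.path.join(jail, "etc"))
    os.makedirs(os.path.join(jail, "usr", "lib"))
    for rel, text in (("etc/named.conf", 'options { directory "/var/named"; };\n'),
                      ("usr/lib/libc.so", "fake shared object\n"),
                      ("etc/passwd", "root:x:0:0::/:/bin/sh\n")):
        with open(os.path.join(jail, rel), "w") as f:
            f.write(text)
    os.symlink("../usr/lib", os.path.join(jail, "lib"))                  # relative: fine
    os.symlink("/usr/share/zoneinfo/UTC", os.path.join(jail, "etc", "localtime"))  # dangles
    outside = os.path.join(base, "secret.key")                            # lives outside
    with open(outside, "w") as f:
        f.write("outside the jail\n")
    os.link(outside, os.path.join(jail, "etc", "shared.key"))             # shared inode
    return jail


def run_demo():
    base = tempfile.mkdtemp(prefix="chroot-demo-")
    jail = os.path.realpath(build_demo_jail(base))
    probes = ("/../../etc/named.conf", "/lib/libc.so", "/etc/localtime")
    resolved = {p: chroot_resolve(jail, p) for p in probes}
    return jail, resolved, audit_jail(jail)


if __name__ == "__main__":
    jail, resolved, findings = run_demo()
    for p, host in resolved.items():
        print("%-24s -> %s" % (p, host))
    for kind, rel, detail in findings:
        print("%-28s %s %s" % (kind, rel, detail))
```

The resolver shows that `/../../etc/named.conf` stays inside the jail and that `/etc/localtime` resolves to `<jail>/usr/share/zoneinfo/UTC` rather than the host's zoneinfo, so the file has to be copied (or the symlink target populated) below the jail root. The audit flags `etc/shared.key` because its inode has more links than the jail contains, which is the case where "linking" a shared file really does defeat the jail: a copy, or a read-only bind mount on systems that have them, keeps the jail's contents separate from the host's.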

More information about the bind-users mailing list