Setting up chroot on Solaris 9 with BIND 9 -t switch

Sten Carlsen stenc at s-carlsen.dk
Thu Jan 6 16:08:05 UTC 2005


This is basically correct.
You could do an experiment:

do a chroot with a shell as the executed program and see what you can 
and cannot do from this shell

Also man chroot

CERNINO CERNINO wrote:

> i understand now,
> i had an error in concept,
> i jailed the process named,
> & i thought consequently jailed a user in a jail for this.
> when i did a jail, the process ran in my new root, oh yeah,
>
> But i have a question, what gain with jailing the process?
> & if you know then how can i jail a user to only see a carpet as his 
> root, to then put the process & its dependencies into, as a new politic 
> of security for the user.
> can i do a user that can't get out of a carpet in other words, jailed 
> in a carpet as his home directory?
>
> Oh, friends thx for all ur help!
>
> César...
>
>
>> From: Sten Carlsen <ccc2716 at vip.cybercity.dk>
>> To: CERNINO CERNINO <kaiser_cernino at hotmail.com>
>> CC: comp-protocols-dns-bind at isc.org
>> Subject: Re: Setting up chroot on Solaris 9 with BIND 9 -t switch
>> Date: Thu, 06 Jan 2005 02:38:17 +0100
>>
>> As described in an earlier post, you can't. What I propose is a 
>> method to check that bind really does go to the jail and use the data 
>> there and does not stay in the main file system.
>>
>> I am not aware of other options.
>>
>> CERNINO CERNINO wrote:
>>
>>>
>>> okay,
>>> but how can i test the jail?
>>> when i start named i would like to be able to access the jail with the user.
>>>
>>> Atte.
>>> César...
>>>
>>>> From: Sten Carlsen <ccc2716 at vip.cybercity.dk>
>>>> To: Bill Larson <bind9 at comcast.net>
>>>> CC: "kaiser_cernino at hotmail.com" <kaiser_cernino at hotmail.com>,  
>>>> comp-protocols-dns-bind at isc.org
>>>> Subject: Re: Setting up chroot on Solaris 9 with BIND 9 -t switch
>>>> Date: Thu, 06 Jan 2005 01:26:30 +0100
>>>>
>>>> You could have two different sets of information in the configs in 
>>>> the jail and outside. You could then query for this special info to 
>>>> see which set of the two it uses. As I understand it, it must use 
>>>> the one in the jail if it works.
>>>>
>>>> Bill Larson wrote:
>>>>
>>>>> On Jan 5, 2005, at 11:20 AM, kaiser_cernino at hotmail.com wrote:
>>>>>
>>>>>
>>>>>> I was doing a jail for my dns server (named), but have 1 big 
>>>>>> problem,
>>>>>> my jail doesn't function.
>>>>>> I read a lot of papers about this, but whenever i access the jail with my
>>>>>> named user, this user can see the whole system, in other
>>>>>> words doesn't see the jail.
>>>>>>
>>>>>> PLZZZZZZZZZZZ!
>>>>>> i need a procedure of how i can do a jail using solaris 9, and 
>>>>>> how to
>>>>>> test this jail does its job.
>>>>>>
>>>>>> The service without jail is perfect.
>>>>>> I am using:
>>>>>> SOLARIS 9
>>>>>> BIND 9.3 downloaded from www.blastwave.org
>>>>>>
>>>>>> To consider:
>>>>>> To test the jail, i set a bash shell to the user assigned to named 
>>>>>> jail.
>>>>>>
>>>>>>
>>>>>
>>>>> Take a look at the "Secure BIND Template" at 
>>>>> http://www.cymru.com/Documents/secure-bind-template.html.  There 
>>>>> is a section about configuring a chroot environment for Solaris.
>>>>>
>>>>> Please note that the only way to test a chroot environment for 
>>>>> BIND is to break out of the BIND application itself over port 53.  
>>>>> There is no way to "log into the system as the chroot user" 
>>>>> through the named process.  Basically, you will have to trust that 
>>>>> the chroot environment functions properly.  It will if you have 
>>>>> set up the chroot directory structure and are running "named" with 
>>>>> the "-t" option.
>>>>>
>>>>> Bill Larson
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> -- 
>>>> Best regards
>>>>
>>>> Sten Carlsen
>>>>
>>>> Let HIM who has an empty INBOX send the first mail.
>>>>
>>>
>>>
>>>
>>>
>>
>> -- 
>> Best regards
>>
>> Sten Carlsen
>>
>> Let HIM who has an empty INBOX send the first mail.
>>
>>
>
>
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 
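The two things the thread proposes, checking that the jail tree actually contains what "named -t" will need and Sten's trick of putting different data inside and outside the jail and querying for it, can be scripted. The script below is an added example and is not code from this thread or from ISC. It assumes the usual chroot layout under the jail root (etc/named.conf, var/named, var/run, dev/null, dev/random); the zone name jailtest.example, the record name "whereami" and the paths in the usage comment are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND itself). Assumed layout:
# $JAIL/etc/named.conf, $JAIL/var/named, $JAIL/var/run, $JAIL/dev/null,
# $JAIL/dev/random. Zone name and record name below are invented.

# jail_check JAIL: verify the paths "named -t JAIL" will need exist inside
# the jail and that named.conf is not world-writable. Returns 0 when every
# check passes, 1 otherwise; each problem is reported on stderr.
jail_check() {
    jail=$1
    rc=0
    for p in etc/named.conf var/named var/run dev/null dev/random; do
        if [ ! -e "$jail/$p" ]; then
            echo "missing: $jail/$p" >&2
            rc=1
        fi
    done
    # a process that can rewrite its own named.conf defeats the point of the jail
    if [ -e "$jail/etc/named.conf" ] && [ -n "$(find "$jail/etc/named.conf" -perm -002)" ]; then
        echo "world-writable: $jail/etc/named.conf" >&2
        rc=1
    fi
    return $rc
}

# write_marker_zone FILE ORIGIN TEXT: write a minimal zone whose only
# distinguishing data is the TXT record at whereami.ORIGIN. Write one copy
# inside the jail and one outside with different TEXT values.
write_marker_zone() {
    file=$1; origin=$2; text=$3
    cat > "$file" <<EOF
\$TTL 3600
@        IN SOA ns1.$origin. hostmaster.$origin. ( 1 3600 900 604800 300 )
         IN NS  ns1.$origin.
ns1      IN A   127.0.0.1
whereami IN TXT "$text"
EOF
}

# marker_value FILE: print the TXT string stored by write_marker_zone.
marker_value() {
    sed -n 's/^whereami[[:space:]]*IN[[:space:]]*TXT[[:space:]]*"\(.*\)"$/\1/p' "$1"
}

# markers_differ INSIDE OUTSIDE: the experiment only proves something if the
# two copies carry different text. Returns 0 when they differ.
markers_differ() {
    [ "$(marker_value "$1")" != "$(marker_value "$2")" ]
}

# Typical use as root on the Solaris host (paths are assumptions):
#   jail_check /var/named-chroot
#   write_marker_zone /var/named-chroot/var/named/jailtest.zone jailtest.example in-jail
#   write_marker_zone /var/named/jailtest.zone jailtest.example outside
#   markers_differ /var/named-chroot/var/named/jailtest.zone /var/named/jailtest.zone
#   named -t /var/named-chroot -u named
#   dig @127.0.0.1 whereami.jailtest.example TXT +short   # "in-jail" means the jailed copy is served
if [ $# -gt 0 ]; then
    jail_check "$1"
fi
```

If the query returns the "outside" text, named is reading the real file system rather than the jail, which is exactly the failure Sten's experiment is meant to expose; the shell experiment he suggests (chroot into the jail with a shell and try to read /etc/passwd of the host) complements it by showing what a process confined there can and cannot reach.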


