Setting up chroot on Solaris 9 with BIND 9 -t switch
CERNINO CERNINO
kaiser_cernino at hotmail.com
Thu Jan 6 04:02:20 UTC 2005
I understand now.
I had an error in concept:
I jailed the named process,
and I thought I had consequently jailed a user in a jail for this.
When I did the jail, the process ran in my new root, oh yeah.
But I have a question: what do I gain by jailing the process?
And if you know, how can I jail a user to only see a folder as his root,
to then put the process and its dependencies into it, as a new security policy
for the user?
Can I make a user that can't get out of a folder, in other words, jailed in a
folder as his home directory?
Oh, friends, thanks for all your help!
César...
>From: Sten Carlsen <ccc2716 at vip.cybercity.dk>
>To: CERNINO CERNINO <kaiser_cernino at hotmail.com>
>CC: comp-protocols-dns-bind at isc.org
>Subject: Re: Setting up chroot on Solaris 9 with BIND 9 -t switch
>Date: Thu, 06 Jan 2005 02:38:17 +0100
>
>As described in an earlier post, you can't. What I propose is a method to
>check that bind really does go to the jail and use the data there and does
>not stay in the main file system.
>
>I am not aware of other options.
>
>CERNINO CERNINO wrote:
>
>>
>>Okay,
>>but how can I test the jail?
>>When I start named, I would be able to access the jail with the user.
>>
>>Sincerely,
>>César...
>>
>>>From: Sten Carlsen <ccc2716 at vip.cybercity.dk>
>>>To: Bill Larson <bind9 at comcast.net>
>>>CC: "kaiser_cernino at hotmail.com" <kaiser_cernino at hotmail.com>,
>>>comp-protocols-dns-bind at isc.org
>>>Subject: Re: Setting up chroot on Solaris 9 with BIND 9 -t switch
>>>Date: Thu, 06 Jan 2005 01:26:30 +0100
>>>
>>>You could have two different sets of information in the configs in the
>>>jail and outside. You could then query for this special info to see which
>>>set of the two it uses. As I understand it, it must use the one in the
>>>jail if it works.
>>>
>>>Bill Larson wrote:
>>>
>>>>On Jan 5, 2005, at 11:20 AM, kaiser_cernino at hotmail.com wrote:
>>>>
>>>>
>>>>>I was making a jail for my DNS server (named), but have 1 big problem:
>>>>>my jail doesn't function.
>>>>>I read a lot of papers about this, but whenever I access the jail with
>>>>>my named user, this user can see the wider system, in other
>>>>>words doesn't see the jail.
>>>>>
>>>>>PLZZZZZZZZZZZ!
>>>>>I need a procedure for how I can make a jail using Solaris 9, and how I
>>>>>can test that this jail does its job.
>>>>>
>>>>>The service without the jail is perfect.
>>>>>I am using:
>>>>>SOLARIS 9
>>>>>BIND 9.3 downloaded from www.blastwave.org
>>>>>
>>>>>To consider:
>>>>>To test the jail, I set a bash shell for the user assigned to the named jail.
>>>>>
>>>>>
>>>>
>>>>Take a look at the "Secure BIND Template" at
>>>>http://www.cymru.com/Documents/secure-bind-template.html. There is a
>>>>section about configuring a chroot environment for Solaris.
>>>>
>>>>Please note that the only way to test a chroot environment for BIND is
>>>>to break out of the BIND application itself over port 53. There is no
>>>>way to "log into the system as the chroot user" through the named
>>>>process. Basically, you will have to trust that the chroot environment
>>>>functions properly. It will if you have set up the chroot directory
>>>>structure and are running "named" with the "-t" option.
>>>>
>>>>Bill Larson
>>>>
>>>>
>>>>
>>>>
>>>
>>>--
>>>Best regards
>>>
>>>Sten Carlsen
>>>
>>>Let HIM who has an empty INBOX send the first mail.
>>>
>>><< smime.p7s >>
>>
>>
>>
>
>--
>Best regards
>
>Sten Carlsen
>
>Let HIM who has an empty INBOX send the first mail.
>
>
><< smime.p7s >>
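
The two-data-set check that Sten Carlsen describes above, sketched as an added shell example (it is not from the thread or from the BIND distribution). The zone name canary.test, the marker strings and the function names are constructed for illustration; it assumes the named.conf inside the jail and the one outside both declare that zone with the same file path, and that dig is installed.

```shell
#!/bin/sh
# Canary check for "named -t <jail-dir>": the same zone is planted under the
# real root and under the jail, differing only in one TXT record.
# All names and marker values here are constructed for illustration.
CANARY_ZONE="canary.test"
JAIL_MARKER="loaded-from-jail"
HOST_MARKER="loaded-from-host"

# Write a minimal zone file whose only distinguishing data is a TXT marker.
write_canary_zone() {   # $1 = output file, $2 = marker text
    cat > "$1" <<EOF
\$TTL 60
@     IN SOA ns.$CANARY_ZONE. hostmaster.$CANARY_ZONE. ( 1 3600 600 86400 60 )
      IN NS  ns.$CANARY_ZONE.
ns    IN A   127.0.0.1
where IN TXT "$2"
EOF
}

# Plant both copies at the same path relative to each root, so the path that
# named.conf names resolves to different data depending on the process root.
plant_canaries() {      # $1 = real root prefix, $2 = jail dir, $3 = zone file path
    mkdir -p "$(dirname "$1$3")" "$(dirname "$2$3")"
    write_canary_zone "$1$3" "$HOST_MARKER"
    write_canary_zone "$2$3" "$JAIL_MARKER"
}

# Decide which copy a TXT answer came from.
classify_answer() {     # $1 = output of "dig +short"
    case "$1" in
        *"$JAIL_MARKER"*) echo "jail" ;;
        *"$HOST_MARKER"*) echo "host" ;;
        *)                echo "unknown" ;;
    esac
}

# Live check against a running server; succeeds only for the jail's data.
check_jail() {          # $1 = server address
    ans=$(dig @"$1" "where.$CANARY_ZONE" TXT +short 2>/dev/null)
    verdict=$(classify_answer "$ans")
    echo "named answered from: $verdict"
    [ "$verdict" = "jail" ]
}
```

After planting the two copies and restarting named with "-t", `check_jail 127.0.0.1` reports which copy was loaded. A "host" or "unknown" verdict means named did not read the jail's copy of the zone.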