chroot-jail ?? whats this
Lars Hecking
lhecking at nmrc.ucc.ie
Mon Feb 28 22:20:57 UTC 2000
Duane Cox writes:
>
> I am going to execute the named daemon with the -u named -g named flags, but what is this talk about -t /jail
> What does that do? Why would I want to do that?
named is run in an environment where /jail becomes the root directory.
If someone managed to compromise named and gain root access to your files,
they would only be able to see the files in the chroot jail, which
usually are a tiny subset of your overall filesystem, and thus easier
to control. The only way out of the jail is "up" (cd ..), but chrooted
programs cannot see outside the jail because the parent of / is /.
A chroot jail need only provide a minimum subset of files necessary
to run a certain daemon: shared libs, resolver config files, timezone
config, a few devices (/dev), daemon config and runtime files. It's a
good way to keep sensitive files (e.g. /etc/passwd and siblings) out
of sight.
--
Death is God's way of telling you not to be such a wise guy.
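As an added example (not from the original post and not BIND's own tooling), a POSIX shell script that stages the kind of minimal jail the reply describes: the daemon binary, the shared libraries it links against, resolver and timezone config, and a couple of device nodes. The jail layout, the ldd-based library discovery and the Linux device major/minor numbers are assumptions.

```shell
#!/bin/sh
# Stage a minimal chroot jail for a daemon. Layout and device numbers are
# assumptions (Linux), not a documented BIND requirement.
set -u

# copy_into JAIL PATH: copy a file into the jail at the same path, creating
# the parent directory as needed. Missing sources are skipped silently.
copy_into() {
    jail=$1; src=$2
    [ -e "$src" ] || return 0
    mkdir -p "$jail$(dirname "$src")"
    cp "$src" "$jail$src"
}

# copy_libs JAIL BINARY: copy every shared object that ldd reports for
# BINARY. Statically linked binaries (or hosts without ldd) copy nothing.
copy_libs() {
    jail=$1; bin=$2
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$bin" 2>/dev/null | awk '$2=="=>" {print $3} $1 ~ /^\// {print $1}' |
    while read -r lib; do
        [ -n "$lib" ] && copy_into "$jail" "$lib"
    done
    return 0
}

# stage_jail JAIL BINARY [EXTRA_FILE...]: build the skeleton, then copy the
# daemon binary, its libraries, host config and any daemon-specific files
# (for named that would be its named.conf and zone files, passed as EXTRA).
stage_jail() {
    jail=$1; bin=$2; shift 2
    mkdir -p "$jail/etc" "$jail/dev" "$jail/var/run" "$jail/tmp"
    copy_into "$jail" "$bin"
    copy_libs "$jail" "$bin"
    for f in /etc/resolv.conf /etc/localtime "$@"; do
        copy_into "$jail" "$f"
    done
    # Device nodes need root; skip them otherwise so the rest still stages.
    if [ "$(id -u)" -eq 0 ]; then
        [ -e "$jail/dev/null" ]   || mknod -m 666 "$jail/dev/null" c 1 3 || true
        [ -e "$jail/dev/random" ] || mknod -m 444 "$jail/dev/random" c 1 8 || true
    fi
    chmod 1777 "$jail/tmp"
}
```

Run it as `stage_jail /jail /usr/sbin/named /etc/named.conf`, then inspect the result: anything not listed in the jail is what a compromised daemon can no longer reach.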