chroot-jail ?? whats this

Lars Hecking lhecking at nmrc.ucc.ie
Mon Feb 28 22:20:57 UTC 2000


Duane Cox writes:
> 
> I am going to execute the named daemon with the -u named -g named flags, but what is this talk about -t /jail?
> What does that do? Why would I want to do that?

 named is run in an environment where /jail becomes the root directory.
 If someone managed to compromise named and gain root access to your files,
 they would only be able to see the files in the chroot jail, which 
 usually are a tiny subset of your overall filesystem, and thus easier
 to control. The only way out of the jail is "up" ( cd .. ), but chrooted
 programs cannot see outside the jail because the parent of / is /.

 A chroot jail needs only provide a minimum subset of files necessary
 to run a certain daemon: shared libs, resolver config files, timezone
 config, a few devices (/dev), daemon config and runtime files. It's a
 good way to keep sensitive files (e.g. /etc/passwd and siblings) out
 of sight.

-- 
Death is God's way of telling you not to be such a wise guy.
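
The reply above says a jail should hold only the minimum set of files the daemon needs and keep /etc/passwd and its siblings out. The script below is an added example, not part of the original post or of BIND: it compares a jail directory with a manifest and reports missing, extra and sensitive files. The manifest format, the sibling list and the sample file names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): compare a chroot jail's contents
# with a manifest of the files the daemon is supposed to need.
# Manifest format is an assumption of this example: one jail-relative path per line.

# "/etc/passwd and siblings"; the exact sibling list is this example's assumption.
SENSITIVE="etc/passwd etc/shadow etc/group etc/gshadow"

# audit_jail JAIL MANIFEST: prints findings, returns 0 if clean, 1 otherwise.
audit_jail() {
    jail=$1; manifest=$2; findings=0
    # 1. Every file the daemon needs must exist inside the jail.
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ ! -e "$jail/$rel" ]; then
            echo "MISSING $rel"; findings=$((findings + 1))
        fi
    done < "$manifest"
    # 2. Anything beyond the manifest widens what a compromised daemon can see.
    present=$(cd "$jail" && find . ! -type d | sed 's|^\./||' | sort)
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if ! grep -qxF -- "$rel" "$manifest"; then
            echo "EXTRA $rel"; findings=$((findings + 1))
        fi
    done <<EOF
$present
EOF
    # 3. Account databases should not be in the jail at all.
    for rel in $SENSITIVE; do
        if [ -e "$jail/$rel" ]; then
            echo "SENSITIVE $rel"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: an empty-file mock of a jail (real device nodes need mknod as root).
demo=$(mktemp -d)
mkdir -p "$demo/jail/etc" "$demo/jail/dev" "$demo/jail/lib"
touch "$demo/jail/etc/named.conf" "$demo/jail/etc/localtime" \
      "$demo/jail/dev/null" "$demo/jail/etc/passwd"
printf '%s\n' etc/named.conf etc/localtime etc/resolv.conf dev/null > "$demo/manifest"
audit_jail "$demo/jail" "$demo/manifest" || echo "jail differs from manifest"
```

Paths containing newlines are not handled, and the manifest has to list the shared libraries as well once the jail holds real files.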


