chroot no named process

Van Bemmel, Berend VanBemmel.Berend at kpmg.nl
Wed Aug 1 11:36:12 UTC 2001


Michael,

If you use chroot to run Bind chroot-ed (instead of the internal mechanism)
you need to set up a proper 'jail' first, because when you do 'chroot
/opt/jail /usr/local/sbin/named -u named' the named process will first be
put into its jail, after which it will try to find the UID for the user
'named' in the password file. If your jail does not have an /etc/passwd file
with the user named in it, this will fail, and I guess the process will bail
out. You also need some libraries set up etc... Running any process in a
chrooted environment requires some work; it's not just Bind.

Anyway, the following URL has been very helpful to me in this regard:

http://www.securityportal.com/cover/coverstory20001002.html

Cheers,

Berend
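The jail skeleton Berend describes (a password file the -u switch can consult after the chroot, plus the binary and its shared libraries), written out as an added example in POSIX sh. This is not code from Berend's reply or from the BIND project; the jail path /opt/jail and the named binary path are the ones used in the thread, while the UID/GID 53, the directory list, the nsswitch.conf line and the awk parsing of ldd output are assumptions of this example and should be adjusted to the host. The check at the end reproduces what `named -u named` does inside the jail: a lookup of the user in the jail's own /etc/passwd, not the host's.

```shell
#!/bin/sh
# Build a minimal chroot jail skeleton for BIND so that
# "chroot JAIL /usr/local/sbin/named -u named" can resolve the 'named'
# user after the chroot has happened. Run as root on the real host.
# Example code; paths and IDs below are assumptions, not project defaults.

JAIL="${JAIL:-/opt/jail}"              # jail path used in the thread
NAMED_USER="${NAMED_USER:-named}"
NAMED_UID="${NAMED_UID:-53}"           # assumed; use the same UID as on the host
NAMED_GID="${NAMED_GID:-53}"           # so file ownership matches inside and out

# Directory layout named needs inside the jail: config and zone files,
# the pid file directory, and the passwd/group files consulted by -u.
make_jail_skeleton() {
    jail="$1"
    for d in etc var/named var/run dev lib usr/lib usr/local/sbin; do
        mkdir -p "$jail/$d"
    done
    # Minimal passwd/group: root plus the unprivileged user named switches
    # to. The shell is /bin/false: nobody can log in with these entries.
    printf 'root:x:0:0:root:/:/bin/false\n%s:x:%s:%s:BIND:/:/bin/false\n' \
        "$NAMED_USER" "$NAMED_UID" "$NAMED_GID" > "$jail/etc/passwd"
    printf 'root::0:\n%s::%s:\n' "$NAMED_USER" "$NAMED_GID" > "$jail/etc/group"
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
    # Solaris resolves getpwnam() through nsswitch; tell the jailed copy to
    # use files only, so no NIS/LDAP lookup is attempted from inside the jail
    # (the files backend library itself is copied by copy_with_libs below
    # only if ldd lists it; check ldd output on the host).
    printf 'passwd: files\ngroup: files\n' > "$jail/etc/nsswitch.conf"
    # Device nodes (/dev/null, /dev/random) must be created with mknod using
    # the host's major/minor numbers; that step is host-specific and omitted.
}

# Copy a binary and every shared library ldd reports for it into the jail,
# preserving the absolute paths the runtime linker will search.
copy_with_libs() {
    jail="$1"; bin="$2"
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    # ldd prints lines like "libc.so.1 =>  /usr/lib/libc.so.1"; keep the
    # path after "=>". Lines without an absolute path (vdso, "not found")
    # are skipped, so check the output by hand for anything missing.
    ldd "$bin" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# The lookup the -u switch performs after chroot: is the user present in
# the jail's own password file? Returns 0 if yes, 1 if not.
jail_has_user() {
    jail="$1"; user="$2"
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit (found ? 0 : 1) }' \
        "$jail/etc/passwd"
}

# The UID named will switch to, as getpwnam() would see it inside the jail.
jail_uid_of() {
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1/etc/passwd"
}

# Usage: JAIL=/opt/jail sh build-jail.sh build
if [ "${1:-}" = "build" ]; then
    make_jail_skeleton "$JAIL"
    copy_with_libs "$JAIL" /usr/local/sbin/named
    jail_has_user "$JAIL" "$NAMED_USER" || {
        echo "user $NAMED_USER missing from $JAIL/etc/passwd; -u would fail" >&2
        exit 1
    }
    echo "jail ready: chroot $JAIL /usr/local/sbin/named -u $NAMED_USER -c /var/named/named.conf"
fi
```

Run it once as root with `build`, then start named exactly as in the thread; if `jail_has_user` fails, that is the same lookup that makes `named -u named` disappear silently after the chroot.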

> -----Original Message-----
> From: Michael Kjorling [mailto:michael at kjorling.com]
> Sent: Wednesday, August 01, 2001 1:50 AM
> To: BIND-Users
> Subject: Re: chroot no named process
> 
> 
> 
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> What happens if you try to use BIND's internal chroot mechanism like
> so?
> 
> 	/usr/local/sbin/named -u named -t /opt/jail -c /var/named/named/named.conf
> 
> 
> Michael Kjörling
> 
> 
> On Jul 31 2001 16:17 -0700, morgan lynder wrote:
> 
> > Hello,
> > I have just installed BIND 9.1.3 on solaris 7. It
> > worked great. Next I decided to do a chroot
> > installation. I am starting named as follows:
> >
> > /usr/sbin/chroot /opt/jail usr/local/sbin/named -c var/named/named/named.conf
> >
> > Now this will work and the daemon will fire up just
> > fine and I can see it running as root in a ps listing.
> > Now if I add the -u switch as follows:
> >
> > /usr/sbin/chroot /opt/jail usr/local/sbin/named -c var/named/named/named.conf -u named
> >
> > The ps listing will not show this process,
> > /var/adm/messages shows no exiting and ps will write
> > to its pid file /var/run/pid too. Yet the process does
> > not appear to be running anywhere. Does anyone have any
> > ideas ?
> >
> > Thanks
> > Klaus
> 
> - -- 
> Michael Kjörling - michael at kjorling.com - PGP: 8A70E33E
> Manager Wolf.COM -- Programmer -- Network Administrator
> "We must be the change we wish to see" (Mahatma Gandhi)
> 
> ^..^     Support the wolves in Norway -- go to     ^..^
>  \/   http://home.no.net/ulvelist/protest_int.htm   \/
> 
> ***** Please only send me emails which concern me *****
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE7Z0RJKqN7/Ypw4z4RAouXAKCAU90vbmnwR2bo6AxUcs7mGfLyBgCeMvod
> TGEu9Cm/KYYt4uNisXUpOF0=
> =PbsT
> -----END PGP SIGNATURE-----


**********************************************************************
Any information transmitted by means of this email (and any
of its attachments) is intended exclusively for the addressee
or addressees and for those authorized by the addressee
or addressees to read this message. Any use by a party
other than the addressee or addressees is prohibited.
The information contained in this email (or any of its
attachments) may be confidential in nature and fall under a
pledge of secrecy and the attorney-client privilege.
**********************************************************************