Setting up chroot on Solaris 9 with BIND 9 -t switch

Sten Carlsen ccc2716 at vip.cybercity.dk
Thu Jan 6 01:38:17 UTC 2005


As described in an earlier post, you can't. What I propose is a method
to check that BIND really does go to the jail and use the data there and
does not stay in the main file system.
I am not aware of other options.

CERNINO CERNINO wrote:

>
> Okay,
> but how can I test the jail?
> When I start named, I would be able to access the jail with the user.
>
> Atte.
> César...
>
>> From: Sten Carlsen <ccc2716 at vip.cybercity.dk>
>> To: Bill Larson <bind9 at comcast.net>
>> CC: "kaiser_cernino at hotmail.com" <kaiser_cernino at hotmail.com>,  
>> comp-protocols-dns-bind at isc.org
>> Subject: Re: Setting up chroot on Solaris 9 with BIND 9 -t switch
>> Date: Thu, 06 Jan 2005 01:26:30 +0100
>>
>> You could have two different sets of information in the configs in
>> the jail and outside. You could then query for this special info to
>> see which set of the two it uses. As I understand it, it must use
>> the one in the jail if it works.
>>
>> Bill Larson wrote:
>>
>>> On Jan 5, 2005, at 11:20 AM, kaiser_cernino at hotmail.com wrote:
>>>
>>>
>>>> I was doing a jail for my DNS server (named), but I have 1 big problem:
>>>> my jail doesn't function.
>>>> I read a lot of papers about this, but whenever I access the jail with my
>>>> named user, this user can see the whole system; in other
>>>> words, it doesn't see the jail.
>>>>
>>>> PLZZZZZZZZZZZ!
>>>> I need a procedure for how I can make a jail using Solaris 9, and how I can
>>>> test that this jail does its job.
>>>>
>>>> The service without jail is perfect.
>>>> I am using:
>>>> SOLARIS 9
>>>> BIND 9.3 downloaded from www.blastwave.org
>>>>
>>>> To consider:
>>>> To test the jail, I set a bash shell for the user assigned to the named
>>>> jail.
>>>>
>>>>
>>>
>>> Take a look at the "Secure BIND Template" at 
>>> http://www.cymru.com/Documents/secure-bind-template.html.  There is 
>>> a section about configuring a chroot environment for Solaris.
>>>
>>> Please note that the only way to test a chroot environment for BIND 
>>> is to break out of the BIND application itself over port 53.  There 
>>> is no way to "log into the system as the chroot user" through the 
>>> named process.  Basically, you will have to trust that the chroot 
>>> environment functions properly.  It will if you have set up the 
>>> chroot directory structure and are running "named" with the "-t" 
>>> option.
>>>
>>> Bill Larson
>>>
>>>
>>>
>>>
>>
>> -- 
>> Best regards
>>
>> Sten Carlsen
>>
>> Let HIM who has an empty INBOX send the first mail.
>>
>
>
>

-- 
Best regards

Sten Carlsen

Let HIM who has an empty INBOX send the first mail.
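
The check proposed in this thread (different data inside and outside the jail, then a query to see which copy is served), sketched as an added example that is not part of the original posts. The zone name, marker strings, the `/etc/named.conf` and `/var/named` layout, and the availability of `dig` on the host are assumptions.

```shell
#!/bin/sh
# Added example: canary zone to see which tree named is reading from.
# ZONE, the marker strings and the directory layout are assumptions.
ZONE="chroot-canary.test"

# write_canary ROOT MARKER
# Put a small zone file and a matching named.conf stanza under ROOT.
# The stanza uses an absolute path, so a named started with -t resolves
# it inside the jail and an unjailed named resolves it on the host.
write_canary() {
    root=$1
    marker=$2
    mkdir -p "$root/var/named" "$root/etc" || return 1
    cat > "$root/var/named/$ZONE.db" <<EOF
\$TTL 60
@     IN SOA localhost. root.localhost. ( 1 3600 600 86400 60 )
      IN NS  localhost.
where IN TXT "$marker"
EOF
    cat >> "$root/etc/named.conf" <<EOF
zone "$ZONE" { type master; file "/var/named/$ZONE.db"; };
EOF
}

# plant JAIL [HOSTROOT]
# Write both copies: one tagged for the jail, one for the main file system.
# HOSTROOT defaults to "" (the real root); pass a scratch directory to rehearse.
plant() {
    write_canary "${2:-}" "served-from-outside" &&
    write_canary "$1" "served-from-jail"
}

# classify ANSWER
# Map the TXT answer to the tree it came from.
classify() {
    case $1 in
        *served-from-jail*)    echo jail ;;
        *served-from-outside*) echo outside ;;
        *)                     echo unknown ;;
    esac
}

# check_named [SERVER]
# Ask the running named for the canary record and report which copy it loaded.
check_named() {
    answer=$(dig +short @"${1:-127.0.0.1}" "where.$ZONE" TXT 2>/dev/null)
    classify "$answer"
}
```

After `plant /path/to/jail`, restart named with `-t /path/to/jail` and run `check_named`: `outside` means the process is still reading the main file system, and `unknown` means the canary zone did not load or the server did not answer.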


