Setting up chroot on Solaris 9 with BIND 9 -t switch
Sten Carlsen
ccc2716 at vip.cybercity.dk
Thu Jan 6 01:38:17 UTC 2005
As described in an earlier post, you can't. What I propose is a method
to check that bind really does go to the jail and use the data there and
does not stay in the main file system.
I am not aware of other options.
CERNINO CERNINO wrote:
>
> Okay,
> but how can I test the jail?
> When I start the named I would can access with the user to the jail.
>
> Atte.
> César...
>
>> From: Sten Carlsen <ccc2716 at vip.cybercity.dk>
>> To: Bill Larson <bind9 at comcast.net>
>> CC: "kaiser_cernino at hotmail.com" <kaiser_cernino at hotmail.com>,
>> comp-protocols-dns-bind at isc.org
>> Subject: Re: Setting up chroot on Solaris 9 with BIND 9 -t switch
>> Date: Thu, 06 Jan 2005 01:26:30 +0100
>>
>> You could have two different sets of information in the configs in
>> the jail and outside. You could then query for this special info to
>> see which set of the two it uses. As I understand it, it must use
>> the one in the jail if it works.
>>
>> Bill Larson wrote:
>>
>>> On Jan 5, 2005, at 11:20 AM, kaiser_cernino at hotmail.com wrote:
>>>
>>>
>>>> I was doing a jail for my DNS server (named), but have 1 big problem,
>>>> my jail doesn't function.
>>>> I read a lot of papers about this, but whenever I can access with my
>>>> named user to the jail, this user can see the wide system, in other
>>>> words doesn't see the jail.
>>>>
>>>> PLZZZZZZZZZZZ!
>>>> I need a procedure for how I can do a jail using Solaris 9, and how I can
>>>> test that this jail does its job.
>>>>
>>>> The service without jail is perfect.
>>>> I am using:
>>>> SOLARIS 9
>>>> BIND 9.3 downloaded from www.blastwave.org
>>>>
>>>> To consider:
>>>> To test the jail, I set a bash shell to the user assigned to named
>>>> jail.
>>>>
>>>>
>>>
>>> Take a look at the "Secure BIND Template" at
>>> http://www.cymru.com/Documents/secure-bind-template.html. There is
>>> a section about configuring a chroot environment for Solaris.
>>>
>>> Please note that the only way to test a chroot environment for BIND
>>> is to break out of the BIND application itself over port 53. There
>>> is no way to "log into the system as the chroot user" through the
>>> named process. Basically, you will have to trust that the chroot
>>> environment functions properly. It will if you have set up the
>>> chroot directory structure and are running "named" with the "-t"
>>> option.
>>>
>>> Bill Larson
>>>
>>>
>>>
>>>
>>
>> --
>> Best regards
>>
>> Sten Carlsen
>>
>> Let HIM who has an empty INBOX send the first mail.
>>
>
>
>
--
Best regards
Sten Carlsen
Let HIM who has an empty INBOX send the first mail.
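
The check proposed in this message (different data in the configs inside and outside the jail, then a query to see which set named serves), as an added shell example that is not part of the original thread. The record name, the two TXT values and the idea of carrying them in the zone file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: canary-record check for a named started with -t <jail>.
# Assumed setup (constructed, not from the thread):
#   zone file copy under the chroot directory : canary TXT "inside-jail"
#   zone file copy at the same path outside   : canary TXT "outside-jail"
CANARY_NAME="chroot-canary.example.com"   # hypothetical record name
INSIDE="inside-jail"                      # value present only in the jail copy
OUTSIDE="outside-jail"                    # value present only in the outside copy

# Map the output of `dig +short ... TXT` (read from stdin) to a verdict.
canary_verdict() {
    seen_in=0; seen_out=0
    while IFS= read -r line; do
        # dig prints TXT data wrapped in double quotes; strip them.
        value=$(printf '%s\n' "$line" | tr -d '"')
        case "$value" in
            "$INSIDE")  seen_in=1 ;;
            "$OUTSIDE") seen_out=1 ;;
        esac
    done
    if [ "$seen_in" -eq 1 ] && [ "$seen_out" -eq 1 ]; then
        echo "ambiguous"   # both values served: the two copies are not distinct
    elif [ "$seen_in" -eq 1 ]; then
        echo "jail"        # named loaded the data under the chroot directory
    elif [ "$seen_out" -eq 1 ]; then
        echo "outside"     # named loaded the data from the main file system
    else
        echo "no-canary"   # no answer, or the record is missing from the zone
    fi
}

# Query the running server directly (no recursion) and print the verdict.
check_named_jail() {
    server=${1:-127.0.0.1}
    dig +short +norecurse @"$server" "$CANARY_NAME" TXT 2>/dev/null | canary_verdict
}

# Run the live check only when asked: sh canary.sh --run [server]
if [ "${1:-}" = "--run" ]; then
    check_named_jail "${2:-127.0.0.1}"
fi
```

Restart named after editing both copies so the zone is reloaded before querying; a verdict of "no-canary" means the test itself is not set up, not that the jail works.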