Compiling/Running BIND-9.3.2 in chroot jail on AIX 5.3

Dixon, Justin Justin.Dixon at BBandT.com
Mon Jun 26 18:12:05 UTC 2006 

Same results running with named -u uname -t /jail_dir

No error output to stdout or any syslogs. Truss shows that it exits with a
status code of 1 and shows most of the same err#2 & err#25 errors in the
trace.

Does anyone know of the required devices needed to chroot BIND on AIX? I
have dev/null, dev/random, dev/tcp, dev/udp, & dev/zero created in the jail
with the same device numbers as shown by ls -lL on the devices in /dev

Thanks...

Justin Dixon

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf
Of Kevin Darcy
Sent: Friday, June 23, 2006 22:34
To: 'bind-users at isc.org'
Subject: Re: Compiling/Running BIND-9.3.2 in chroot jail on AIX 5.3

Dixon, Justin wrote:
> Has anyone attempted/had success trying to run BIND 9.3.2 in a chroot jail
> on AIX 5.3?
>
> I have compiled using the following: ./configure --prefix=/usr/local and
> installed to a jail on a separate mount point.
> I have created dev/null, dev/random, dev/zero, dev/tcp, dev/udp in the
jail.
> I have copied all libraries that ldd returned along with some others that
a
> truss of named said were missing to the respective directories under the
> jail.
>
> Named still does not start when running chroot /jail /usr/local/sbin/named
> -u username and truss returns quite a few err#2 and err#25 codes.
>
> I used the following for reference when trying to set this up:
>
> http://www.cymru.com/Documents/secure-bind-template.html 
> http://www.boran.com/security/sp/bind9_20010430.html 
>   
Do you get any better results when you chroot via named's built-in "-t" 
mechanism?

I remain mystified as to why all of these "HOWTO" writers prefer to 
chroot named through a separate program, as opposed to simply using the 
chroot capability that is already built into the program.

If it's still not working, what kind of error is it giving on startup, I 
mean, what is actually being *output* as the error? truss is all fine 
and dandy, but I'm not sure what you mean by err#2 and err#25. If you 
mean the standard "errno" mappings, 2 is ENOENT -- you're trying to 
access something that isn't there, e.g. a non-existent file, and 25 is 
ENOTTY -- "inappropriate ioctl" or the classic "not a typewriter" error 
-- which you generally see when you try to do a tty-ish ioctl on a 
non-tty device. The ENOTTY is probably eminently ignorable; as for the 
ENOENT, take a look at the pathname of the thing it's trying to access: 
maybe you've got the directory structure a bit wrong somewhere...

                                                                         
                        - Kevin

More information about the bind-users mailing list