chrooting bind

Barry Margolin barmar at genuity.net
Wed Aug 15 22:08:57 UTC 2001


In article <9leria$1rt at pub3.rc.vix.com>,
Christopher L. Barnard <cbar44 at tsg.cbot.com> wrote:
>
>Kevin Darcy responded:
>
>> Why are you using /usr/sbin/chroot to chroot named instead of named's
>> built-in chroot mechanism (-t)?
>> The way you're doing it, you need to populate the chroot jail with all sorts
>> of crap. The lack of some library or device node or whatever is probably
>> what is causing the startup to fail.
>
>Because using named's built-in -t flag means that the daemon starts in a
>non-chrooted setup, and then once it is going it looks to the chrooted area
>for the zone files, etc.  By starting the daemon already in the chrooted jail,
>if someone by some preposterous chance is able to break in through the name
>daemon itself, there is No Way (tm) he or she could see the rest of the
>system.
>
>Yes, I am being overly, excessively, and absurdly cautious.

I think you misunderstand how chroot works.  Once you're in the jail,
you're trapped in it.  It doesn't matter whether you locked yourself in or
were born there.  You still can't see the rest of the system.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
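Whichever of the two mechanisms is used (named -t or /usr/sbin/chroot), the result can be checked from outside the jail rather than argued about: on Linux, /proc/PID/root is a symlink to the directory that process sees as "/". The shell snippet below is an added example, not code from the thread or from BIND; it assumes a Linux /proc filesystem, and the jail path /var/named-jail is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a process is confined
# to a chroot jail, regardless of whether it chrooted itself (named -t) or
# was started inside the jail (/usr/sbin/chroot). Assumes Linux /proc.

# Strip trailing slashes so "/var/named-jail/" and "/var/named-jail"
# compare equal; a bare "/" stays "/".
norm_path() {
    p=$(printf '%s' "$1" | sed 's:/*$::')
    if [ -n "$p" ]; then printf '%s' "$p"; else printf '/'; fi
}

# Print the root directory the given process sees. Reading
# /proc/<pid>/root needs the same uid as the process, or root.
proc_root() {
    readlink "/proc/$1/root"
}

# Succeed (exit 0) only if the process's root is the expected jail.
# An unreadable or missing /proc entry counts as "not verified" (exit 1).
is_jailed() {
    pid=$1
    want=$(norm_path "$2")
    got=$(proc_root "$pid" 2>/dev/null) || return 1
    [ -n "$got" ] && [ "$(norm_path "$got")" = "$want" ]
}

# Usage after starting named into a jail (placeholder path):
#   named -t /var/named-jail -u named
#   is_jailed "$(pidof named)" /var/named-jail && echo "named is jailed"
# The -u flag is the other half of the defence: the jail only holds
# if the process also gives up root once it is inside.
```

The check answers Barry's point directly: a process started with /usr/sbin/chroot and one that called chroot() on itself via -t both show the jail directory as their root, and neither can name anything above it. What a practitioner should verify in addition is that named has dropped root (the -u flag), since the jail boundary is only meant to confine an unprivileged process.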
