chroot query

Doug Barton DougB at DougBarton.net
Fri Oct 4 16:28:10 UTC 2002


On 4 Oct 2002, david doherty wrote:

>
> thanks for the help. I will take a look at the configuration of my
> /jail again. It is bugging me as trussing the process does not give me
> a great deal of information as to why the user 'named' cannot be
> found.

Umm... didn't Mark already answer this question? You don't have the right
password files in /jail/etc. While opinions differ on this point, I think
most of us feel that rather than using chroot /blah named, you're better
off using named -t /blah. That way, you don't have to duplicate your
entire operating system under /blah. You just need to copy the things
named needs to see after it's chroot'ed itself. For bind 8 that's:

/blah/dev/null
/blah/etc/localtime

For your convenience, you probably also want /blah/var/run, and you should
have directories for your master and slave zones, etc. For bind 9 you also
need a /blah/dev/random. My chroot tree looks like this:

/var/named
/var/named/dev
/var/named/dev/null
/var/named/dev/random
/var/named/etc
/var/named/etc/namedb
/var/named/etc/namedb/master
/var/named/etc/namedb/master/bind.db
/var/named/etc/namedb/master/root.hints
/var/named/etc/namedb/master/rfc1537.db
/var/named/etc/namedb/named.conf
/var/named/etc/namedb/rndc.key
/var/named/etc/namedb/slave
/var/named/etc/localtime
/var/named/var
/var/named/var/dump
/var/named/var/log
/var/named/var/run

That's it (minus the zone files of course). I actually feel that it's a
lot more secure to keep the binaries OUT of the chroot area. That way
there is even less for the attacker to compromise.

HTH,

Doug

-- 
   "We have known freedom's price. We have shown freedom's power.
      And in this great conflict, ...  we will see freedom's victory."
	- George W. Bush, President of the United States
          State of the Union, January 28, 2002
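The layout Doug lists above can be built and checked with a short script. The following is an added example and is not part of the original post; it assumes Linux-style major/minor numbers for the mknod calls (on FreeBSD you would mount devfs into the tree's dev directory instead) and that zone files are copied in separately. The check function also enforces the point at the end of the message: with named -t, the binary and its libraries stay outside the chroot, so their presence inside the tree is reported as a problem.

```shell
#!/bin/sh
# Added example (not from the original post): build and sanity-check a
# minimal chroot tree for "named -t ROOT", following the directory
# layout given in the message. Assumptions: Linux device numbers for
# mknod (FreeBSD uses devfs), zone files handled separately.

# make_named_chroot ROOT [LOCALTIME_SRC]
# Creates the directories, copies localtime, and (as root) the device nodes.
make_named_chroot() {
    root="$1"
    lt_src="${2:-/etc/localtime}"   # source of the timezone file, default /etc/localtime
    for d in dev etc/namedb/master etc/namedb/slave var/dump var/log var/run; do
        mkdir -p "$root/$d" || return 1
    done
    # /etc/localtime inside the tree lets named log in local time
    cp "$lt_src" "$root/etc/localtime" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        # Device nodes need root (and CAP_MKNOD in a container); warn, don't abort
        [ -c "$root/dev/null" ]   || mknod "$root/dev/null" c 1 3 2>/dev/null \
            || echo "warning: could not create $root/dev/null" >&2
        [ -c "$root/dev/random" ] || mknod "$root/dev/random" c 1 8 2>/dev/null \
            || echo "warning: could not create $root/dev/random" >&2
        for n in null random; do
            [ -c "$root/dev/$n" ] && chmod 666 "$root/dev/$n"
        done
    fi
    return 0
}

# check_named_chroot ROOT
# Returns 0 when the required directories and files are present and no
# binaries or libraries have crept into the tree; prints the first problem
# and returns 1 otherwise. Missing device nodes only warn, since creating
# them needs root.
check_named_chroot() {
    root="$1"
    for d in dev etc/namedb/master etc/namedb/slave var/dump var/log var/run; do
        [ -d "$root/$d" ] || { echo "missing directory: $d"; return 1; }
    done
    [ -f "$root/etc/localtime" ] || { echo "missing file: etc/localtime"; return 1; }
    for n in null random; do
        if [ -e "$root/dev/$n" ]; then
            # A regular file sitting where dev/null should be would break named quietly
            [ -c "$root/dev/$n" ] || { echo "dev/$n is not a character device"; return 1; }
        else
            echo "warning: dev/$n absent (create as root, or mount devfs on FreeBSD)" >&2
        fi
    done
    # With named -t the binary and its libraries stay outside the tree
    for p in bin sbin lib usr; do
        [ ! -e "$root/$p" ] || { echo "unexpected: $p (keep binaries out of the chroot)"; return 1; }
    done
    return 0
}

# Usage (needs write access to the target directory):
#   make_named_chroot /var/named && check_named_chroot /var/named
#   named -t /var/named -u named
```

The check deliberately refuses a tree that contains bin, sbin, lib or usr: named -t chroots after the binary and its shared libraries are already loaded, so nothing under those paths is needed, and leaving them out is exactly the "less for the attacker to compromise" Doug describes.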




