[Dshield] Re: chroot BIND

Johannes Ullrich jullrich at euclidian.com
Thu Nov 14 20:01:12 GMT 2002


>   Doesn't BIND allow you to jail the app on its own?
Yes.

>   I start it up with the options named -u 'username_to_run_as' -t 
> /directory/to/jail.

But you still need to set up the 'jail' (/directory/to/jail) to
contain all the necessary files, as named will not be able to
access any files outside of the jail. At a minimum, these are the
config files and /dev/null. You will also need the libraries (unless
you compile static) and a couple extra things, like /dev/random for
the secure dns/tsig stuff.


> 
>   Is there some vulnerability I should be aware of with this setup?

No, but it will just not work if the jail is not set up right.


> 
>   thanks in advance
> 
>   Pat Evans
> 


-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
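
A pre-start check for the jail contents listed in the reply above, as an added example that is not part of the original message. The `check_jail` name and the `etc/named.conf` location inside the jail are assumptions; pass the jail directory and, optionally, the path to the `named` binary.

```shell
#!/bin/sh
# Added example (not from the original message): audit a chroot jail before
# running `named -u USER -t JAIL`. The etc/named.conf location inside the jail
# and the check_jail name are assumptions.

# check_jail JAIL [NAMED_BINARY]
# Prints one line per problem; returns 0 if the jail looks complete, 1 otherwise.
check_jail() {
    jail=$1
    named_bin=${2:-}
    status=0

    # Config file, read relative to the jail root once named has chrooted.
    if [ ! -r "$jail/etc/named.conf" ]; then
        echo "missing: $jail/etc/named.conf"
        status=1
    fi

    # /dev/null and /dev/random must be real device nodes inside the jail.
    # A symlink pointing outside the jail dangles after chroot, so reject it.
    for dev in null random; do
        node="$jail/dev/$dev"
        if [ ! -e "$node" ] && [ ! -L "$node" ]; then
            echo "missing: $node"
            status=1
        elif [ -L "$node" ] || [ ! -c "$node" ]; then
            echo "not a character device node: $node"
            status=1
        fi
    done

    # Shared libraries: each path ldd reports must exist under the jail.
    # Yields nothing for a static binary; skipped if ldd is not installed.
    if [ -n "$named_bin" ] && command -v ldd >/dev/null 2>&1; then
        for lib in $(ldd "$named_bin" 2>/dev/null | grep -o '/[^ ]*'); do
            if [ ! -e "$jail$lib" ]; then
                echo "missing library: $jail$lib"
                status=1
            fi
        done
    fi

    return "$status"
}
```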