[Dshield] Re: chroot BIND

Dragos Ruiu dr at kyx.net
Thu Nov 14 12:28:16 GMT 2002


You might want to look at the OpenBSD implementation of chroot BIND
to crib from. They've had it for some time...

cheers,
--dr

On November 14, 2002 08:01 pm, Johannes Ullrich wrote:
> >   Doesn't BIND allow you to jail the app on its own?
>
> yes.
>
> >   I start it up with the options named -u 'username_to_run_as' -t
> > /directory/to/jail.
>
> But you still need to set up the 'jail' (/directory/to/jail) to
> contain all the necessary files, as named will not be able to
> access any files outside of the jail. At a minimum, these are the
> config files and /dev/null. You will also need the libraries (unless
> you compile static) and a couple extra things, like /dev/random for
> the secure dns/tsig stuff.
>
> >   Is there some vulnerability I should be aware of with this setup?
>
> no. but it will just not work if the jail is not set up right.
>
> >   thanks in advance
> >
> >   Pat Evans

-- 
dr at kyx.net   pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
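
Added example, not part of the original messages: a shell function that audits a jail directory for the items the quoted reply lists (config file, /dev/null, /dev/random, and the shared libraries a dynamically linked named needs). The function name check_jail and the etc/named.conf location inside the jail are assumptions.

```shell
#!/bin/sh
# Added example: audit a BIND chroot jail for the files named in the thread.
# Assumptions (not from the thread): the config lives at etc/named.conf inside
# the jail; the optional second argument is the path to the named binary.

# check_jail JAIL [NAMED_BINARY]
# Prints one line per problem and returns 0 only when none are found.
check_jail() {
    jail=$1
    named_bin=${2:-}
    problems=0

    if [ ! -d "$jail" ]; then
        echo "MISSING $jail"
        return 1
    fi

    # Config file must be a regular file inside the jail.
    if [ ! -f "$jail/etc/named.conf" ]; then
        echo "MISSING /etc/named.conf"
        problems=$((problems + 1))
    fi

    # Device nodes: must exist and be character devices, not plain files.
    for dev in dev/null dev/random; do
        if [ ! -e "$jail/$dev" ]; then
            echo "MISSING /$dev"
            problems=$((problems + 1))
        elif [ ! -c "$jail/$dev" ]; then
            echo "NOTDEV /$dev"
            problems=$((problems + 1))
        fi
    done

    # Shared libraries: every absolute path ldd reports must exist in the jail.
    # A static binary yields no paths, so nothing is required.
    if [ -n "$named_bin" ] && command -v ldd >/dev/null 2>&1; then
        for lib in $(ldd "$named_bin" 2>/dev/null |
                     awk '{for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i}'); do
            if [ ! -e "$jail$lib" ]; then
                echo "MISSING $lib"
                problems=$((problems + 1))
            fi
        done
    fi

    [ "$problems" -eq 0 ]
}
```

Run it as the same invocation would see the jail, for example `check_jail /directory/to/jail` followed by the path to your named binary, before starting named with `-t`.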



