[Dshield] Re: chroot BIND
dr at kyx.net
Thu Nov 14 12:28:16 GMT 2002
You might want to look at the OpenBSD implementation of chroot BIND
to crib from. They've had it for some time...
On November 14, 2002 08:01 pm, Johannes Ullrich wrote:
> > Doesn't BIND allow you to jail the app on its own?
> > I start it up with the options named -u 'username_to_run_as' -t
> > /directory/to/jail.
> But you still need to set up the 'jail' (/directory/to/jail) to
> contain all the necessary files, as named will not be able to
> access any files outside of the jail. At a minimum, these are the
> config files and /dev/null. You will also need the libraries (unless
> you compile static) and a couple extra things, like /dev/random for
> the secure dns/tsig stuff.
> > Is there some vulnerability I should be aware of with this setup?
> No, but it will just not work if the jail is not set up right.
> > thanks in advance
> > Pat Evans
dr at kyx.net pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
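
An added example, not part of the original message or of BIND itself: a shell pre-flight check for the jail contents listed in the quoted reply (config file, /dev/null, /dev/random, shared libraries) before starting named with -t. The function name jail_missing and the config path etc/named.conf inside the jail are assumptions.

```sh
#!/bin/sh
# Pre-flight check for a BIND chroot jail (the directory passed to named -t).
# Assumption: the config lives at etc/named.conf inside the jail.

# jail_missing JAIL [NAMED_BINARY]
# Prints one line per missing item; returns 0 if nothing is missing, 1 otherwise.
jail_missing() {
    jail=$1
    named_bin=${2:-}
    rc=0

    # After chroot(), named can only read config that exists inside the jail.
    if [ ! -r "$jail/etc/named.conf" ]; then
        echo "missing: etc/named.conf"
        rc=1
    fi

    # These must be real character devices; an empty regular file is not enough.
    for dev in dev/null dev/random; do
        if [ ! -c "$jail/$dev" ]; then
            echo "missing: $dev (character device)"
            rc=1
        fi
    done

    # Shared libraries the binary needs. A statically linked binary makes ldd
    # list no paths, so this loop then reports nothing.
    if [ -n "$named_bin" ] && command -v ldd >/dev/null 2>&1; then
        for lib in $(ldd "$named_bin" 2>/dev/null |
                     awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
            if [ ! -e "$jail$lib" ]; then
                echo "missing: ${lib#/} (shared library)"
                rc=1
            fi
        done
    fi
    return $rc
}

# Run as: sh check_jail.sh /directory/to/jail /path/to/named
if [ $# -gt 0 ]; then
    jail_missing "$@"
fi
```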