david wrote:
At 10:02 PM 4/20/2004, you wrote:
So, David. Do you understand yet? Or has this all caused more confusion?
If not, do a little research on chroot. Then go back and re-read the
named release notes, that should help it make a little more sense.
It will be worth your while. Chroot is a very powerful security tool and
every unix/linux admin should understand it.
Eric
Thanks for the non-accusatory response. Here's what I've learned.
Perhaps someone can reformulate into intelligible text.
If you include bind-chroot in your system (not sure what "include"
means, help needed), then the NAMED service automatically prefixes
/var/named/chroot/ in front of path names. This means that what you
thought of as /etc/named.conf becomes /var/named/chroot/etc/named.conf.
In your "named.conf" file, if you specify a directory for your zone
files, this same prefixing occurs.
Er, not quite. bind-chroot runs named as a non-privileged user in a
chroot()ed environment. This means that "/" for the named process will
be "/var/named/chroot". Even if someone hacks in, they can't see any
directories ABOVE that and they're stuck as the unprivileged user.
See chroot(2) ("man 2 chroot") for details on how that works.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens@xxxxxxxxxxxxxxx -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- The light at the end of the tunnel is really an oncoming train. -
----------------------------------------------------------------------
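As an added illustration of what Rick describes (not code from the thread or from BIND itself): a small C program that maps a path the chroot()ed process sees onto the host path an administrator sees, and a confine() routine showing the order in which a daemon enters the chroot and then gives up root. The chroot directory "/var/named/chroot" and the uid/gid 25 for the "named" user are assumptions for illustration.

```c
/* Added example (not from the thread): chroot(2) confinement followed by
 * an irreversible drop to an unprivileged user. The root path and the
 * uid/gid used in main() are assumptions for illustration. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Translate a path as the chroot()ed process sees it into the path seen on
 * the host: "/etc/named.conf" inside a chroot at "/var/named/chroot" is
 * "/var/named/chroot/etc/named.conf" outside. Returns 0 or -1. */
int host_path(const char *root, const char *inner, char *out, size_t outlen)
{
    if (inner[0] != '/')
        return -1;                       /* paths inside the chroot are absolute */
    size_t rlen = strlen(root);
    while (rlen > 1 && root[rlen - 1] == '/')
        rlen--;                          /* drop trailing slashes on root */
    if (rlen + strlen(inner) + 1 > outlen)
        return -1;
    memcpy(out, root, rlen);
    strcpy(out + rlen, inner);
    return 0;
}

/* Enter the chroot, then drop privileges. Must start as root, since
 * chroot(2) itself requires it. chdir() first so the cwd is inside the
 * new root, chroot(), then shed groups, gid and uid in that order.
 * Returns 0 on success or -errno. */
int confine(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -EINVAL;                  /* the point is to stop being root */
    if (chdir(root) != 0 || chroot(root) != 0 || chdir("/") != 0)
        return -errno;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -errno;
    if (setuid(0) == 0)                  /* regaining root must now fail */
        return -EPERM;
    return 0;
}

int main(void)
{
    char buf[256];
    host_path("/var/named/chroot", "/etc/named.conf", buf, sizeof buf);
    printf("named opens /etc/named.conf; on the host that is %s\n", buf);
    int rc = confine("/var/named/chroot", 25, 25); /* assumed "named" uid/gid */
    if (rc != 0)
        fprintf(stderr, "confine failed: %s\n", strerror(-rc));
    return rc != 0;
}
```

Run as root with the chroot directory in place, confine() succeeds and the process can no longer see anything above /var/named/chroot; run as an ordinary user it reports the EPERM from chroot(2).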