Documentation for Bind in Fedora Core 1
Rick Stevens
rstevens at vitalstream.com
Wed Apr 21 18:46:36 UTC 2004
david wrote:
> At 10:02 PM 4/20/2004, you wrote:
>
>> So, David. Do you understand yet? Or has this all caused more confusion?
>>
>> If not, do a little research on chroot. Then go back and re-read the
>> named release notes, that should help it make a little more sense.
>>
>> It will be worth your while. Chroot is a very powerful security tool and
>> every unix/linux admin should understand it.
>
> Eric
>
> Thanks for the non-accusatory response. Here's what I've learned.
> Perhaps someone can reformulate into intelligible text.
>
>
> If you include bind-chroot in your system (not sure what "include"
> means, help needed), then the NAMED service automatically prefixes
> /var/named/chroot/ in front of path names. This means that what you
> thought of as /etc/named.conf becomes /var/named/chroot/etc/named.conf.
> In your "named.conf" file, if you specify a directory for your zone
> files, this same prefixing occurs.
Er, not quite. bind-chroot runs named as a non-privileged user in a
chroot()ed environment. This means that "/" for the named process will
be "/var/named/chroot". Even if someone hacks in, they can't see any
directories ABOVE that and they're stuck as the unprivileged user.
See chroot(2) ("man 2 chroot") for details on how that works.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- The light at the end of the tunnel is really an oncoming train. -
----------------------------------------------------------------------
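The sequence Rick describes (chroot first, then drop to an unprivileged user, so that "/" becomes /var/named/chroot and a compromised process cannot see above it) as an added C example; this is not code from the thread or from the bind-chroot package, and the uid/gid values passed in are assumed to belong to some unprivileged account such as "named":

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Host-side path of the file a jailed process sees at `inside`, e.g. the
 * jailed "/etc/named.conf" is really "/var/named/chroot/etc/named.conf".
 * Returns 0 on success, -1 if `inside` is not absolute or `out` is too small. */
int host_path(char *out, size_t outlen, const char *jail, const char *inside)
{
    if (inside[0] != '/')
        return -1;
    if (snprintf(out, outlen, "%s%s", jail, inside) >= (int)outlen)
        return -1;
    return 0;
}

/* Enter the jail and drop to an unprivileged user, in the order that matters:
 * chroot() needs root, so it comes first; chdir("/") moves the working
 * directory inside the jail; setgroups/setgid/setuid then make the drop
 * permanent. Returns 0 on success, -1 (errno set) on failure. The uid/gid
 * are whatever the unprivileged account has; the example refuses uid/gid 0. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {        /* never stay root inside the jail */
        errno = EINVAL;
        return -1;
    }
    if (chroot(jail) != 0)             /* needs CAP_SYS_CHROOT; fails as non-root */
        return -1;
    if (chdir("/") != 0)               /* otherwise cwd still points outside */
        return -1;
    if (setgroups(0, NULL) != 0)       /* drop supplementary groups too */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {              /* regaining root means the drop failed */
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

Note that the chroot() call itself only succeeds for root, which is why the package starts named with privileges and lets it drop them afterwards; the jail directory must also exist and contain everything named needs (config, zone files, device nodes).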