Dixon, Justin wrote:
> Has anyone attempted/had success trying to run BIND 9.3.2 in a chroot jail
> on AIX 5.3?
>
> I have compiled using the following: ./configure --prefix=/usr/local and
> installed to a jail on a separate mount point.
> I have created dev/null, dev/random, dev/zero, dev/tcp, dev/udp in the jail.
> I have copied all libraries that ldd returned along with some others that a
> truss of named said were missing to the respective directories under the
> jail.
>
> Named still does not start when running chroot /jail /usr/local/sbin/named
> -u username and truss returns quite a few err#2 and err#25 codes.
>
> I used the following for reference when trying to set this up:
>
> http://www.cymru.com/Documents/secur...-template.html
> http://www.boran.com/security/sp/bind9_20010430.html
>

Do you get any better results when you chroot via named's built-in "-t"
mechanism?

I remain mystified as to why all of these "HOWTO" writers prefer to
chroot named through a separate program, as opposed to simply using the
chroot capability that is already built into the program.

If it's still not working, what kind of error is it giving on startup, I
mean, what is actually being *output* as the error? truss is all fine
and dandy, but I'm not sure what you mean by err#2 and err#25. If you
mean the standard "errno" mappings, 2 is ENOENT -- you're trying to
access something that isn't there, e.g. a non-existent file, and 25 is
ENOTTY -- "inappropriate ioctl" or the classic "not a typewriter" error
-- which you generally see when you try to do a tty-ish ioctl on a
non-tty device. The ENOTTY is probably eminently ignorable; as for the
ENOENT, take a look at the pathname of the thing it's trying to access:
maybe you've got the directory structure a bit wrong somewhere...


- Kevin