Same results running with named -u uname -t /jail_dir

No error output to stdout or any syslogs. Truss shows that it exits with a
status code of 1 and shows most of the same err#2 & err#25 errors in the
trace.

Does anyone know of the required devices needed to chroot BIND on AIX? I
have dev/null, dev/random, dev/tcp, dev/udp, & dev/zero created in the jail
with the same device numbers as shown by ls -lL on the devices in /dev

Thanks...

Justin Dixon

-----Original Message-----
From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On Behalf
Of Kevin Darcy
Sent: Friday, June 23, 2006 22:34
To: 'bind-users@isc.org'
Subject: Re: Compiling/Running BIND-9.3.2 in chroot jail on AIX 5.3

Dixon, Justin wrote:
> Has anyone attempted/had success trying to run BIND 9.3.2 in a chroot jail
> on AIX 5.3?
>
> I have compiled using the following: ./configure --prefix=/usr/local and
> installed to a jail on a separate mount point.
> I have created dev/null, dev/random, dev/zero, dev/tcp, dev/udp in the
> jail.
> I have copied all libraries that ldd returned along with some others that
> a truss of named said were missing to the respective directories under the
> jail.
>
> Named still does not start when running chroot /jail /usr/local/sbin/named
> -u username and truss returns quite a few err#2 and err#25 codes.
>
> I used the following for reference when trying to set this up:
>
> http://www.cymru.com/Documents/secur...-template.html
> http://www.boran.com/security/sp/bind9_20010430.html
>

Do you get any better results when you chroot via named's built-in "-t"
mechanism?

I remain mystified as to why all of these "HOWTO" writers prefer to
chroot named through a separate program, as opposed to simply using the
chroot capability that is already built into the program.

If it's still not working, what kind of error is it giving on startup, I
mean, what is actually being *output* as the error? truss is all fine
and dandy, but I'm not sure what you mean by err#2 and err#25. If you
mean the standard "errno" mappings, 2 is ENOENT -- you're trying to
access something that isn't there, e.g. a non-existent file, and 25 is
ENOTTY -- "inappropriate ioctl" or the classic "not a typewriter" error
-- which you generally see when you try to do a tty-ish ioctl on a
non-tty device. The ENOTTY is probably eminently ignorable; as for the
ENOENT, take a look at the pathname of the thing it's trying to access:
maybe you've got the directory structure a bit wrong somewhere...


- Kevin
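An added example, not part of this thread or of BIND: a small POSIX sh helper that follows Kevin's advice by pulling the pathnames out of every truss call that failed with Err#2 (ENOENT), ignoring the Err#25 (ENOTTY) noise, and reporting which of those paths still do not exist under the jail root. The truss line format and the sample trace lines are constructed assumptions, not output from Justin's system.

```shell
#!/bin/sh
# Scan a truss trace of named for syscalls that failed with errno 2 (ENOENT)
# and list the pathnames, so they can be checked against the jail layout.
# Assumed truss format (AIX/Solaris style), e.g.:
#   open("/etc/localtime", O_RDONLY) Err#2  ENOENT
# The lines below are constructed for demonstration, not a real trace.
SAMPLE_TRACE='open("/usr/local/etc/named.conf", O_RDONLY) = 3
open("/etc/localtime", O_RDONLY) Err#2  ENOENT
stat("/usr/lib/nls/msg/en_US/libc.cat", 0x2FF1E2C0) Err#2  ENOENT
ioctl(2, 22136, 0x2FF22C2C) Err#25 ENOTTY
open("/dev/random", O_RDONLY) = 4
open("/var/run/named.pid", O_WRONLY|O_CREAT|O_TRUNC, 0644) Err#2  ENOENT'

# enoent_paths TRACE_TEXT
# Prints one pathname per line for each call whose first argument is a quoted
# path and whose result is Err#2. Err#25 lines never match because the
# character after "Err#2" must be whitespace, not the digit 5.
enoent_paths() {
    printf '%s\n' "$1" |
        sed -n 's/^[a-z_0-9]*("\([^"]*\)".*[Ee]rr#2[[:space:]].*/\1/p'
}

# missing_in_jail JAIL_DIR TRACE_TEXT
# Of the ENOENT paths, prints those that still do not exist below JAIL_DIR
# (the directory handed to chroot or to named -t). Paths that exist are the
# ones already fixed; the rest point at the missing file or directory.
missing_in_jail() {
    jail=$1
    enoent_paths "$2" | while IFS= read -r p; do
        [ -e "$jail$p" ] || printf '%s\n' "$p"
    done
}

# Stand-alone run: show what the constructed trace says named could not find.
echo "ENOENT paths in trace:"
enoent_paths "$SAMPLE_TRACE"
```

To use it on a real trace, capture with `truss -o trace.txt ...` and call `missing_in_jail /jail "$(cat trace.txt)"`; anything printed is a path to create or copy under the jail.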