Hi, it has been long and arduous, but now my BIND is properly running
chroot()-ed. The problem was with named-xfer, which failed trying to open
/dev/zero with an ENXIO error. In the end, I recompiled named-xfer
statically, and all the errors disappeared. Note that all the libraries
referenced by ldd and by truss WERE in the chroot jail.

Thanks to all who responded (far too many to list; I got more than 20
answers, both here and on focus-sun@securityfocus.com).

On Wed, 7 Mar 2001, Christophe Dupre wrote:

>
> Until now, thanks to:
> Casper Dik
> Eric Paul
> Darren Dunham
>
> I had made a typo for the /dev/zero file, and my jail was mounted nosuid.
> So I made the changes:
> /opt on /dev/md/dsk/d10 read/write/setuid/largefiles/logging on Wed Mar 7 10:47:02 2001
>
> server1:/opt/named/dev ls -l /opt/named/dev/
> total 0
> crw-rw-rw-   1 root     root      13,  2 Mar  6 15:29 null
> crw-rw-rw-   1 root     root      13, 12 Mar  7 10:47 zero
>
> I do have the required libraries in the jail:
> server1:/opt/named/dev ls -l /opt/named/lib/
> total 4498
> -rwxr-xr-x   1 root     other     183060 Mar  7 09:05 ld.so.1
> -rwxr-xr-x   1 root     other    1124692 Mar  7 09:05 libc.so.1
> -rwxr-xr-x   1 root     other      17256 Mar  7 09:05 libc_psr.so.1
> -rwxr-xr-x   1 root     other       4600 Mar  7 09:05 libdl.so.1
> -rwxr-xr-x   1 root     other      15336 Mar  7 09:05 libl.so.1
> -rwxr-xr-x   1 root     other      19876 Mar  7 09:05 libmp.so.2
> -rwxr-xr-x   1 root     other     837300 Mar  7 09:05 libnsl.so.1
> -rwxr-xr-x   1 root     other      56988 Mar  7 09:05 libsocket.so.1
>
> server1:/opt/named/dev ldd /opt/named/sbin/named-xfer
>         libl.so.1 =>     /usr/lib/libl.so.1
>         libnsl.so.1 =>   /usr/lib/libnsl.so.1
>         libsocket.so.1 => /usr/lib/libsocket.so.1
>         libc.so.1 =>     /usr/lib/libc.so.1
>         libdl.so.1 =>    /usr/lib/libdl.so.1
>         libmp.so.2 =>    /usr/lib/libmp.so.2
>         /usr/platform/SUNW,Ultra-4/lib/libc_psr.so.1
>
> However, the truss still gives:
> server1:/opt/named/dev truss -f chroot /opt/named /sbin/named-xfer
> 19331: execve("/usr/sbin/chroot", 0xFFBEF5C4, 0xFFBEF5D4)  argc = 3
> 19331: stat("/usr/sbin/chroot", 0xFFBEF2B8) = 0
> 19331: open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
> 19331: open("./libc.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/openwin/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/opt/SUNWits/Graphics-sw/xgl-3.0/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/SUNWspro/5.0/SUNWspro/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/SUNWspro/6.0/SUNWspro/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/lib/libc.so.1", O_RDONLY) = 3
> 19331: fstat(3, 0xFFBEF054) = 0
> 19331: mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF3A0000
> 19331: mmap(0x00000000, 778240, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF280000
> 19331: mmap(0xFF334000, 31832, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 671744) = 0xFF334000
> 19331: open("/dev/zero", O_RDONLY) = 4
> 19331: mmap(0xFF33C000, 5312, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xFF33C000
> 19331: munmap(0xFF326000, 57344) = 0
> 19331: memcntl(0xFF280000, 131808, MC_ADVISE, 0x0003, 0, 0) = 0
> 19331: close(3) = 0
> 19331: open("./libdl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/openwin/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/opt/SUNWits/Graphics-sw/xgl-3.0/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/SUNWspro/5.0/SUNWspro/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/SUNWspro/6.0/SUNWspro/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/lib/libdl.so.1", O_RDONLY) = 3
> 19331: fstat(3, 0xFFBEF054) = 0
> 19331: mmap(0xFF3A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF3A0000
> 19331: close(3) = 0
> 19331: open("/usr/platform/SUNW,Ultra-4/lib/libc_psr.so.1", O_RDONLY) = 3
> 19331: fstat(3, 0xFFBEEEBC) = 0
> 19331: mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
> 19331: mmap(0x00000000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF380000
> 19331: close(3) = 0
> 19331: mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xFF370000
> 19331: close(4) = 0
> 19331: munmap(0xFF390000, 8192) = 0
> 19331: getuid() = 0 [0]
> 19331: chroot("/opt/named") = 0
> 19331: chdir("/") = 0
> 19331: execve("/sbin/named-xfer", 0xFFBEF5CC, 0xFFBEF5D4)  argc = 1
> 19331: stat("/sbin/named-xfer", 0xFFBEF2D0) = 0
> 19331: open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
> 19331: open("./libl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/openwin/lib/libl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/opt/SUNWits/Graphics-sw/xgl-3.0/lib/libl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/lib/libl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/SUNWspro/5.0/SUNWspro/lib/libl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/SUNWspro/6.0/SUNWspro/lib/libl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/lib/libl.so.1", O_RDONLY) = 3
> 19331: fstat(3, 0xFFBEF06C) = 0
> 19331: mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF3A0000
> 19331: mmap(0x00000000, 73728, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF380000
> 19331: mmap(0xFF390000, 6588, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
> 19331: munmap(0xFF382000, 57344) = 0
> 19331: memcntl(0xFF380000, 3228, MC_ADVISE, 0x0003, 0, 0) = 0
> 19331: close(3) = 0
> 19331: open("./libnsl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/openwin/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/opt/SUNWits/Graphics-sw/xgl-3.0/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/SUNWspro/5.0/SUNWspro/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/local/SUNWspro/6.0/SUNWspro/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
> 19331: open("/usr/lib/libnsl.so.1", O_RDONLY) = 3
> 19331: fstat(3, 0xFFBEF06C) = 0
> 19331: mmap(0xFF3A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF3A0000
> 19331: mmap(0x00000000, 663552, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF280000
> 19331: mmap(0xFF312000, 31176, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 532480) = 0xFF312000
> 19331: open("/dev/zero", O_RDONLY) Err#6 ENXIO
> 19331: open("/dev/zero", O_RDONLY) Err#6 ENXIO
> ld.so.1: internal: malloc failed19331: write(2, " l d . s o . 1 :   i n t".., 32) = 32
>
> 19331: write(2, "\n", 1) = 1
> 19331: close(3) = 0
> 19331: getpid() = 19331 [19330]
> 19331: *** process killed ***
>
> Everything works up until malloc() (I assume, according to the error
> message) needs to open /dev/zero and fails. According to the open() man
> page, ENXIO happens if the device associated with the file doesn't exist,
> which should not be the case...
>
> Any additional help greatly appreciated.
>
>
> On Wed, 7 Mar 2001, Christophe Dupre wrote:
>
> >
> > Hi,
> > I'm trying to configure bind 8.2.3 to run in a chrooted environment. Doing
> > so for my primary server was relatively easy, but I'm unable to do so for
> > my secondary, as it needs to be able to spawn named-xfer to transfer new
> > zones from the primary. I was not able to statically compile named-xfer
> > (multiply defined symbols), and even if I copy all the required libraries
> > into the prison I still have problems with devices: I created /dev/null and
> > /dev/zero by using mknod, so that I have:
> > crw-rw-rw-   1 root     root      13,  2 Mar  6 15:29 null
> > crw-rw-rw-   1 root     sys       13,  2 Mar  7 09:06 zero
> >
> > but when doing a truss of named-xfer in the chrooted environment I get:
> > 16042: open("/dev/zero", O_RDONLY) Err#6 ENXIO
> > 16042: open("/dev/zero", O_RDONLY) Err#6 ENXIO
> > ld.so.1: internal: malloc failed16042: write(2, " l d . s o . 1 :   i n t".., 32) = 32
> >
> >
> > Any clue on how to completely chroot named?
> >
> > _______________________________________________
> > sunmanagers mailing list
> > sunmanagers@sunmanagers.org
> > http://www.sunmanagers.org/mailman/listinfo/sunmanagers
> >
>

--
Christophe Dupre
System Administrator, Scientific Computation Research Center
Rensselaer Polytechnic Institute
Troy, NY USA
Phone: (518) 276-2578 - Fax: (518) 276-4886

Received on Wed Jun 13 22:08:40 2001
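The thread walks through the three things that have to be right before a dynamically linked program will start inside a chroot jail: the shared libraries the loader will look for must exist under the jail root, the device nodes the loader needs (ld.so.1 maps /dev/zero for anonymous memory) must carry the same type and major/minor numbers as the host's, and the filesystem holding the jail must not be mounted with options that neuter those nodes (on the Solaris of the thread, nosuid also disallowed opening device-special files, which is why the remount with setuid mattered). The checker below is an added example, not code from the thread or from BIND; the function names, the jailcheck wrapper and the constructed sample inputs in the test are my own, and it assumes a POSIX sh with ls(1), awk(1) and, for the wrapper only, ldd(1), reading ls -l device columns in the Solaris/Linux "major, minor" layout.

```shell
#!/bin/sh
# jailcheck.sh: pre-flight checks for a chroot jail before trusting it to run
# a dynamically linked daemon. Added example, not code from the original thread.
# Assumptions: POSIX sh, ls(1) and awk(1); ldd(1) is only used by jailcheck().

# Print "c 13,12" for a character device (type letter, then major,minor taken
# from the two ls -l columns that hold them, "13," and "12"). Prints nothing
# for a missing path and "not-a-device" for a plain file or directory.
devsig() {
    [ -e "$1" ] || return 0
    ls -ld "$1" | awk '{
        t = substr($1, 1, 1)
        if (t == "b" || t == "c") { sub(/,$/, "", $5); print t " " $5 "," $6 }
        else print "not-a-device"
    }'
}

# Read ldd-style output on stdin (Solaris "libl.so.1 => /usr/lib/libl.so.1",
# Linux "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)", or a bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)") and print every absolute path that
# does not exist under the jail root $1. Returns 1 if anything is missing.
jail_missing_libs() {
    jail=$1
    missing=0
    # Every whitespace-separated field that starts with "/" is a library path.
    for lib in $(awk '{ for (i = 1; i <= NF; i++) if (substr($i, 1, 1) == "/") print $i }'); do
        if [ ! -e "$jail$lib" ]; then
            echo "missing: $jail$lib"
            missing=1
        fi
    done
    return $missing
}

# Compare each named node in $1/dev with the host's /dev. A missing node or a
# wrong major/minor (the thread's first bug: zero created with null's minor)
# is reported; returns 1 on any difference. Symlinks are NOT followed, since a
# link pointing out of the jail would resolve differently once chroot()-ed.
jail_check_devices() {
    jail=$1; shift
    bad=0
    for name in "$@"; do
        host=$(devsig "/dev/$name")
        inside=$(devsig "$jail/dev/$name")
        if [ -z "$inside" ]; then
            echo "$jail/dev/$name: missing"; bad=1
        elif [ "$host" != "$inside" ]; then
            echo "$jail/dev/$name: is '$inside', host /dev/$name is '$host'"; bad=1
        fi
    done
    return $bad
}

# Flag a mount(1) line for the jail's filesystem that carries nosuid or
# nodev/nodevices: either breaks device nodes on the systems discussed.
# Returns 1 (and echoes the line) when the jail cannot work on that mount.
mount_line_ok() {
    case " $1 " in
        *nosuid*|*nodev*) echo "jail filesystem mounted with: $1"; return 1 ;;
    esac
    return 0
}

# Usage: jailcheck JAIL BINARY DEVNODE...
#   e.g. jailcheck /opt/named /opt/named/sbin/named-xfer null zero
# A statically linked BINARY (the thread's eventual fix) lists no paths, so
# the library check trivially passes for it.
jailcheck() {
    jail=$1; bin=$2; shift 2
    rc=0
    ldd "$bin" | jail_missing_libs "$jail" || rc=1
    jail_check_devices "$jail" "$@" || rc=1
    return $rc
}
```

Run it as root on the host before the first chroot, and feed the jail's own mount line to mount_line_ok; the check does not cover what truss showed in the thread (a node that exists with the right numbers yet still returns ENXIO), so treat a clean run as necessary, not sufficient. Note also that ldd on some platforms executes the binary's loader with the binary, so only point jailcheck at binaries you already trust.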
This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:24:57 EDT