
Thread: why /proc filesystem in /var/lib/named ?

  1. #1

    why /proc filesystem in /var/lib/named ?

    Hi, in SuSE 11.1 since the 2.6.27.23 kernel a /proc filesystem appeared in /var/lib/named. Do you know any reason, and/or how to get rid of it? It may pose a risk to my domain. Is my system under a serious attack?

  2. #2
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,683 | Blog Entries: 4

    Re: why /proc filesystem in /var/lib/named ?

    Nothing to do with the kernel version and all to do with named running chrooted in /var/lib/named. Named obviously needs some entry in /proc to function and the way to provide that in a chroot environment is to bind mount /proc at the top of the chroot. You will see that a similar thing is done for ntpd in /var/lib/ntp.

  3. #3

    Re: why /proc filesystem in /var/lib/named ?

    Thank you Ken. Still one may ask what is the sense of chroot if one can access fs by /var/lib/named/proc/1/root !

  4. #4
    Re: why /proc filesystem in /var/lib/named ?

    Access to /proc/1/root is still controlled by access permissions whether chrooted or not. What chroot does is remove casual access to the majority of the other files under /. Chroot is not a magic solve-all for security. It has to be combined with other measures. For example named runs as named, not root.

  5. #5

    Re: why /proc filesystem in /var/lib/named ?

    What do you mean with "casual access to other files"? Under /proc/1/root one can access all files as if there were no chroot at all. I see no gain with this named chroot at all!

  6. #6

    Re: why /proc filesystem in /var/lib/named ?

    You'll probably want Ken to clarify this a bit, but IMO you're looking at it wrong. You need to be looking at it from the chroot's point of view.

    [Root Tree] -> [chroot]

    You see it is one way, with some major oversimplification, and as Ken pointed out, if you have the tools there is nothing stopping you [chroot[Root Tree]]. Think of it as a lobster basket: once in you "can't get out", but if outside it, you can do what you want.
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.

  7. #7

    Re: why /proc filesystem in /var/lib/named ?

    Sorry, I don't understand. With the former chrooted named version I couldn't access root files; with the current one I can do it.

  8. #8

    Re: why /proc filesystem in /var/lib/named ?

    You'll need Ken's input; I have only some crude understanding of chrooting. I would guess the chrooting is being done for a reason.

    Now on some brief googling, and due to lack of knowing where to look properly for this, in the bind-chrootenv-9.5.0P2-18.1.i586 RPM I notice that the changelog has several references "... to change root jail."

    As for the reasoning, you may need Ken's input.

  9. #9
    Re: why /proc filesystem in /var/lib/named ?

    Originally posted by zlisiecki:
    > Sorry, I don't understand. With the former chrooted named version I couldn't access root files; with the current one I can do it.

    Yes, but so what? A non-root account will get permission denied if it tries to open those root files in /proc. The usual id-based permission rules apply to files in /proc. Named is running as named, not root. If you do your experiments as root, you will get the wrong impression.
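The two properties Ken's argument in #4 and #9 depends on (a proc filesystem bind-mounted at the top of the chroot, and named running with a non-zero uid so the normal permission checks on /proc/1/root still apply) can be checked rather than assumed. The following is an added example, not code from the thread or from SUSE; the parsers read /proc-format files so they can be run on saved copies, and the sample data is constructed.

```shell
#!/bin/sh
# Added audit helpers (not from the thread). They verify the chroot setup
# Ken describes: /proc under the jail is a real proc mount, and the named
# process runs unprivileged, so /proc/1/root is not readable by it.

# proc_bind_mounted MOUNTINFO CHROOT
# In /proc/self/mountinfo field 5 is the mount point and the filesystem
# type is the field after the "-" separator. Succeeds if a proc fs is
# mounted at CHROOT/proc.
proc_bind_mounted() {
    awk -v mp="$2/proc" '
        { fstype = ""
          for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
          if ($5 == mp && fstype == "proc") found = 1 }
        END { exit !found }' "$1"
}

# runs_unprivileged STATUS
# The "Uid:" line of /proc/PID/status lists real, effective, saved and
# filesystem uids. Succeeds only if all four are non-zero.
runs_unprivileged() {
    awk '/^Uid:/ { ok = ($2 != 0 && $3 != 0 && $4 != 0 && $5 != 0) }
         END { exit !ok }' "$1"
}

# audit_named CHROOT: run both checks against the live system.
audit_named() {
    pid=$(pidof named) || { echo "named is not running"; return 1; }
    pid=${pid%% *}   # first pid if several
    proc_bind_mounted /proc/self/mountinfo "$1" || { echo "no proc fs under $1/proc"; return 1; }
    runs_unprivileged "/proc/$pid/status" || { echo "named (pid $pid) runs as root"; return 1; }
    echo "ok: named chrooted in $1 with /proc bind-mounted, running unprivileged"
}

# Constructed sample data, written to temp files so the parsers can be tried
# without a running named. Uid 44 is an arbitrary example value.
SAMPLE_MOUNTINFO=$(mktemp)
printf '%s\n' \
  '21 25 0:19 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw' \
  '44 25 0:19 / /var/lib/named/proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw' \
  > "$SAMPLE_MOUNTINFO"
NAMED_STATUS=$(mktemp)
printf 'Name:\tnamed\nUid:\t44\t44\t44\t44\nGid:\t44\t44\t44\t44\n' > "$NAMED_STATUS"
ROOT_STATUS=$(mktemp)
printf 'Name:\tnamed\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n' > "$ROOT_STATUS"
```

On a live SUSE box run `audit_named /var/lib/named` as root; the same checks apply to the ntpd jail Ken mentions with `/var/lib/ntp`.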

  10. #10

    Re: why /proc filesystem in /var/lib/named ?

    Originally posted by ken_yap:
    > Yes, but so what?

    It's better not to simulate something which the solution doesn't really offer, and to run named without such a chroot, or to go back to the named version which doesn't access /proc.
