Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Starting named: /bin/chown: cannot access `/var/named/run-root/var/named': No such file or directory Error in named configuration: none:0: open: /etc/named.conf: file not found [FAILED]
the server was already running for quite time now so i really have no idea what it has on it
Actually i've problems with bind, i don't have much knowledge on how to install it.
I;ve always use the name servers that provides the domain sellers...
Are you trying to run Bind 'chrooted'? (Chrooting is more difficult to set up initially for the uninitiated, but is potentially more secure.)
One common problem with running chrooted is that all path are relative to the chroot directory and it is the files relative to this path that the permissions have to be correct.
Have you tried running from the command line so you can see all of the error messages?
And I'm not sure what you are trying to achieve - you want to run bind for apache but is this serving internal clients only or are you trying to create a web site for external clients (as well)? Hosting a web site for the outside world is not something to be taken lightly.
(Chrooting is more difficult to set up initially for the uninitiated, but is potentially more secure.)
chroot being more secure is a usual misconception. Sure it's one more tedious task that frustrates a possible cracker but most don't realize that if someone gains unauthorized access to a system, most of the time they somehow manage to become root and chroot really doesn't apply at that point as it's easy to circumvent around the chroot'd environment setup.
Just thought I'd throw that out there for anyone that wasn't aware.
When BIND runs chroot'd it revokes it's privileges, so yes, chrooting BIND is more secure.
Yeah but if someone gains access as root user, what's preventing them from reconfiguring, that's the whole point, not just BIND related vulnerabilities, etc.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
Well if they gained root, they wouldn't have done it through BIND... the whole point of putting BIND in a chroot is that if someone manages to compromise BIND they won't get root.
Well if they gained root, they wouldn't have done it through BIND... the whole point of putting BIND in a chroot is that if someone manages to compromise BIND they won't get root.
Understood, I was just trying to present those that believe chroot is a full way of securing a service, etc. I've met people who thought otherwise.
I'm slightly baffled why you would bring that up since it's irrelevant in this case.
I replied specifically to #2 as I quoted the specifics in my post #4, that's why it was brought up cause I don't believe chroot makes it any more secure in most cases. I'm just sharing information for crying out loud, geez!
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
And I'm pointing out that in the case of BIND, which is what the OP is actually trying to chroot, it does make a difference, so don't discourage them from setting up their service securely. Maybe other services run as root inside their chroot, but BIND does not.
Any way, to the OP, have you tried
Code:
# mkdir -p /var/named/run-root/var/named
?
PS What OS are you setting this up on? Centos doesn't create a /var/named/run-root by default.
And I'm pointing out that in the case of BIND, which is what the OP is actually trying to chroot, it does make a difference, so don't discourage them from setting up their service securely. Maybe other services run as root inside their chroot, but BIND does not.
I'm not trying to discourage as I wasn't quoting the OP, but the first responder and their "potentially more secure" quote as I feel chroot is not a security tool, it's not what it was intended for. It's almost like security through obscurity in a sense.
Okay, I'm done, let's move on now, sorry I brought up the information, I'll keep such info to myself now instead of maybe sharing info that some might benefit from knowing that chroot isn't a total fool proof way to secure a service or a machine.
I'm not trying to discourage as I wasn't quoting the OP, but the first responder and their "potentially more secure" quote as I feel chroot is not a security tool, it's not what it was intended for. It's almost like security through obscurity in a sense.
I'm sticking with 'potentially more secure'. At no point did I claim that chroot was a security tool, per se, just that bind was potentially more secure set up that way. Its not the be-all and end-all of security, but no one thing ever is and it can be somewhat helpful in certain circumstances. And I was trying to avoid confusing the OP with too much detail that I was concerned that would just confuse... that turned out not to be at all helpful, so I am sorry for that.
the usual problems with a chrooted installation are:
The set of files that need to be duplicated to the new chrooted location aren't all there
Permissions. The effective user (the user that Bind runs as, once it has thrown off root permissions) needs to have appropriate permissions. that can be read and write access to files or it can be access to directories.
This is easier if you can log in as the effective user, but you need to look at the error messages one by one, find out whether it is file permissions or directory permissions that have caused it, and put it right. You may even have to 'touch' the odd file to bring it into existence so that Bind can then modify them. But that's it for getting Bind running.
At no point did I claim that chroot was a security tool, per se, just that bind was potentially more secure set up that way. Its not the be-all and end-all of security, but no one thing ever is and it can be somewhat helpful in certain circumstances.
Understood and I wasn't making any claims that you were saying otherwise. I simply wanted to point out to anyone reading this thread that chroot is not a fool proof security tool. When I reply to a post in this type of sense, I'm not directing it at anyone, I'm speaking to potentially all members and guests on this site.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
