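I found that Red Hat Linux Advanced Server 4 ships a bind-chroot package, which apparently makes bind9 run inside a chroot.
So how do you tell whether bind9 is actually working inside the chroot?
Back when I used bind9 on Debian for DNS I asked the same question, and there did not seem to be an answer.
I searched again and found nothing new. Going through my old notes, I found that I had recorded this passage:
# (Note: I can no longer open that web page...)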
use lsof
# lsof -p [pid number of bind process]
check:
- if the loaded libraries are in the chroot (by checking the path and/or
the inode)
- if std in/out and err are connected inside the chroot to /dev/null
- there is only one socket to syslog (in the real world)
> OK, I was going to set up bind 9 on Woody and saw a note in the init.d file
> about options for a chroot jail. TFM said you didn't need the shared
> libraries, but didn't say exactly what you _did_ need. Anybody got a
> manifest/script/whathaveyou for setting this up? I could figure it out the
> hard way, but... :)
Run named under strace and see which files it opens, stats, etc:
strace -f /usr/sbin/named 2>&1 | grep 'open|stats|....'
Make sure you have those. Also check which files are in use by
it with 'lsof -p process_id' and 'ldd /usr/sbin/named' to see
the shared libs needed, etc. Check the files compiled into the
binary itself with 'strings /usr/sbin/named | grep /'
And then, when you're tired of all this, install DJBDNS instead. ;-)
####################################################################################
Find the process ID of named
# ps -fCnamed
UID PID PPID C STIME TTY TIME CMD
named 1729 1 0 Nov27 ? 00:00:04 /usr/sbin/named -u named -t /var/named/chroot
The root directory of that PID
# ls -l /proc/1729/root
lrwxrwxrwx 1 named named 0 Nov 29 10:21 /proc/1729/root -> /var/named/chroot
# ls -l /proc/1729/root/
total 24
drwxr-xr-- 2 root named 4096 Nov 1 05:30 dev
drwxr-x--- 2 root named 4096 Nov 1 05:30 etc
dr-xr-xr-x 157 root root 0 Nov 27 07:32 proc
drwxr-x--- 5 root named 4096 Nov 1 05:30 var
See that? bind9's chroot is /var/named/chroot, and under its root are dev, etc, proc and var, the usual,
very familiar directories...
# lsof -p 1729
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 1729 named cwd DIR 8,5 4096 2916360 /var/named/chroot/var/named
named 1729 named rtd DIR 8,5 4096 2916356 /var/named/chroot
named 1729 named txt REG 8,2 287084 764733 /usr/sbin/named
named 1729 named mem REG 8,2 97120 1192403 /lib/libnsl-2.3.4.so
named 1729 named mem REG 8,2 107800 1192395 /lib/tls/libpthread-2.3.4.so
named 1729 named mem REG 8,2 82944 764756 /usr/lib/libgssapi_krb5.so.2.2
named 1729 named mem REG 8,2 63624 764741 /usr/lib/libz.so.1.2.1.2
named 1729 named mem REG 8,2 7004 1192400 /lib/libcom_err.so.2.1
named 1729 named mem REG 8,2 81120 1192397 /lib/libresolv-2.3.4.so
named 1729 named mem REG 8,2 47404 1191410 /lib/libnss_files-2.3.4.so
named 1729 named mem REG 8,2 16732 1192394 /lib/libdl-2.3.4.so
named 1729 named mem REG 8,2 25460 758093 /usr/lib/libisccc.so.0.1.0
named 1729 named mem REG 8,2 1529008 1192392 /lib/tls/libc-2.3.4.so
named 1729 named mem REG 8,2 57252 758097 /usr/lib/libisccfg.so.0.0.11
named 1729 named mem REG 8,2 59684 758101 /usr/lib/liblwres.so.1.1.2
named 1729 named mem REG 8,2 941024 1192401 /lib/libcrypto.so.0.9.7a
named 1729 named mem REG 8,2 112168 1192347 /lib/ld-2.3.4.so
named 1729 named mem REG 8,2 415188 764755 /usr/lib/libkrb5.so.3.2
named 1729 named mem REG 8,2 136016 761815 /usr/lib/libk5crypto.so.3.0
named 1729 named mem REG 8,2 1055504 758085 /usr/lib/libdns.so.16.0.0
named 1729 named mem REG 8,2 224764 758089 /usr/lib/libisc.so.7.1.5
named 1729 named 0u CHR 1,3 2494 /dev/null
named 1729 named 1u CHR 1,3 2494 /dev/null
named 1729 named 2u CHR 1,3 2494 /dev/null
named 1729 named 3u unix 0xec796880 313580 socket
named 1729 named 4u CHR 1,3 2494 /dev/null
named 1729 named 5r FIFO 0,7 313587 pipe
named 1729 named 7w FIFO 0,7 313587 pipe
named 1729 named 8r CHR 1,8 2916369 /var/named/chroot/dev/random
named 1729 named 20u IPv4 313593 UDP localhost.localdomain:domain
named 1729 named 21u IPv4 313594 TCP localhost.localdomain:domain (LISTEN)
named 1729 named 22u IPv4 313595 UDP mail.xxxer.com:domain
named 1729 named 23u IPv4 313596 TCP mail.xxxer.com:domain (LISTEN)
named 1729 named 24u IPv4 313597 UDP *:32964
named 1729 named 25u IPv6 313598 UDP *:32965
named 1729 named 26u IPv4 313599 TCP localhost.localdomain:rndc (LISTEN)
Compare this with the output of ldd:
#ldd /usr/sbin/named
liblwres.so.1 => /usr/lib/liblwres.so.1 (0x00da7000)
libdns.so.16 => /usr/lib/libdns.so.16 (0x00846000)
libisccfg.so.0 => /usr/lib/libisccfg.so.0 (0x00cee000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x00230000)
libisccc.so.0 => /usr/lib/libisccc.so.0 (0x00726000)
libisc.so.7 => /usr/lib/libisc.so.7 (0x00c66000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00324000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00f19000)
libc.so.6 => /lib/tls/libc.so.6 (0x0033a000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x001b0000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00111000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00bb7000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00d6f000)
libresolv.so.2 => /lib/libresolv.so.2 (0x005ab000)
libdl.so.2 => /lib/libdl.so.2 (0x00c44000)
libz.so.1 => /usr/lib/libz.so.1 (0x00176000)
/lib/ld-linux.so.2 (0x00498000)
Then run strace -f /usr/sbin/named and take a look.
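The two checks used above (the /proc/<pid>/root link and the rtd line of lsof), wrapped in a small script as an added example that is not part of the original post. The function names are hypothetical, the optional PROCDIR argument exists only so the check can be pointed at a constructed /proc tree, and the sample lines are a trimmed copy of the lsof output shown above.

```shell
#!/bin/sh
# Added example; helper names are hypothetical.

# proc_root PID [PROCDIR]: print the target of the process's root link.
proc_root() {
    readlink "${2:-/proc}/$1/root"
}

# is_chrooted PID [PROCDIR]: status 0 if the root is not "/", 1 if it is "/",
# 2 if the link cannot be read (no such PID or insufficient privileges).
is_chrooted() {
    r=$(proc_root "$1" "${2:-/proc}") || return 2
    [ "$r" != "/" ]
}

# lsof_summary: read `lsof -p PID` output on stdin. Take the root from the
# "rtd" line, then count path-named entries (cwd and rtd excluded) that lie
# under that root versus outside it. The counts only mean something when the
# root is not "/".
lsof_summary() {
    awk '
    $4 == "rtd" { root = $NF }
    $4 != "rtd" && $4 != "cwd" && $NF ~ /^\// { names[++n] = $NF }
    END {
        for (i = 1; i <= n; i++) {
            if (root != "/" && index(names[i], root "/") == 1) inside++
            else outside++
        }
        printf "root=%s inside=%d outside=%d\n", root, inside, outside
    }'
}

# Sample input: lines trimmed from the lsof output shown on this page.
sample_lsof() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 1729 named cwd DIR 8,5 4096 2916360 /var/named/chroot/var/named
named 1729 named rtd DIR 8,5 4096 2916356 /var/named/chroot
named 1729 named txt REG 8,2 287084 764733 /usr/sbin/named
named 1729 named mem REG 8,2 1529008 1192392 /lib/tls/libc-2.3.4.so
named 1729 named 0u CHR 1,3 2494 /dev/null
named 1729 named 3u unix 0xec796880 313580 socket
named 1729 named 8r CHR 1,8 2916369 /var/named/chroot/dev/random
named 1729 named 21u IPv4 313594 TCP localhost.localdomain:domain (LISTEN)
EOF
}

# Run against a live process when a PID is given on the command line.
if [ -n "${1:-}" ]; then
    echo "root of PID $1: $(proc_root "$1")"
    lsof -p "$1" | lsof_summary
fi
```

Reading /proc/<pid>/root for a process owned by another user requires root. On the sample, only /dev/random falls under the chroot; the binary, the library and /dev/null are all reported with paths outside /var/named/chroot.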