[CentOS] Re: Re: Re: Re: Re: Re: What libs req'd to resolve DNS within a chroot jail?
Eric B.
ebenze at hotmail.com
Tue Jan 15 23:34:00 UTC 2008
>>>> Again, I have concerns that I might be missing something in
>>>> my chroot jail, but when I change my hosts.allow file to read
>>>> the following, it works fine.
>>>> in.tftpd: 192.168.3.103 : allow
>>>>
>>>> So I am utterly and totally confused. I keep thinking that
>>>> there must be something DNS related that I need in the chroot
>>>> jail that I am missing.
>>>> I do have a /chroot/tftpd/etc/resolv.conf with the nameserver
>>>> entry that points to the DNS server, and all files in my
>>>> /chroot/tftpd/etc dir are world readable. I also have a
>>>> /chroot/tftpd/etc/hosts file (that is pretty much empty -
>>>> just a line for 127.0.0.1).
>>>>
>>>> # ls -l /chroot/tftpd/etc
>>>> -rw-r--r-- 1 root root 148 Jan 14 17:53 hosts
>>>> -rw-r--r-- 1 root root 417 Jan 14 17:37 hosts.allow
>>>> -rw-r--r-- 1 root root 370 Jan 13 12:13 hosts.deny
>>>> -rw-r--r-- 1 root root 1267 Jan 12 21:43 localtime
>>>> -rw-r--r-- 1 root root 1686 Jan 12 15:50 nsswitch.conf
>>>> -rw-r--r-- 1 root root 86 Jan 14 17:52 resolv.conf
>>>> -rw-r--r-- 1 root root 20373 Jan 12 15:47 services
>>>>
>>>>
>>>> Is there anything else I need that I am missing? Either
>>>> config file or lib?
>>>>
>>>> Any suggestions of things I can try?
>>>>
>>>> Thanks,
>>>>
>>>> Eric
>>>>
>>> Something I found:
>>>
>>> 15.2.3.2. Access Control
>>>
>>> Option fields also allow administrators to explicitly allow or deny
>>> hosts in a single rule by adding the allow or deny directive as the
>>> final option.
>>>
>>> For instance, the following two rules allow SSH connections from
>>> client-1.example.com, but deny connections from client-2.example.com:
>>>
>>> sshd : client-1.example.com : allow
>>> sshd : client-2.example.com : deny
>>>
>>> By allowing access control on a per-rule basis, the option field allows
>>> administrators to consolidate all access rules into a single file:
>>> either hosts.allow or hosts.deny. Some consider this an easier way of
>>> organizing access rules.
>>>
>>> Conceivably, you could put all rules into one file (hosts.allow maybe).
>>> See if that helps..
>>
>> Just tried putting everything in the hosts.allow but didn't make any
>> difference. Tried also in the hosts.deny but no success either.
>>
>> Where did you find that reference? What does 15.2.3.2 point to?
>>
>> Any other ideas / theories?
>>
> - make sure tftpd is really using the in.tftpd name (you said it works
> with IPs?)
Yes. It works with the IPs, so I am somewhat sure that the daemon name in
hosts.allow/deny is right and that I am editing the correct hosts.allow/deny
files. When I change the IP in those files, I get the responses that I
expect (either access allowed or denied).
> - make sure it does resolve the IP correctly. I have no idea how you could
> test this.
Me neither. That's the problem. I have no idea how I can test that the
daemon is resolving it properly.
> but what is the benefit in managing the zone file instead of hosts.*? I
> mean, since you put the IP in the DNS zone file, why not put it in
> hosts.*?
Looks like I prob. won't have a choice after all. But was originally
thinking that it would be neater and easier to read by having FQDNs in the hosts.*
file. Plus, it also means I only need to update things in one place (DNS)
if/when my server changes IPs.... Like this I would need to update DNS and
remember to update my hosts.* files....
Tx,
Eric
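The thread's open question is how to tell whether the daemon is resolving the client's address at all. The following is an added illustration, not code from the thread or from tcp_wrappers: a small model of hosts.allow/hosts.deny matching with the resolver injected as a function, so the same rules can be evaluated against a working resolver and against one that fails every lookup (what a chrooted daemon sees when the jail lacks the resolver configuration or NSS libraries). The rule syntax, the sample client address and the DNS data are constructed from the examples in the thread; the double-reverse check (reverse-map the address, then require the name to map forward to that same address, otherwise treat the client as having no hostname) mirrors libwrap's behaviour but is written here from scratch.

```python
"""Model of tcp_wrappers-style hosts.allow / hosts.deny evaluation.

Added example (not the tcp_wrappers source).  It shows why a rule written
with a hostname silently stops matching when the daemon cannot resolve the
client address, while a rule written with the address keeps working.
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: allow|deny]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        action = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern, ip, hostname):
    """Match one client pattern; hostname is None when resolution failed."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):        # domain suffix, e.g. ".example.com"
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):          # address prefix, e.g. "192.168.3."
        return ip.startswith(pattern)
    if pattern == ip:                  # literal address
        return True
    return hostname is not None and hostname == pattern  # literal hostname


def resolve_client(ip, reverse, forward):
    """Reverse-map the address, then insist the name maps back to it.

    If either step fails the client gets no hostname, and from then on only
    address patterns can match it.
    """
    name = reverse(ip)
    if name is None or ip not in forward(name):
        return None
    return name.lower()


def check_access(daemon, ip, allow_text, deny_text, reverse, forward):
    """hosts.allow is consulted first, then hosts.deny; no match => allowed.
    A trailing 'allow'/'deny' option overrides which file the rule lives in."""
    hostname = resolve_client(ip, reverse, forward)
    for table, default in ((allow_text, True), (deny_text, False)):
        for daemons, clients, action in parse_rules(table):
            if not any(d.lower() in ("all", daemon.lower()) for d in daemons):
                continue
            if not any(client_matches(c, ip, hostname) for c in clients):
                continue
            if action in ("allow", "deny"):
                return action == "allow"
            return default
    return True


# Constructed DNS data: what a working resolver would answer.
PTR = {"192.168.3.103": "client-1.example.com",
       "192.168.3.200": "client-1.example.com"}   # PTR that does not map back
A = {"client-1.example.com": {"192.168.3.103"}}


def working_reverse(ip):
    return PTR.get(ip)


def working_forward(name):
    return A.get(name.lower(), set())


# A daemon chrooted without resolv.conf / nsswitch.conf or the NSS and
# resolver libraries behaves like this: every lookup fails.
def broken_reverse(ip):
    return None


def broken_forward(name):
    return set()


BY_NAME = "in.tftpd: client-1.example.com : allow\n"
BY_IP = "in.tftpd: 192.168.3.103 : allow\n"
DENY_ALL = "in.tftpd: ALL : deny\n"


def demo(ip="192.168.3.103"):
    """Evaluate the same client against name and address rules, with and
    without a working resolver.  Returns a dict of outcomes."""
    return {
        "name_rule_working_resolver":
            check_access("in.tftpd", ip, BY_NAME, DENY_ALL, working_reverse, working_forward),
        "name_rule_broken_resolver":
            check_access("in.tftpd", ip, BY_NAME, DENY_ALL, broken_reverse, broken_forward),
        "ip_rule_broken_resolver":
            check_access("in.tftpd", ip, BY_IP, DENY_ALL, broken_reverse, broken_forward),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Run as a script it prints the three outcomes for 192.168.3.103: the hostname rule admits the client only when the resolver works, and the address rule admits it either way, which is exactly the symptom described in the thread. The second PTR entry (192.168.3.200) is there to show the other half of the check: a reverse record that does not map forward to the same address is ignored, so a name-based rule never matches it.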