Eric B.
2008-Jan-14 03:26 UTC
[CentOS] What libs req'd to resolve DNS within a chroot jail?
Hi,

I've been working at getting a tftp server up and running in a chroot jail, and I have finally succeeded in getting almost everything working. The server itself works fine; however, it is implemented as a tcpwrapper application (ie: in.tftpd) and I am having trouble getting it to resolve DNS names. I copied my /etc/hosts.allow and /etc/hosts.deny into my chroot/etc folder; however, they only work properly if I provide IP addresses. If I use FQDNs, they fail.

For instance, in hosts.allow:

    in.tftpd: 192.168.1.101 allow

works fine.

But the following fails:

    in.tftpd: eric.test.com allow

I'm assuming I am missing a library/libraries in my chroot jail, but am not sure which ones. I've got all the libs req'd by ldd, but I am guessing there is something else that I am missing.

Any suggestions?

Thanks!

Eric
Eric B.
2008-Jan-14 17:54 UTC
[CentOS] Re: What libs req'd to resolve DNS within a chroot jail?
> > I've been working at getting a tftp server up and running in a
> > chroot jail, and I have finally succeeded in getting almost everything
> > working. The server itself works fine; however, it is implemented
> > as a tcpwrapper application (ie: in.tftpd) and I am having trouble
> > getting it to resolve DNS names. I copied my /etc/hosts.allow and
> > /etc/hosts.deny into my chroot/etc folder; however, they only work
> > properly if I provide IP addresses. If I use FQDNs, they fail.
> >
> > For instance, in hosts.allow:
> >     in.tftpd: 192.168.1.101 allow
> >
> > works fine.
> >
> > But the following fails:
> >     in.tftpd: eric.test.com allow
> >
> > I'm assuming I am missing a library/libraries in my chroot jail,
> > but am not sure which ones. I've got all the libs req'd by ldd,
> > but I am guessing there is something else that I am missing.
>
> ---------- End Original Message ----------
>
> from a security standpoint i don't think you want to control access
> by fqdn.
> the name being given access is based on the inverse-map lookup
> (in-addr.arpa) on the inbound ipnumber - not the forward lookup. so,
> this isn't controlled by the keepers of the "test.com" zone; rather,
> anyone can set up "eric.test.com" as an inverse entry for an ipnumber
> for which they control the in-addr.arpa records.
>
> i.e., putting an fqdn in the hosts.allow file only gives security by
> obscurity. if someone figures out the fqdns that you're giving access
> to, and has control of the in-addr.arpa for an ipnumber range they
> can connect from, they can gain access to your system.
>
> - Rick

Thanks for the feedback, Rick. I didn't realize that security implication. However, I'm already running this on a machine that is heavily firewalled on a VPN, so I am fairly sure that no one will be accessing this externally, but I still would like to restrict access to particular machines. Ideally, I would rather use FQDNs to make life easier for me to administer.
I have created my additional reverse-DNS pointer, but I am still having problems with it. nslookup from the server gives me:

    # nslookup 192.168.3.103
    Server:         192.168.1.67
    Address:        192.168.1.67#53

    103.3.168.192.in-addr.arpa      name = eric.test.com.3.168.192.in-addr.arpa.

However, when I try to connect to the tftp server, my connection is still refused, and I get the following in the log msgs:

    Jan 14 12:49:19 apollo atftpd[15302]: Connection refused from 192.168.103.103

I am obviously still doing something incorrect, but not sure what. Can you help point me in the right direction please? Is my reverse DNS incorrectly set up?

Thanks,

Eric
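As an added illustration of Rick's point and of the nslookup output above (example code written for this page, not code from the thread or from tcp_wrappers; the DNS tables are constructed stand-ins), here is a small Python model of the forward-confirmed reverse lookup that libwrap performs before a hostname pattern in hosts.allow can match. A PTR that the forward zone does not confirm, or one that came out relative to the reverse zone because the zone file lacked a trailing dot, yields no hostname and so never matches a name pattern.

```python
from typing import Optional, Tuple

# Constructed stand-in for DNS (not real records). PTR answers are keyed by
# in-addr.arpa name, A answers by hostname; values mirror the thread's nslookup.
PTR = {
    # Correct record: the PTR target was written with a trailing dot.
    "101.1.168.192.in-addr.arpa.": "eric.test.com.",
    # The thread's broken record: no trailing dot, so the name server appended
    # the zone origin and the target became relative to the reverse zone.
    "103.3.168.192.in-addr.arpa.": "eric.test.com.3.168.192.in-addr.arpa.",
    # A reverse zone outside test.com's control that claims the trusted name
    # (Rick's point): whoever runs the in-addr.arpa zone chooses the PTR.
    "5.0.0.10.in-addr.arpa.": "eric.test.com.",
}
A = {"eric.test.com.": {"192.168.1.101"}}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name that a PTR query for an IPv4 address uses."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def fcrdns(ip: str) -> Tuple[Optional[str], str]:
    """Forward-confirmed reverse lookup: return (hostname, verdict).
    A hostname is returned only when the PTR target's A record points back at
    the client IP; otherwise the client is treated as unnamed, as libwrap does,
    so a hostname pattern in hosts.allow cannot match it."""
    ptr = PTR.get(reverse_name(ip))
    if ptr is None:
        return None, "no PTR record"
    if ptr.endswith(".in-addr.arpa."):
        return None, "PTR target is relative to the reverse zone (missing trailing dot)"
    if ip not in A.get(ptr, set()):
        return None, "forward lookup of PTR target does not return the client IP"
    return ptr.rstrip("."), "verified"


def hosts_allow_matches(ip: str, pattern: str) -> bool:
    """Match one hosts.allow client pattern: a literal IP, or a verified name."""
    if pattern == ip:
        return True
    name, _ = fcrdns(ip)
    return name is not None and name == pattern


if __name__ == "__main__":
    for client in ("192.168.1.101", "192.168.3.103", "10.0.0.5"):
        print(client, hosts_allow_matches(client, "eric.test.com"), fcrdns(client)[1])
```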