UNBOUND on Solaris 10

During my installation of UNBOUND on Solaris 10 I must make sure unbound can access entropy from inside the chroot.

On Linux this is very simple by using:

mount --bind -n /dev/random /etc/unbound/dev/random
mount --bind -n /dev/log /etc/unbound/dev/log

How may I do this on Solaris 10, as I don’t see that Solaris 10 has the --bind option to mount?

Carl

Moin!

> During my installation of UNBOUND on Solaris 10 I must make sure unbound
> can access entropy from inside the chroot.
>
> On Linux this is very simple by using:
>
> mount --bind -n /dev/random /etc/unbound/dev/random
> mount --bind -n /dev/log /etc/unbound/dev/log
>
> How may I do this on Solaris 10, as I don’t see that Solaris 10 has the --bind option to mount?

Hmm, as /dev/random is just a character device, mknod should do. Check the major and minor numbers before doing this:

$ ls -l /devices/pseudo/random@0:random
crw-r--r-- 1 root sys 149, 0 Jun 5 2008 /devices/pseudo/random@0:random
$ ls -l /devices/pseudo/log@0:log
crw-r----- 1 root sys 21, 5 Jun 5 2008 /devices/pseudo/log@0:log
# mknod /etc/unbound/dev/random c 149 0
# mknod /etc/unbound/dev/log c 21 5

I haven't done this though, because I found it much more convenient to use the other Solaris security features to secure DNS servers. E.g. running unbound in a Solaris zone which mounts all binaries and libraries read-only, or allowing the user that runs the DNS server to bind to port 53, which allows it to run without ever becoming root.

http://mediacast.sun.com/users/Darren.Moffat/media/solaris10-security.pdf still gives a nice intro to this.

So long
-Ralf

Hi Carl,

It looks like you need to mknod the device specials that you need.

# ls -lL /dev/log
crw-r----- 1 root sys 21, 5 Jun 9 14:46 /dev/log
# mknod /mychroot/dev/log c 21 5

Although the ln manual page says it can also hardlink special files, in
which case a simple hardlink ln command may also work.

On my Solaris 11 system /dev/random is
crw-r--r-- 1 root sys 190, 0 Dec 5 22:08 /dev/random
# mknod /mychroot/dev/random c 190 0

Best regards,
   Wouter
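
The major/minor lookup described in the two replies above, as an added example that is not part of the original thread: a POSIX sh helper that turns an `ls -lL` device line into the matching mknod command and checks a chroot node against the real device. The function names are hypothetical; the first two sample lines reuse the ls output quoted above, and the chroot line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): helper names are hypothetical.

# dev_numbers LINE: print "type major minor" for one `ls -lL` device line.
# Fails for anything that is not a character or block device entry.
dev_numbers() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[cb]/ {
            # Field 5 is "major," or "major,minor" when printed without a space.
            n = split($5, p, ",")
            if (n == 2 && p[1] ~ /^[0-9]+$/) {
                minor = (p[2] != "") ? p[2] : $6
                if (minor ~ /^[0-9]+$/) {
                    print substr($1, 1, 1), p[1], minor
                    ok = 1
                }
            }
        }
        END { exit !ok }'
}

# mknod_cmd LINE TARGET: print the mknod command that recreates the device
# described by LINE at TARGET (it only prints; run the result as root).
mknod_cmd() {
    nums=$(dev_numbers "$1") || { echo "not a device entry" >&2; return 1; }
    set -- $nums "$2"
    printf 'mknod %s %s %s %s\n' "$4" "$1" "$2" "$3"
}

# same_device LINE_A LINE_B: succeed only if type, major and minor all match.
same_device() {
    a=$(dev_numbers "$1") && b=$(dev_numbers "$2") && [ "$a" = "$b" ]
}

# Sample input: the first two lines are the ls output quoted in the thread;
# the chroot line is constructed to show a mistyped major number.
real_random='crw-r--r-- 1 root sys 149, 0 Jun 5 2008 /devices/pseudo/random@0:random'
real_log='crw-r----- 1 root sys 21, 5 Jun 5 2008 /devices/pseudo/log@0:log'
chroot_random='crw-r--r-- 1 root sys 140, 0 Jun 9 2011 /etc/unbound/dev/random'

mknod_cmd "$real_random" /etc/unbound/dev/random
mknod_cmd "$real_log" /etc/unbound/dev/log
if ! same_device "$real_random" "$chroot_random"; then
    echo "chroot random node does not match the real device" >&2
fi
```

On a live system, pass the output of `ls -lL /dev/random` and of `ls -l` on the chroot node instead of the sample strings.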

Carl Williams wrote:

Hi Wouter,

Thanks for your response. I am running Solaris 10 with Zones.
My Unbound is on its own Zone so "mknod" will not work on Solaris Zones.

Carl

Hi Carl,

You might be able to allow the device with zonecfg,
but I think Solaris zones make chroot unnecessary.
(like what Ralf Weber is saying)

chroot: ""
turns off the chroot.

Best regards,
   Wouter
