Create "chroot jail" for bind

Posted by kroshka on Wed 18 Apr 2007 at 12:30

This article explains how to create a chroot jail for bind8. This makes bind oblivious to the rest of the filesystem beyond its chroot directory tree, which increases security: if a crack attempt against bind yields shell access, the attacker cannot get beyond the chroot environment.

(Quoting bind howto):
"The idea behind chroot is fairly simple. When you run BIND (or any other process) in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. For example, in this document, we'll set BIND up to run chrooted to the directory /chroot/named. Well, to BIND, the contents of this directory will appear to be /, the root directory. Nothing outside this directory will be accessible to it. You've probably encountered a chroot jail before, if you've ever ftped into a public system."

"The idea behind running BIND in a chroot jail is to limit the amount of access any malicious individual could gain by exploiting vulnerabilities in BIND. It is for the same reason that we run BIND as a non-root user."

The reason for compiling bind from source is that you need to change a few things in the makefiles for it to work inside the jail. As an added benefit, you get the most recent security and bug fixes.

This howto is an adaptation specifically for Debian of the one here: http://en.tldp.org/HOWTO/Chroot-BIND8-HOWTO.html.
In this case Debian sarge, but it should work on Etch and upwards. Please note this is specifically for bind8; it may work for bind9 with some adaptation. See: http://en.tldp.org/HOWTO/Chroot-BIND-HOWTO.html

On the server, become root and execute all these commands:

echo 'named:x:200:200:Nameserver:/chroot/named:/bin/false' >> /etc/passwd
echo 'named:x:200:' >> /etc/group
mkdir /chroot
mkdir /chroot/named
mkdir /chroot/named/bin
mkdir /chroot/named/dev
mkdir /chroot/named/etc
mkdir /chroot/named/lib
mkdir /chroot/named/var
mkdir /chroot/named/var/cache
mkdir /chroot/named/var/run
cp -pr /etc/bind/ /chroot/named/etc/
cd /chroot/named/etc
ln -s bind/named.conf .
cp -pr /var/cache/bind /chroot/named/var/cache/
chown -R named:named /chroot/named/var/cache/
chown named:named /chroot/named/var/run
cd /chroot/named/lib
cp -p /lib/libc-2.*.so .
ln -s libc-2.*.so libc.so.6
cp -p /lib/ld-2.*.so .
ln -s ld-2.*.so ld-linux.so.2
cp /sbin/ldconfig /chroot/named/bin/
chroot /chroot/named /bin/ldconfig -v
mknod /chroot/named/dev/null c 1 3
cp /etc/localtime /chroot/named/etc/
echo 'named:x:200:' > /chroot/named/etc/group
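As an added example that is not part of the original howto, the following shell script rebuilds the directory skeleton from the commands above and then checks the result the way you would want to before starting named: the required directories and /dev/null exist, every symlink resolves to something inside the jail when seen from the chrooted process (a relative link like the bind/named.conf one above is fine, but an absolute link copied in by cp -pr dangles once / means /chroot/named), and nothing in the tree is world-writable. The function names and the /chroot/named usage are this example's own assumptions; it only needs POSIX sh.

```shell
#!/bin/sh
# Added example: build and verify a chroot jail skeleton.  Helper names are
# hypothetical and not part of the original howto.  POSIX sh is enough.

# Directories the howto creates under the jail root.
JAIL_DIRS="bin dev etc lib var/cache var/run"

# jail_skeleton ROOT: create the directory layout with safe (755) permissions.
jail_skeleton() {
    root=$1
    for d in $JAIL_DIRS; do
        mkdir -p "$root/$d" && chmod 755 "$root/$d"
    done
}

# jail_norm ROOT PATH: normalise an absolute path as the *jailed* process sees
# it ("." dropped, ".." never climbs above the jail root) and print the host
# path it corresponds to.  Runs in a subshell so IFS and set -f do not leak.
jail_norm() (
    root=$1; out=""
    set -f; IFS=/
    for part in $2; do
        case $part in
            ''|.) ;;
            ..)   out=${out%/*} ;;      # "" stays "": cannot leave the jail
            *)    out="$out/$part" ;;
        esac
    done
    printf '%s\n' "$root$out"
)

# jail_link_target ROOT LINK: host path that the symlink LINK (a host path
# inside ROOT) points to from the jail's point of view.  Absolute targets are
# taken relative to ROOT, relative targets relative to the link's own
# directory.  Only one level is resolved; chains of links are not followed.
jail_link_target() {
    root=$1; link=$2
    target=$(readlink "$link")
    case $target in
        /*) jail_norm "$root" "$target" ;;
        *)  jail_norm "$root" "$(dirname "${link#"$root"}")/$target" ;;
    esac
}

# jail_check ROOT: print every problem found; return 0 only if none were.
jail_check() {
    root=$1; rc=0
    for d in $JAIL_DIRS; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; rc=1; }
    done
    [ -e "$root/dev/null" ] || { echo "missing device node: $root/dev/null"; rc=1; }
    # Every symlink must resolve to something that exists inside the jail.
    while IFS= read -r link; do
        [ -n "$link" ] || continue
        dest=$(jail_link_target "$root" "$link")
        [ -e "$dest" ] || { echo "dangling inside jail: $link -> $(readlink "$link")"; rc=1; }
    done <<EOF
$(find "$root" -type l)
EOF
    # Nothing in the jail should be world-writable (symlinks are always 0777,
    # so they are excluded from this test).
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        echo "world-writable: $f"; rc=1
    done <<EOF
$(find "$root" ! -type l -perm -002)
EOF
    return $rc
}

# Usage: sh jail-check.sh /chroot/named   (exit status 0 means no findings)
if [ $# -eq 1 ]; then
    jail_check "$1"
fi
```

Run it as root after the cp and chown steps and again after the named.conf edits; a dangling-link finding usually means a file under /etc/bind pointed at something that was never copied into the jail, which named will report as a missing file only once it is started chrooted.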

Edit sysklogd:

vim /etc/init.d/sysklogd
  Change SYSLOGD="" into SYSLOGD="-a /chroot/named/dev/log"

Restart sysklogd:

/etc/init.d/sysklogd restart

Get bind: http://www.isc.org/bind.html

Untar the tarball.

Edit Makefile.set:

vim src/port/linux/Makefile.set
  Change DESTRUN=/var/run to DESTRUN=/chroot/named/var/run
You might also like to change the pathnames to /usr/local.

Edit named.h:

vim src/bin/named/named.h
  Add #define _PATH_NDCSOCK "/var/run/ndc" right after #include "pathnames.h"

Execute:

cd src
make clean;make depend;make
cp bin/named/named /chroot/named/bin
cp bin/named-xfer/named-xfer /chroot/named/bin

To install, first remove bind and dnsutils:

apt-get remove bind
apt-get remove dnsutils

Then:

make install

To prevent the non-chrooted named from being run, do this (use /usr/sbin/named if you didn't change the paths in Makefile.set):

chmod 000 /usr/local/sbin/named

Edit /etc/init.d/bind:

vim /etc/init.d/bind
  Change OPTIONS="" to OPTIONS="-u named -g named -t /chroot/named"
  Change each occurrence of --pidfile /var/run/named.pid to --pidfile /chroot/named/var/run/named.pid
  Change paths to named this way /chroot/named/bin/named as opposed to /usr/sbin/named

  And if you changed /usr/xxx to /usr/local/xxx in Makefile.set:
    Change test -x /usr/sbin/ndc || exit 0 to test -x /usr/local/sbin/ndc || exit 0
    Change /usr/sbin/ndc reload to /usr/local/sbin/ndc reload

Edit named.conf.options:

vim /chroot/named/etc/bind/named.conf.options
  Add pid-file "/var/run/named.pid"; and named-xfer "/bin/named-xfer"; (these paths are as named sees them inside the jail, i.e. relative to /chroot/named)

Execute:

/etc/init.d/bind restart

Check /var/log/daemon.log to see if all went well...
And enjoy...

Posted by randallb (68.45.xx.xx) on Thu 19 Apr 2007 at 17:21
We run BIND 9 in a chroot from the Debian packages, no compiling necessary. Setting it up was pretty simple too. There's a howto at http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO.html

So unless you specifically need BIND 8 instead of 9, I would suggest anyone interested in chrooting BIND to use BIND 9 instead.


Posted by kroshka (66.252.xx.xx) on Thu 19 Apr 2007 at 19:01
I do agree. It's just that the servers here are running bind8 and I didn't feel like updating to bind9 (why fix something which isn't broken). Also bind8 sources are still being maintained.


Posted by Anonymous (213.211.xx.xx) on Thu 19 Apr 2007 at 21:26
You might want to consider using Jailkit to create the chroot jail. It has utilities that automate the process of creating a safe chroot jail. With a properly configured jailkit install you can do this whole process in just 3 commands. See http://olivier.sessink.nl/jailkit/


Posted by Anonymous (89.174.xx.xx) on Thu 19 Apr 2007 at 23:42
Hello

Thx kroshka, but what about this tutorial:

http://www.falkotimme.com/howtos/debian_bind_chroot

What do you think about this?
I've made a few servers according to the above link.

--
Best regards


Posted by Anonymous (66.252.xx.xx) on Sat 21 Apr 2007 at 02:24
Thanks for the pointer, I will check out jailkit.


Posted by yarikoptic (69.115.xx.xx) on Sat 21 Apr 2007 at 00:48

It is possible to escape chroot. You should better look at strengthened solutions (getting closer to virtualization) such as vserver.

There are vserver-enabled kernels within the standard Debian distribution, and there is vserver-debiantools, which will help you to bootstrap one in a matter of a single command line.

I myself run a few vservers on a single box -- 1 per service -- apache (still sarge), smtp (etch + bits from sid), mysql (still sarge), etc...


Posted by kroshka (66.252.xx.xx) on Sat 21 Apr 2007 at 02:26
[ Send Message | View Weblogs ]
Thanks for the information. I understand it is still possible to escape chroot, but at least it provides an extra hurdle. I'll certainly look into using a vserver.


Posted by Anonymous (213.211.xx.xx) on Sun 22 Apr 2007 at 20:49
Only processes that are not jailed correctly (for example they have file descriptors open to a directory outside of the jail) or processes that run as root can escape from a jail.

A tool like jk_chrootlaunch from Jailkit can do this for you: close all file descriptors, and change to a non-privileged user after the chroot but before starting the daemon.

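A live check of the two escape conditions named in the comment above (a descriptor or cwd outside the jail, or a process still running as root), as an added example that is neither part of that comment nor of Jailkit. It assumes a Linux /proc and the option string the article passes to named (-u named -t /chroot/named); the helper names are its own. The kernel reports the real path behind each descriptor of a chrooted process, so everything it has open should start with the jail root.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify that a running process is
# confined the way the comment above requires.  Needs Linux /proc.

# path_under PATH ROOT: true if PATH is ROOT itself or lies below it.
# Compares whole components, so /chroot/named2 is not "under" /chroot/named.
path_under() {
    p=$1; r=${2%/}                  # drop a trailing slash on the root
    [ "$r" = "" ] && return 0       # root "/" contains every absolute path
    [ "$p" = "$r" ] && return 0
    case $p in
        "$r"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# fd_is_path TARGET: readlink of /proc/PID/fd/N is a filesystem path only if it
# starts with "/"; "socket:[..]", "pipe:[..]" and "anon_inode:.." carry none.
fd_is_path() {
    case $1 in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# proc_jail_check PID ROOT: report every way PID could reach outside ROOT.
proc_jail_check() {
    pid=$1; root=$2; rc=0
    # 1. the process root must be the jail, i.e. the chroot really happened
    pr=$(readlink "/proc/$pid/root") || { echo "cannot read /proc/$pid/root"; return 1; }
    [ "$pr" = "$root" ] || { echo "root is $pr, not $root"; rc=1; }
    # 2. a root-owned process can chroot() out again, so -u must have taken effect
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    [ "$uid" != "0" ] || { echo "runs as uid 0"; rc=1; }
    # 3. neither the cwd nor any open descriptor may refer to a file outside
    for fd in "/proc/$pid/cwd" "/proc/$pid/fd"/*; do
        t=$(readlink "$fd" 2>/dev/null) || continue
        fd_is_path "$t" || continue
        t=${t%" (deleted)"}
        path_under "$t" "$root" || { echo "$fd -> $t escapes the jail"; rc=1; }
    done
    return $rc
}

# Usage: proc_jail_check "$(cat /chroot/named/var/run/named.pid)" /chroot/named
if [ $# -eq 2 ]; then
    proc_jail_check "$1" "$2"
fi
```

The pid file path is the host view of the pid-file setting from the article. A descriptor that shows up as a host path outside /chroot/named is typically one inherited from the init script (a log file or the terminal) rather than something named opened itself, which is exactly why the comment recommends closing descriptors before the exec.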

