Weblog entry #1 for kroshka
(Quoting bind howto):
"The idea behind chroot is fairly simple. When you run BIND (or any other process) in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. For example, in this document, we'll set BIND up to run chrooted to the directory /chroot/named. Well, to BIND, the contents of this directory will appear to be /, the root directory. Nothing outside this directory will be accessible to it. You've probably encountered a chroot jail before, if you've ever ftped into a public system."
"The idea behind running BIND in a chroot jail is to limit the amount of access any malicious individual could gain by exploiting vulnerabilities in BIND. It is for the same reason that we run BIND as a non-root user."
You compile bind from source because a few things in the makefiles have to be changed before it will work inside the jail. As an added benefit you get the most recent security and bug fixes.
This howto is an adaptation specifically for Debian of the one here: http://en.tldp.org/HOWTO/Chroot-BIND8-HOWTO.html.
In this case the system is Debian sarge, but it should work on Etch and upwards. Please note this is specifically for bind8; it may work for bind9 with some adaptation. See: http://en.tldp.org/HOWTO/Chroot-BIND-HOWTO.html
On the server, become root and execute all these commands:
echo 'named:x:200:200:Nameserver:/chroot/named:/bin/false' >> /etc/passwd
echo 'named:x:200:' >> /etc/group
mkdir /chroot
mkdir /chroot/named
mkdir /chroot/named/bin
mkdir /chroot/named/dev
mkdir /chroot/named/etc
mkdir /chroot/named/lib
mkdir /chroot/named/var
mkdir /chroot/named/var/cache
mkdir /chroot/named/var/run
cp -pr /etc/bind/ /chroot/named/etc/
cd /chroot/named/etc
ln -s bind/named.conf .
cp -pr /var/cache/bind /chroot/named/var/cache/
chown -R named:named /chroot/named/var/cache/
chown named:named /chroot/named/var/run
cd /chroot/named/lib
cp -p /lib/libc-2.*.so .
ln -s libc-2.*.so libc.so.6
cp -p /lib/ld-2.*.so .
ln -s ld-2.*.so ld-linux.so.2
cp /sbin/ldconfig /chroot/named/bin/
chroot /chroot/named /bin/ldconfig -v
mknod /chroot/named/dev/null c 1 3
cp /etc/localtime /chroot/named/etc/
echo 'named:x:200:' > /chroot/named/etc/group
Edit sysklogd:
vim /etc/init.d/sysklogd
Change SYSLOGD="" into SYSLOGD="-a /chroot/named/dev/log"
Restart sysklogd:
/etc/init.d/sysklogd restart
Get bind: http://www.isc.org/bind.html
Untar the tarball.
Edit Makefile.set:
vim src/port/linux/Makefile.set
Change DESTRUN=/var/run to DESTRUN=/chroot/named/var/run
You also might like to change the pathnames to /usr/local
Edit named.h:
vim src/bin/named/named.h
Add #define _PATH_NDCSOCK "/var/run/ndc" right after #include "pathnames.h"
Execute:
cd src
make clean; make depend; make
cp bin/named/named /chroot/named/bin
cp bin/named-xfer/named-xfer /chroot/named/bin
To install, first remove bind and dnsutils:
apt-get remove bind
apt-get remove dnsutils
Then:
make install
To prevent the non-chroot named from being run, do this (use /usr/sbin/named if you didn't change the paths in Makefile.set):
chmod 000 /usr/local/sbin/named
Edit /etc/init.d/bind:
vim /etc/init.d/bind
Change OPTIONS="" to OPTIONS="-u named -g named -t /chroot/named"
Change each occurrence of --pidfile /var/run/named.pid to --pidfile /chroot/named/var/run/named.pid
Change the paths to the named binary from /usr/sbin/named to /chroot/named/bin/named
And if you changed /usr/xxx to /usr/local/xxx in Makefile.set:
Change test -x /usr/sbin/ndc || exit 0 to test -x /usr/local/sbin/ndc || exit 0
Change /usr/sbin/ndc reload to /usr/local/sbin/ndc reload
Edit named.conf.options:
vim /chroot/named/etc/bind/named.conf.options
Add these two directives:
pid-file "/var/run/named.pid";
named-xfer "/bin/named-xfer";
Execute:
/etc/init.d/bind restart
Check /var/log/daemon.log (or wherever your syslog writes daemon messages) to see if all went well...
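A sanity check for the jail layout built above, as an added example that is not part of the howto: it takes the jail directory as a parameter (assumed to be /chroot/named as used throughout), reports any of the entries the steps create that are missing, and flags absolute symlinks, which dangle once named has chrooted because they are then resolved relative to the jail root rather than the real /.

```sh
#!/bin/sh
# Added example: verify the /chroot/named layout from the howto before restarting bind.
# Usage: check_named_jail /chroot/named   (exit status 0 when everything is in place)

# Entries the howto creates. dev/log only appears after sysklogd was restarted with
# "-a /chroot/named/dev/log"; without it named runs but its log messages are lost.
JAIL_REQUIRED="bin/named bin/named-xfer dev/null dev/log etc/named.conf etc/localtime etc/group lib/libc.so.6 lib/ld-linux.so.2 var/run var/cache"

check_named_jail() {
    jail=$1
    problems=0
    for entry in $JAIL_REQUIRED; do
        # -e follows symlinks, so a dangling etc/named.conf link is reported as missing too
        if [ ! -e "$jail/$entry" ]; then
            echo "missing: $jail/$entry" >&2
            problems=$((problems + 1))
        fi
    done
    # Inside the chroot, /etc/bind/... means /chroot/named/etc/bind/...; an absolute link
    # created from outside therefore points at the wrong place. The howto uses relative
    # links (ln -s bind/named.conf .), so any absolute link is a mistake worth flagging.
    for link in $(find "$jail" -type l); do
        target=$(readlink "$link")
        case $target in
            /*) echo "absolute symlink, dangles inside the jail: $link -> $target" >&2
                problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}
```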
And enjoy...
Comments on this Entry
Bind9 has a superior security record, and a chroot system built into it.
Historically there was a performance advantage to BIND8 for heavily loaded sites, but I suspect this is long gone (with hyperthreading and such like, you'd have to do extra work to make BIND8 compete), and very few DNS servers are CPU bound.
BIND9 is also stricter about certain errors in zone files, but I see that as a bonus, you really don't want subtly broken DNS config files lurking.