Weblog entry #1 for kroshka
(Quoting bind howto):
"The idea behind chroot is fairly simple. When you run BIND (or any other process) in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. For example, in this document, we'll set BIND up to run chrooted to the directory /chroot/named. Well, to BIND, the contents of this directory will appear to be /, the root directory. Nothing outside this directory will be accessible to it. You've probably encountered a chroot jail before, if you've ever ftped into a public system."
"The idea behind running BIND in a chroot jail is to limit the amount of access any malicious individual could gain by exploiting vulnerabilities in BIND. It is for the same reason that we run BIND as a non-root user."
You need to compile bind from source because a few things in the makefiles have to be changed for it to work inside the jail. As an added benefit you get the most recent security and bug fixes.
This howto is an adaptation specifically for Debian of the one here: http://en.tldp.org/HOWTO/Chroot-BIND8-HOWTO.html.
This was done on Debian sarge, but it should work on Etch and upwards. Please note this is specifically for bind8; it may work for bind9 with some adaptation. See: http://en.tldp.org/HOWTO/Chroot-BIND-HOWTO.html
On the server, become root and execute all these commands:
echo 'named:x:200:200:Nameserver:/chroot/named:/bin/false' >> /etc/passwd
echo 'named:x:200:' >> /etc/group
mkdir /chroot
mkdir /chroot/named
mkdir /chroot/named/bin
mkdir /chroot/named/dev
mkdir /chroot/named/etc
mkdir /chroot/named/lib
mkdir /chroot/named/var
mkdir /chroot/named/var/cache
mkdir /chroot/named/var/run
cp -pr /etc/bind/ /chroot/named/etc/
cd /chroot/named/etc
ln -s bind/named.conf .
cp -pr /var/cache/bind /chroot/named/var/cache/
chown -R named:named /chroot/named/var/cache/
chown named:named /chroot/named/var/run
cd /chroot/named/lib
cp -p /lib/libc-2.*.so .
ln -s libc-2.*.so libc.so.6
cp -p /lib/ld-2.*.so .
ln -s ld-2.*.so ld-linux.so.2
cp /sbin/ldconfig /chroot/named/bin/
chroot /chroot/named /bin/ldconfig -v
mknod /chroot/named/dev/null c 1 3
cp /etc/localtime /chroot/named/etc/
echo 'named:x:200:' > /chroot/named/etc/group
vim /etc/init.d/sysklogd
Change SYSLOGD="" into SYSLOGD="-a /chroot/named/dev/log"
/etc/init.d/sysklogd restart
Get bind: http://www.isc.org/bind.html
vim src/port/linux/Makefile.set
Change DESTRUN=/var/run to DESTRUN=/chroot/named/var/run
You also might like to change the pathnames to /usr/local.
Edit named.h:
vim src/bin/named/named.h
Add #define _PATH_NDCSOCK "/var/run/ndc" right after #include "pathnames.h"
cd src
make clean; make depend; make
cp bin/named/named /chroot/named/bin
cp bin/named-xfer/named-xfer /chroot/named/bin
To install, first remove bind and dnsutils:
apt-get remove bind
apt-get remove dnsutils
To prevent the non-chrooted named from being run, do (use /usr/sbin/named if you didn't change the paths in Makefile.set):
chmod 000 /usr/local/sbin/named
vim /etc/init.d/bind
Change OPTIONS="" to OPTIONS="-u named -g named -t /chroot/named"
Change each occurrence of --pidfile /var/run/named.pid to --pidfile /chroot/named/var/run/named.pid
Change the paths to named from /usr/sbin/named to /chroot/named/bin/named
And if you changed /usr/xxx to /usr/local/xxx in Makefile.set:
Change test -x /usr/sbin/ndc || exit 0 to test -x /usr/local/sbin/ndc || exit 0
Change /usr/sbin/ndc reload to /usr/local/sbin/ndc reload
vim /chroot/named/etc/bind/named.conf.options
Add these two lines inside the options block:
pid-file "/var/run/named.pid";
named-xfer "/bin/named-xfer";
Execute:
/etc/init.d/bind restart
Check /var/log/daemon.log or similar to see if all went well...
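As an added example (not part of the original howto), here is a small POSIX sh audit script that checks the finished jail for the properties the steps above are meant to establish: the directory layout exists, named can only write under var/cache and var/run, nothing set-id lives inside the jail, the unjailed binary is still mode 000, the devices are present, and the running named really has /chroot/named as its root and runs as user named. It assumes the layout used above, the user name named, and GNU stat and procps ps (both present on Debian). Run it as root on the server, e.g. sh audit-named-jail.sh /chroot/named.

```shell
#!/bin/sh
# Audit a BIND 8 chroot jail built as in the howto above.
# Added example, not from the howto. Assumes: jail root given as $1 with
# bin dev etc lib var/cache var/run beneath it, daemon user "named",
# GNU stat and procps ps.

# Every directory the jail needs must exist under the jail root $1.
check_layout() {
    rc=0
    for d in bin dev etc lib var/cache var/run; do
        [ -d "$1/$d" ] || { echo "missing directory: $1/$d"; rc=1; }
    done
    return $rc
}

# The only places named may write are var/cache (zone transfers, dumps)
# and var/run (pid file, ndc socket). Anything else that is group- or
# world-writable widens what an exploited named could alter.
check_writable() {
    bad=$(find "$1" \( -path "$1/var/cache" -o -path "$1/var/run" \) -prune \
          -o \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] || { echo "writable outside var/cache and var/run:"; echo "$bad"; return 1; }
}

# A setuid/setgid file inside the jail would undo the point of the jail.
check_setid() {
    bad=$(find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print)
    [ -z "$bad" ] || { echo "set-id files in jail:"; echo "$bad"; return 1; }
}

# The howto does chmod 000 on the unjailed binary; confirm nobody reverted it.
# Succeeds if the file is absent or has no permission bits at all.
check_disabled() {
    [ ! -e "$1" ] && return 0
    [ "$(stat -c %a "$1")" = "0" ] || { echo "$1 still has mode $(stat -c %a "$1")"; return 1; }
}

# Devices the jailed named needs: /dev/null (character device) and the
# syslog socket /dev/log that syslogd's -a option creates.
check_devices() {
    rc=0
    [ -c "$1/dev/null" ] || { echo "$1/dev/null is not a character device"; rc=1; }
    [ -S "$1/dev/log" ]  || { echo "$1/dev/log socket missing (syslogd -a not active?)"; rc=1; }
    return $rc
}

# Is the running named really jailed and unprivileged? Reads the pid file
# the init script now points at and inspects /proc.
check_process() {
    pidfile=$1/var/run/named.pid
    [ -r "$pidfile" ] || { echo "no pid file at $pidfile"; return 1; }
    pid=$(cat "$pidfile")
    root=$(readlink "/proc/$pid/root" 2>/dev/null) || { echo "pid $pid not running"; return 1; }
    user=$(ps -o user= -p "$pid" | tr -d ' ')
    rc=0
    [ "$root" = "$1" ]    || { echo "pid $pid has root $root, not $1"; rc=1; }
    [ "$user" = "named" ] || { echo "pid $pid runs as $user, not named"; rc=1; }
    return $rc
}

# Run every check against jail root $1; non-zero exit if any check failed.
audit() {
    rc=0
    for c in check_layout check_writable check_setid check_devices check_process; do
        $c "$1" || rc=1
    done
    check_disabled /usr/local/sbin/named || rc=1
    check_disabled /usr/sbin/named || rc=1
    [ $rc -eq 0 ] && echo "jail $1 looks sane"
    return $rc
}

if [ $# -gt 0 ]; then
    audit "$1"
fi
```

The checks are deliberately separate functions so that a single failing one (say, dev/log missing because sysklogd was not restarted) is reported by name; the script exits non-zero if any check fails, so it can be run from cron after package upgrades, which are the usual way a hand-built jail quietly drifts.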