Re: chroot bind?

To: debian-devel@lists.debian.org
Subject: Re: chroot bind?
From: Ethan Benson <erbenson@alaska.net>
Date: Sun, 22 Apr 2001 03:14:19 -0800
Message-id: <[🔎] 20010422031419.A17286@plato.local.lan>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20010422205044.A29346@thunder.kiwa.co.nz>; from nic@plumtree.co.nz on Sun, Apr 22, 2001 at 08:50:45PM +1200
References: <[🔎] 20010421221753.A2776@insomia17> <[🔎] Pine.LNX.4.32.0104211748450.10711-100000@jyoti.braincells.com> <[🔎] 20010422205044.A29346@thunder.kiwa.co.nz>

On Sun, Apr 22, 2001 at 08:50:45PM +1200, nic@plumtree.co.nz wrote:
> 
> 
> Just two questions:
> 
> i) Is there any reason why you decided to include the named binaries in
> the chroot?  

you have to have at least named-xfer.  

> There is no need for them to be there, since named does the chroot
> internal.  In fact this might represent a security hole.

yes there is.  

> Consider some manages to break named and get access to the chroot
> enviroment.  The manage to upload a trojaned vesion of the named binary
> somehow.  The server boots and the system is wide open.  

not if you setup the chroot jail with correct permissions.  ie NOT
chown -R named.named /var/named.  the ONLY part of the chroot jail
that should be writable by named is var/tmp and var/cache/bind (and i
think var/run has to be too).  everything else including the config
files, and binaries/libraries and the directories they live in should
be owned by root and readonly to all others.

> This _might_ create a false sense of security.  

chroot isn't a panacea but it certainly is an improvment.  

> 
> If chroot chroot ;) was used (from an external location to the chroot) or
> named was called say from '/use/sbin/named -t /var/secure-bind' then of
> course this is not an issue.  Since the binary that creates the chroot
> is not in the chroot itself.

the way i do it is the initscript replaces the binaries in the chroot
jail before starting them, this way the mainline bind package can
get upgraded to fix a security hole and the chroot is upgraded
automatically.  the binaries in the chroot jail are only writable by
root, and of course named does not run as root.  (chrooted named
running as root is completely pointless).  

> ii)  Is there a particular reason to use /var/secure-bind rather than
> say /var/named which seems to be some what of an informal default.
> 
> I'm going to ask on the FHS mailing list about their thoughts on chroot
> enviroments and how it might fit in FHS policy.

it certainly would be useful to have some standard setup for this kind
of thing.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpsfISBgSrRb.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: chroot bind?
  - From: Marco d'Itri <md@Linux.IT>

References:
- Re: chroot bind?
  - From: Yotam Rubin <yotam@makif.omer.k12.il>
- Re: chroot bind?
  - From: "Jaldhar H. Vyas" <jaldhar@debian.org>
- Re: chroot bind?
  - From: nic@plumtree.co.nz

Prev by Date: Re: kernel-{image,headers} package bloat
Next by Date: Re: kernel-{image,headers} package bloat
Previous by thread: Re: chroot bind?
Next by thread: Re: chroot bind?
Index(es):
- Date
- Thread