
Re: chroot bind in debian



On Wed, Jul 26, 2000 at 05:11:58PM +0300, Pavel M. Penev wrote:
> 
> No other documentation than dpkg(8) and chroot(8) :). I myself have been
> running bind in a chroot-ed environment (it really had a nasty security
> hole). What I did was:
> 
> 	1. cd to the chroot point
> 	2. tar xvfz
> <debian_dist_dir>/debian/dists/stable/main/disks-i386/current/base2_1.tgz
> 	3. dpkg --instdir=<chroot_point> -G -i bind_<...>
> 	And then set up some other utilities needed by bind
> (e.g. sendmail, (ana)cron, ...).

what?!  bind needs sendmail and cron?  that's news to me.

you don't need NEARLY as much crud in your chroot jail as you have
done, all you need is the following:

add a user and group named uid/gid 104 or so. 

path                              owner       mode
/var/named                        root.named  0750
/var/named/dev                    root.root   0755
/var/named/dev/null               root.root   0666

/var/named/dev/log (do this by changing SYSLOGD="" to
SYSLOGD="-a /var/named/dev/log" in /etc/init.d/sysklogd)

/var/named/var/                   root.root   0755
/var/named/var/tmp                root.named  1770
/var/named/var/cache              root.root   0755
/var/named/var/cache/bind         root.named  1770
/var/named/var/run                root.named  0770
/var/named/etc                    root.root   0755
/var/named/etc/bind               root.named  0750
/var/named/etc/localtime          root.root   0644
/var/named/usr                    root.root   0755
/var/named/usr/sbin               root.root   0755
/var/named/usr/sbin/named         root.root   0755
/var/named/usr/sbin/named-xfer    root.root   0755
/var/named/lib                    root.root   0755
/var/named/lib/ld-linux.so.2      root.root   0755
/var/named/lib/libc.so.6          root.root   0755

i also rewrote the bind initscript to automatically update the chroot
environment, that way when the debian bind (or libc) package is
upgraded and bind is restarted the updated binaries are copied into
the chroot jail.  i also run it as named.named instead of root.root of
course.

i had to rewrite the stop part of the initscript since
start-stop-daemon is funny about chrooted processes.

and ndc cannot seem to restart bind properly when chrooted, it always
ends up running as root, non-chrooted. 

i have been running this configuration for a couple months now with no
problems.  

--- /etc/init.d/bind	Sat Nov 27 13:25:50 1999
+++ bind	Thu Jul 27 21:00:21 2000
@@ -4,26 +4,61 @@
 
 test -x /usr/sbin/named || exit 0
 
+## set resource limits
+
+ulimit -d 8192
+ulimit -l 4096
+ulimit -m 16384
+ulimit -n 80
+ulimit -s 8192
+ulimit -u 30
+ulimit -v 16384
+ulimit -c 0
+
+## setup chroot env.
+
+fail()
+{
+/usr/bin/logger -i -s -p daemon.warn "bind chroot failed, bind not started"
+return 1
+}
+
+if [ "$1" != reload ] ; then
+umask 022
+cp -fp /usr/sbin/named /var/named/usr/sbin/ || fail || exit 1
+cp -fp /usr/sbin/named-xfer /var/named/usr/sbin || fail || exit 1
+cp -fp /lib/libc.so.6 /var/named/lib || fail || exit 1
+cp -fp /lib/ld-linux.so.2 /var/named/lib || fail || exit 1
+cp -fp /etc/localtime /var/named/etc || fail || exit 1
+fi
+
+test -x /var/named/usr/sbin/named || exit 1
+
+DAEMON="/var/named/usr/sbin/named"
+ARGS="-u named -g named -t /var/named"
+PIDFILE="/var/named/var/run/named.pid"
+
 case "$1" in
     start)
 	echo -n "Starting domain name service: named"
-	start-stop-daemon --start --quiet --exec /usr/sbin/named 
+	start-stop-daemon --start --quiet --exec $DAEMON -- $ARGS
 	echo "."	
     ;;
 
     stop)
 	echo -n "Stopping domain name service: named"
-	start-stop-daemon --stop --quiet  \
-	    --pidfile /var/run/named.pid --exec /usr/sbin/named
+	start-stop-daemon --stop --quiet --pidfile $PIDFILE 
 	echo "."	
     ;;
 
     restart)
-	/usr/sbin/ndc restart
+	$0 stop
+	sleep 1
+	$0 start
     ;;
     
     reload)
-	/usr/sbin/ndc reload
+	/usr/sbin/ndc -c /var/named/var/run/ndc reload
     ;;
 
     force-reload)
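Review bot: the new `stop` branch selects the process by `--pidfile $PIDFILE` alone, and `/var/named/var/run` is group-writable by named (mode 0770 in the layout above), so a compromised named running as `-u named` could rewrite `named.pid` and have this root-run script signal an arbitrary PID; add `--user named` (or `--name named`) to the `start-stop-daemon --stop --quiet --pidfile $PIDFILE` line so only processes owned by that user are matched. Secondary point: the `cp -fp` block is skipped only for `reload`, so `stop` also recopies the binaries into the jail; guarding it with `case "$1" in start|restart)` would limit the copy to the actions that need it.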
@@ -37,3 +72,4 @@
 esac
 
 exit 0
+
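Review bot: this hunk only appends a blank line after `exit 0`; drop it so the patch carries no whitespace-only change.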

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

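An audit script for the jail layout listed above, added here as an example and not part of Ethan's post: it checks each listed path's mode against the layout (ownership is left to a manual `ls -ln` as root, so the script runs unprivileged) and reports anything else inside the jail that is group- or world-writable. It assumes GNU `stat -c` and takes the jail root as its argument; `dev/log` is a socket created by syslogd, so it is allow-listed but not mode-checked.

```shell
#!/bin/sh
# Audit helpers for a bind chroot laid out as in the post (added example, not
# part of the original post). Modes are checked against the post's list and
# anything else group- or world-writable inside the jail is reported; owners
# are not checked so this can run unprivileged (verify root.named with ls -ln).

# Expected mode for each path relative to the jail root, from the post.
JAIL_MODES="
. 0750
dev 0755
dev/null 0666
var 0755
var/tmp 1770
var/cache 0755
var/cache/bind 1770
var/run 0770
etc 0755
etc/bind 0750
etc/localtime 0644
usr 0755
usr/sbin 0755
usr/sbin/named 0755
usr/sbin/named-xfer 0755
lib 0755
lib/ld-linux.so.2 0755
lib/libc.so.6 0755
"
# Paths that may legitimately carry a group or world write bit.
JAIL_WRITABLE_OK="var/tmp var/cache/bind var/run dev/null dev/log"

# jail_mode_mismatches JAIL_ROOT: prints "path expected actual" (or "missing")
# for every listed path whose mode differs. Assumes GNU stat -c.
jail_mode_mismatches() {
    echo "$JAIL_MODES" | while read -r rel want; do
        [ -n "$rel" ] || continue
        got=$(stat -c '%a' "$1/$rel" 2>/dev/null) || { echo "$rel $want missing"; continue; }
        # normalise both to four octal digits so 755 and 0755 compare equal
        want=$(printf '%04o' "0$want"); got=$(printf '%04o' "0$got")
        [ "$want" = "$got" ] || echo "$rel $want $got"
    done
}

# jail_unexpected_writable JAIL_ROOT: prints every path under the jail with a
# group (-perm -020) or world (-perm -002) write bit that is not allow-listed.
jail_unexpected_writable() {
    (cd "$1" && find . \( -perm -020 -o -perm -002 \) -print) | while read -r p; do
        rel=${p#./}
        case " $JAIL_WRITABLE_OK " in *" $rel "*) ;; *) echo "$rel" ;; esac
    done
}
```

After sourcing the file, `jail_mode_mismatches /var/named; jail_unexpected_writable /var/named` should print nothing when the tree matches the layout above.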