On Sun, Nov 19, 2000 at 02:46:32AM -0500, Patrick Dahiroc wrote:
> hi all
>
> I just found that there was a new exploit for bind. I also just
> finished reading the Chroot-BIND HOWTO. This might be a good time to
> apply what I've learned. I've already created my 'named' system user
> acct with a /bin/false shell and /chroot/named home directory. I've
> copied the contents of /etc/bind/* to /chroot/named/etc/bind, created
> /chroot/named/dev/null and modified the syslogd init file.
>
> Now I'm ready to compile the bind source code, which I downloaded
> by doing 'apt-get source'. Now I have a bind_*.dsc, bind_*.tar.gz,
> bind_*.diff.gz, and a bind-* directory.
>
> Do I still have to run 'dpkg-source -x bind_*.dsc', or are the contents
> of the bind-* directory the output of dpkg-source?
>
> If I edit some of the files in the bind-* directory, is it OK for me to
> run 'dpkg-buildpackage; dpkg --install *.deb'?

I found it was simpler to just copy the bind binaries along with libc into the chroot jail than to mess with recompiling it statically. I modified the initscript to copy the needed files every time bind was started. This has the advantage that you use the standard Debian bind packages, and when Debian upgrades them (to fix a new security hole) your chrooted version is transparently upgraded (since the package will restart named).

Here is the initscript I used. Note that your chroot environment should be owned by root.named with 750/640 permissions on all directories/files (except the libraries/binaries can be root.root 644/755). bind only needs to write to /var/named/var/{run,tmp} and /var/named/var/cache/bind.

I don't see any problem with /chroot/named instead of /var/named, except that it's better to have bind living on a partition other than / (you did make /var a separate partition, right?)

#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin

test -x /usr/sbin/named || exit 0

## setup chroot env.
fail() {
	/usr/bin/logger -i -s -p daemon.warn "bind chroot failed, bind not started"
	return 1
}

# Refresh the binaries, libc, the dynamic loader and the timezone file in
# the jail from the installed package on every start (not on plain reload),
# so a package upgrade is picked up the next time named is restarted.
if [ "$1" != reload ] ; then
	umask 022
	cp -fp /usr/sbin/named /var/named/usr/sbin/ || fail || exit 1
	cp -fp /usr/sbin/named-xfer /var/named/usr/sbin || fail || exit 1
	cp -fp /lib/libc.so.6 /var/named/lib || fail || exit 1
	cp -fp /lib/ld-linux.so.2 /var/named/lib || fail || exit 1
	cp -fp /etc/localtime /var/named/etc || fail || exit 1
fi

test -x /var/named/usr/sbin/named || exit 1

# Run the copy inside the jail, dropping to the named user/group and
# chrooting to /var/named (-t) before serving.
DAEMON="/var/named/usr/sbin/named"
ARGS="-u named -g named -t /var/named"
PIDFILE="/var/named/var/run/named.pid"

case "$1" in
    start)
	echo -n "Starting domain name service: named"
	start-stop-daemon --start --quiet --exec $DAEMON -- $ARGS
	echo "."
	;;
    stop)
	echo -n "Stopping domain name service: named"
	start-stop-daemon --stop --quiet --pidfile $PIDFILE
	echo "."
	;;
    restart)
	$0 stop
	sleep 1
	$0 start
	;;
    reload)
	# ndc's control socket lives inside the jail
	/usr/sbin/ndc -c /var/named/var/run/ndc reload
	;;
    force-reload)
	$0 restart
	;;
    *)
	echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
	exit 1
	;;
esac

exit 0

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
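A small audit of a jail laid out as described in the reply, as an added example (it is not the initscript from the message and not Debian's code): it checks that the files the initscript copies in are present, that everything is owned by root, and that nothing outside var/run, var/tmp and var/cache/bind is group- or world-writable. The layout and the three writable directories come from the post; the optional owner argument is an assumption added so the check can be exercised on a tree owned by a non-root user.

```shell
#!/bin/sh
# Audit a BIND chroot laid out as in the reply above. Added example; not the
# initscript from the message and not Debian code. Assumed layout (from the
# post): $JAIL/usr/sbin/{named,named-xfer}, $JAIL/lib/{libc.so.6,ld-linux.so.2},
# $JAIL/etc/localtime, $JAIL/dev/null, with named writing only under
# var/run, var/tmp and var/cache/bind. The optional OWNER argument (an
# assumption, defaults to root) lets the check run against a test tree owned
# by a non-root user. Prints every finding; returns 0 if clean, 1 otherwise.

check_chroot() {
    jail=$1
    owner=${2:-root}
    rc=0

    # 1. Every file the initscript copies in must be present, or named will
    #    not start inside the jail (no binary, no libc, no dynamic loader).
    for f in usr/sbin/named usr/sbin/named-xfer lib/libc.so.6 \
             lib/ld-linux.so.2 etc/localtime dev/null; do
        [ -e "$jail/$f" ] || { echo "missing: $f"; rc=1; }
    done

    # 2. Everything is owned by $owner (root in production), so the named
    #    user cannot replace the binary or the libc it is executed from.
    bad=$(find "$jail" ! -user "$owner" -print)
    [ -z "$bad" ] || { echo "not owned by $owner:"; echo "$bad"; rc=1; }

    # 3. Nothing outside the three writable directories may be group- or
    #    world-writable (750/640 for the tree, 755/644 for binaries and libs).
    bad=$(find "$jail" \( -path "$jail/var/run" -o -path "$jail/var/tmp" \
                -o -path "$jail/var/cache/bind" \) -prune \
              -o \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] || { echo "writable outside var/run, var/tmp, var/cache/bind:"; echo "$bad"; rc=1; }

    return $rc
}
```

Run it as `check_chroot /var/named` after the initscript has copied the files in; anything it prints is either something the jail is missing or a path the named user could tamper with.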