[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chroot'd named & dpkg-sources

On Sun, Nov 19, 2000 at 02:46:32AM -0500, Patrick Dahiroc wrote:
> hi all
> i just found that there was a new exploit for bind.  i just also
> finished reading Chroot-BIND HOWTO.  this might be a good time to
> apply what i've learned.  i've already created my 'named' system user
> acct with a /bin/false shell and /chroot/named home directory.  i've
> copied the contents of /etc/bind/* to /chroot/named/etc/bind, created
> /chroot/named/dev/null and modified the syslogd init file.
> now i'm ready to compile the bind source code, which i downloaded did
> by doing 'apt-get source'.  now i have a bind_*.dsc, bind_*.tar.gz,
> bind_*.diff.gz, and a bind-* directory.
> do i still have to run 'dpkg-source -x bind_*.dsc' or are the contents 
> of the bind-* directory the output of dpkg-source?
> if i edit some of the file in the bind-* directory. is it ok for me to 
> run 'dpkg-buildpackage; dpkg --install *.deb'?

i found it was simpler to just copy the bind binaries along with libc
into the chroot jail then to mess with recompiling it staticly.  i
modifed the initscript to copy the needed files every time bind was
started.  this has the advantage that you use the standard debian bind
packages, and when debian upgrades them (to fix a new security hole)
your chrooted version is transparently upgraded (since the package
will restart named) 

here is the initscript i used.  note that your chroot environment
should be owned by root.named with 750/640 permissions on all
directories/files (except the libraries/binaries can be root.root
644/755).  bind only needs to write to /var/named/var/{run,tmp} and

i don't see any problem with /chroot/named instead of /var/named
except that its better to have bind living on a partition other then /
(you did make /var a seperate partition right?)



test -x /usr/sbin/named || exit 0

## setup chroot env.

/usr/bin/logger -i -s -p daemon.warn "bind chroot failed, bind not started"
return 1

if [ "$1" != reload ] ; then
umask 022
cp -fp /usr/sbin/named /var/named/usr/sbin/ || fail || exit 1
cp -fp /usr/sbin/named-xfer /var/named/usr/sbin || fail || exit 1
cp -fp /lib/libc.so.6 /var/named/lib || fail || exit 1
cp -fp /lib/ld-linux.so.2 /var/named/lib || fail || exit 1
cp -fp /etc/localtime /var/named/etc || fail || exit 1

test -x /var/named/usr/sbin/named || exit 1

ARGS="-u named -g named -t /var/named"

case "$1" in
	echo -n "Starting domain name service: named"
	start-stop-daemon --start --quiet --exec $DAEMON -- $ARGS
	echo "."	

	echo -n "Stopping domain name service: named"
	start-stop-daemon --stop --quiet --pidfile $PIDFILE 
	echo "."	

	$0 stop
	sleep 1
	$0 start
	/usr/sbin/ndc -c /var/named/var/run/ndc reload

        $0 restart

	echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
	exit 1

exit 0

Ethan Benson

Attachment: pgpuocbRYCTvu.pgp
Description: PGP signature

Reply to: