Re: chroot'd named & dpkg-sources

To: debian-user@lists.debian.org
Subject: Re: chroot'd named & dpkg-sources
From: Ethan Benson <erbenson@alaska.net>
Date: Sat, 18 Nov 2000 23:14:02 -0900
Message-id: <[🔎] 20001118231402.D26377@plato.local.lan>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20001119024632.A32693@yakko>; from patd@dahiroc.net on Sun, Nov 19, 2000 at 02:46:32AM -0500
References: <[🔎] 20001119024632.A32693@yakko>

On Sun, Nov 19, 2000 at 02:46:32AM -0500, Patrick Dahiroc wrote:
> hi all
> 
> i just found that there was a new exploit for bind.  i just also
> finished reading Chroot-BIND HOWTO.  this might be a good time to
> apply what i've learned.  i've already created my 'named' system user
> acct with a /bin/false shell and /chroot/named home directory.  i've
> copied the contents of /etc/bind/* to /chroot/named/etc/bind, created
> /chroot/named/dev/null and modified the syslogd init file.
> 
> now i'm ready to compile the bind source code, which i downloaded did
> by doing 'apt-get source'.  now i have a bind_*.dsc, bind_*.tar.gz,
> bind_*.diff.gz, and a bind-* directory.
> 
> do i still have to run 'dpkg-source -x bind_*.dsc' or are the contents 
> of the bind-* directory the output of dpkg-source?
> 
> if i edit some of the file in the bind-* directory. is it ok for me to 
> run 'dpkg-buildpackage; dpkg --install *.deb'?

i found it was simpler to just copy the bind binaries along with libc
into the chroot jail then to mess with recompiling it staticly.  i
modifed the initscript to copy the needed files every time bind was
started.  this has the advantage that you use the standard debian bind
packages, and when debian upgrades them (to fix a new security hole)
your chrooted version is transparently upgraded (since the package
will restart named) 

here is the initscript i used.  note that your chroot environment
should be owned by root.named with 750/640 permissions on all
directories/files (except the libraries/binaries can be root.root
644/755).  bind only needs to write to /var/named/var/{run,tmp} and
/var/named/var/cache/bind

i don't see any problem with /chroot/named instead of /var/named
except that its better to have bind living on a partition other then /
(you did make /var a seperate partition right?)

#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin

test -x /usr/sbin/named || exit 0

## setup chroot env.

fail()
{
/usr/bin/logger -i -s -p daemon.warn "bind chroot failed, bind not started"
return 1
}

if [ "$1" != reload ] ; then
umask 022
cp -fp /usr/sbin/named /var/named/usr/sbin/ || fail || exit 1
cp -fp /usr/sbin/named-xfer /var/named/usr/sbin || fail || exit 1
cp -fp /lib/libc.so.6 /var/named/lib || fail || exit 1
cp -fp /lib/ld-linux.so.2 /var/named/lib || fail || exit 1
cp -fp /etc/localtime /var/named/etc || fail || exit 1
fi

test -x /var/named/usr/sbin/named || exit 1

DAEMON="/var/named/usr/sbin/named"
ARGS="-u named -g named -t /var/named"
PIDFILE="/var/named/var/run/named.pid"

case "$1" in
    start)
	echo -n "Starting domain name service: named"
	start-stop-daemon --start --quiet --exec $DAEMON -- $ARGS
	echo "."	
    ;;

    stop)
	echo -n "Stopping domain name service: named"
	start-stop-daemon --stop --quiet --pidfile $PIDFILE 
	echo "."	
    ;;

    restart)
	$0 stop
	sleep 1
	$0 start
    ;;
    
    reload)
	/usr/sbin/ndc -c /var/named/var/run/ndc reload
    ;;

    force-reload)
        $0 restart
    ;;

    *)
	echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
	exit 1
    ;;
esac

exit 0



-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpuocbRYCTvu.pgp
Description: PGP signature

Reply to:

References:
- chroot'd named & dpkg-sources
  - From: Patrick Dahiroc <patd@dahiroc.net>

Prev by Date: chroot'd named & dpkg-sources
Next by Date: Re: OT: working with cisco gear (Re: CISCO --> debian tool(s))
Previous by thread: chroot'd named & dpkg-sources
Next by thread: alsactl problem
Index(es):
- Date
- Thread