
Re: bind in jail?



On Mon 13-09-2004, at 07:03, Paolo Alexis Falcone wrote:


> On Mon, 13 Sep 2004 05:42:55 +0200, Olav <betenoire@xs4all.nl> wrote:
> > Do most people who run bind or bind9 on Debian, recompile the program to
> > run in a chroot environment ("jail")? Or perhaps, should this not be
> > necessary in Sarge because it has other defenses in place?
> 
> There's no need to recompile debian's bind package to execute bind
> inside a chroot'd jail. However, I'm not sure if the default Bind
> install in Sarge runs bind chroot'ed, although they've already built
> the necessary facilities to run it chrooted (seen it in my Woody
> servers).

How do I check? I'm rather new to both bind and the practical use of
chroot (but I know what it does in theory). I have set up bind according
to
<http://www.debian.org/doc/manuals/network-administrator/ch-bind.html>,
except (like the article says) there is no utility by the name of
bindconfig and the config files are organized a little bit differently.
Seems like no problem to me. The server works great now as a DNS server
for the clients in my LAN, resolving names on the internet. But it does
not do anything with my own zone files - have to figure that one out,
but it's another story.

I'm not sure that it runs in chroot mode, and I'm almost certain that it
does not, and I'm not clear about what I could have done (during or
after install) to make it run that way. I can see that named *does* run
with its own user, bind. But that is not necessarily evidence of
running in chroot, is it?

> > Running bind this way is a recommendation that you can often read about.
> > I also wonder what the *real* dangers would be from exposing bind to the
> > outside world. What bad things can happen, and could bind in fact be a
> > starting point for someone to break into a system? I have not seen too
> > much real world information about this so far (I could have looked in
> > the wrong places of course...)
> 
> As we already know, binding applications to use the privileged ports
> (ports lower than 1024) would need root privileges (normally that is).
> Now, assuming that you've got bind running as root, a
> remotely-exploitable bug in bind can be used as a mechanism to gain
> entry to the system. And since bind would run as root - hello you're
> already 0wned! :D

So I'm reading contradictory statements about this. Some will say that a
vulnerability in bind will only allow an attacker to "hang up" your
system, but it will not let them in. How many real world exploits have
been reported and of what nature?

> Now should bind run in a chroot'd environment, an entry using a remote
> exploit in bind would be contained inside the confines of the chroot
> jail. In theory damage can be compartmentalized to the directory
> hosting the jail.

The theory I did already know a bit about, I just don't have any
experience in setting things up like that :)

> Of course if your machine does get compromised it's wise to just reformat
> the entire system than waste time in ascertaining trustworthiness of some
> binaries you'd be using for 'unrooting' the machine

I think I would rather not get "compromised" at all.

But when it happens I think I will want to understand how and what
exactly went wrong. Could be instructive :)

Still have a lot to learn...


-- 
Olav <betenoire@xs4all.nl>
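
An added example, not part of the original message: one way to answer "How do I check?" on Linux is to read the `/proc/PID/root` symlink of the running `named` and, separately, its uid, since running as user bind and running chrooted are independent settings. The function names and the optional second argument (an alternative proc directory, used for testing) are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: report whether a process is chrooted and which uid it runs as.
# The optional PROC_DIR argument is an assumption for testing; it defaults to /proc.

# chroot_of PID [PROC_DIR] -> prints the root directory the process sees.
# /proc/PID/root is a symlink to that directory; reading it for a process
# owned by another user normally requires root.
chroot_of() {
    pid=$1
    proc=${2:-/proc}
    readlink "$proc/$pid/root"
}

# uid_of PID [PROC_DIR] -> prints the real uid from /proc/PID/status.
uid_of() {
    awk '/^Uid:/ { print $2 }' "${2:-/proc}/$1/status"
}

# check_jail PID [PROC_DIR] -> prints "chroot=<dir|none> uid=<n>".
# Returns 2 when the root link cannot be read (no such pid, or not root).
check_jail() {
    root=$(chroot_of "$1" "$2") || {
        echo "cannot read root of pid $1 (no such process, or not run as root)"
        return 2
    }
    uid=$(uid_of "$1" "$2")
    if [ "$root" = "/" ]; then
        # Root is the real filesystem root: the process is not chrooted,
        # whatever uid it runs as.
        echo "chroot=none uid=$uid"
    else
        echo "chroot=$root uid=$uid"
    fi
}

# On a live system, as root:
#   for pid in $(pidof named); do check_jail "$pid"; done
```

A result of `chroot=none` with a non-zero uid means named has dropped root privileges but is not jailed; named is put in a chroot with its `-t <directory>` option.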


