
Re: bind in jail?



On Mon, 13 Sep 2004 14:29:39 +0200, Olav <betenoire@xs4all.nl> wrote:
> On Mon 13-09-2004, at 07:03, Paolo Alexis Falcone wrote:
> 
> 
> > On Mon, 13 Sep 2004 05:42:55 +0200, Olav <betenoire@xs4all.nl> wrote:
> > > Do most people who run bind or bind9 on Debian, recompile the program to
> > > run in a chroot environment ("jail")? Or perhaps, should this not be
> > > necessary in Sarge because it has other defenses in place?
> >
> > There's no need to recompile debian's bind package to execute bind
> > inside a chroot'd jail. However, I'm not sure if the default Bind
> > install in Sarge runs bind chroot'ed, although they've already built
> > the necessary facilities to run it chrooted (seen it in my Woody
> > servers).
> 
> How do I check? I'm rather new to both bind and the practical use of
> chroot (but I know what it does in theory). I have set up bind according
> to
> <http://www.debian.org/doc/manuals/network-administrator/ch-bind.html>,
> except (like the article says) there is no utility by the name of
> bindconfig and the config files are organized a little bit differently.
> Seems like no problem to me. The server works great now as a DNS server
> for the clients in my LAN, resolving names on the internet. But it does
> not do anything with my own zone files - have to figure that one out,
> but it's another story.

There is no bindconfig or any utility like that.

Bind does two functions - as a caching nameserver (resolver) and a DNS
server (publishes entries as placed in your zone files). The Bind book
(deadtree edition) recommends running both components of bind under
different IPs.

> I'm not sure that it runs in chroot mode, and I'm almost certain that it
> does not, and I'm not clear about what I could have done (during or
> after install) to make it run that way. I can see that named *does* run
> with its own user, bind. But that is not necessarily evidence of
> running in chroot, is it?


If you followed the chroot'ed bind howto (e.g. "replicate" the folders
needed from the root filesystem into say /var/lib/named, then place
bind's configs there in /var/lib/named/etc/bind, run as a
non-privileged user -> there are explicit instructions on how to do
this) then it runs chroot'ed.

> > > Running bind this way is a recommendation that you can often read about.
> > > I also wonder what the *real* dangers would be from exposing bind to the
> > > outside world. What bad things can happen, and could bind in fact be a
> > > starting point for someone to break into a system? I have not seen too
> > > much real world information about this so far (I could have looked in
> > > the wrong places of course...)
> >
> > As we already know, binding applications to use the privileged ports
> > (ports lower than 1024) would need root privileges (normally that is).
> > Now, assuming that you've got bind running as root, a
> > remotely-exploitable bug in bind can be used as a mechanism to gain
> > entry to the system. And since bind would run as root - hello you're
> > already 0wned! :D
> 
> So I'm reading contradictory statements about this. Some will say that a
> vulnerability in bind will only allow an attacker to "hang up" your
> system, but it will not let them in. How many real world exploits have
> been reported and of what nature?

The most dangerous of vulnerabilities would allow denial of service or
entry to the system. What I've stated is just the theory on the
purported advantages of running the bind daemon chrooted with regards
to compartmentalizing the damage that can be done.

For info on bind's real-world exploits record - check the archives at bugtraq.


-- 
Paolo Alexis Falcone
pfalcone@gmail.com
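
An added example, not part of the original message: one way to answer the "how do I check?" question in this thread on a Linux host is to compare the root directory of each running named process (the /proc/<pid>/root link) with "/", and to print the process's UID next to it, since running as user bind says nothing about chroot. The function names and the PROC_DIR override are assumptions made for this example; reading another user's /proc/<pid>/root normally requires root.

```shell
#!/bin/sh
# Added example: report whether running processes of a given name are
# confined by chroot(2), using /proc/<pid>/root, and show their real UID.
# PROC_DIR is a hypothetical override so the check can run on a test tree.
PROC_DIR="${PROC_DIR:-/proc}"

# List PIDs whose command name (Name: field of status) equals $1.
pids_by_name() {
    for s in "$PROC_DIR"/[0-9]*/status; do
        [ -r "$s" ] || continue
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$s" 2>/dev/null) || continue
        if [ "$name" = "$1" ]; then
            basename "$(dirname "$s")"
        fi
    done
    return 0
}

# Print "chroot:<dir>", "not-chrooted", or "unknown" (link not readable,
# e.g. not running as root or the process has exited). Always returns 0.
chroot_status() {
    root=$(readlink "$PROC_DIR/$1/root" 2>/dev/null) || { echo "unknown"; return 0; }
    if [ "$root" = "/" ]; then
        echo "not-chrooted"
    else
        echo "chroot:$root"
    fi
    return 0
}

# One line per matching process: pid, real UID, chroot status.
report() {
    for pid in $(pids_by_name "$1"); do
        uid=$(sed -n 's/^Uid:[[:space:]]*\([0-9]*\).*/\1/p' \
              "$PROC_DIR/$pid/status" 2>/dev/null) || uid="?"
        echo "pid=$pid uid=$uid $(chroot_status "$pid")"
    done
    return 0
}

# Default to the BIND daemon name used in this thread.
report "${1:-named}"
```

A named that is both chrooted and unprivileged shows a non-zero uid and a chroot: path such as the /var/lib/named directory mentioned above; uid=0 or not-chrooted means that layer of containment is missing.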


