BIND chroot jail on SolarisBIND 8 chroot jail
Note: I recommend upgrading to the latest BIND 9 release to take advantage of
BIND 9's security features and security-focused code rewrite.
Thanks to Sean Boran for his "Installing BIND v8 chroot'ed on Solaris 7." Much
of the information on this page was obtained from his installation guide.
In this BIND chroot jail example on a Solaris 7 server, the named daemon is
executed as the named user (UID 53, GID 53). The chroot jail is the /home/dns
directory. This document assumes BIND is already installed with binaries in
/usr/local, configuration files in /usr/local/etc, and DNS data in /var/dns.
Upgrading your BIND chroot jail
If you already have a BIND chroot jail configured, and want to upgrade to a new
version of BIND, perform the following commands after running make install.
These steps assume you installed BIND to the standard /usr/local directory tree.
for i in `ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | awk '{print
$3}'`
do
cp $i /home/dns/usr/lib
done
cd /home/dns/usr/local/sbin
(cd /usr/local/sbin; tar cf - dnskeygen named* irpd ndc) | tar xvf -
cd /home/dns/usr/local/bin
(cd /usr/local/bin; tar cf - dnsquery dig host nslookup nsupdate) | tar xvf -
Restart BIND to enable the new version.
Creating an initial BIND chroot jail
To create a BIND chroot jail from scratch, perform the following steps:
1. Create named user and chroot jail.
groupadd -g 53 named
useradd -c "BIND DNS daemon" -d /home/named -g named -u 53 -s /bin/false named
mkdir -m 750 /home/named
cd /home/named
mkdir -p dev opt usr var etc var/run var/log var/dns usr/local usr/lib
usr/share/lib/zoneinfo
cp /etc/syslog.conf /etc/netconfig /etc/nsswitch.conf /etc/resolv.conf
/etc/TIMEZONE etc
2. Copy libraries into chroot jail.
for i in `ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | awk '{print
$3}'`
/usr/local/sbin/named-xfer | awk '{print $3}'`
do
cp $i /home/named/usr/lib
done
cp /usr/lib/ld.so.1 /home/named/usr/lib
3. Create device files in the chrooted environment.
cd /home/named/dev
mknod tcp c 11 42
mknod udp c 11 41
mknod log c 21 5
mknod null c 13 2
mknod zero c 13 12
chgrp sys null zero
mknod conslog c 21 0
mknod syscon c 0 0
chmod 620 syscon
chgrp tty syscon
chgrp sys conslog
4. Copy the timezone information into the chroot jail. Otherwise, BIND will use
a GMT timestamp when sending messages to syslog. In this example, the TIMEZONE
is US/Central.
cd /home/named
mkdir -p usr/share/lib/zoneinfo/US
cp -p /usr/share/lib/zoneinfo/US/Central usr/share/lib/zoneinfo/US
5. Copy BIND to chroot jail and set appropriate permissions.
cd /home/named
mkdir -p usr/local/bin usr/local/lib usr/local/sbin usr/local/bind usr/local/etc
chmod 755 usr/local/bin usr/local/lib usr/local/sbin usr/local/bind
usr/local/etc
cd /home/named/usr/local/sbin
(cd /usr/local/sbin; tar cf - dnskeygen named* irpd ndc) | tar xvf -
cd /home/named/usr/local/bin
(cd /usr/local/bin; tar cf - dnsquery dig host nslookup nsupdate) | tar xvf -
cd /home/named/usr/local
cp /usr/local/etc/named.conf etc
(cd /usr/local; tar cf - bind) | tar xvf -
chown -R root:named *
chmod 775 etc
cd /home/named/var/
(cd /var/dns; tar cf - *) | tar xvf -
cd /home/named
chown -R root:named opt var
chmod -R g-w var
chmod -R o-rx .
chmod g+w var/run var/log
touch var/log/all.log var/run/named.pid
chown named:named var/log/all.log var/run/named.pid
find . -type f | xargs chmod ug-s
6. Start BIND.
/usr/local/sbin/named -u 53 -g 53 -t /home/named
Make sure to modify your BIND startup/shutdown script to execute BIND as a
non-privileged user within the chroot jail. Compare your copy to the following
/etc/init.d/named script.
#!/bin/sh
case $1 in
'start' )
/usr/local/sbin/named -u 53 -g 53 -t /home/named
;;
'stop' )
kill `ps -ef | grep named | grep -v grep | awk '{print $2}'` > /dev/null 2>&1
;;
*)
echo "usage: $0 {start|stop}"
esac
Back to brandonhutchinson.com.
Last modified: 05/14/2003
(
geocities.com/hackermuda/exploits) (
geocities.com/hackermuda)