-   Linux - Security (
-   -   Help me configure BIND 9.5 chroot jail! (

bpointe 02-12-2010 05:52 AM

Help me configure BIND 9.5 chroot jail!
Hi everybody,

I am setting up an internal web site that will have two networks, each with its own DNS(BIND) server, one master the other slave.

I need to configure, provision, and test /var/named as a chroot jail. I'm using several books to help (O'Reily's Linux Server Security & DNS and BIND), each with great examples. The problem is that the Linux Server Security text gives the following chroot provisioning example script (#comments not added) and I'm not sure if it is supposed to run each time I log onto the server or should it just run once. Based on the mkdir commands, I would think that this script should only run one time. Either way, where do I put it to run. Also, since Fedora 9 BIND comes with the chroot jail already configured, how can I verify that it is configured properly so that I can add zone data files?

mkdir -m 2750 -p $BINDJAIL/dev $BINDJAIL/etc
mkdir -m 2770 -p $BINDJAIL/var/run
mkdir -m 2770 $BINDJAIL/var/log $BINDJAIL/var/tmp
mkdir -m 2750 $BINDJAIL/master
mkdIR -m 2770 $BINDJAIL/slave $BINDJAIL/stubs
mkdir -m 2770 -p $BINDJAIL/var/cache/bind

echo "named:x:256:" >> /etc/group
echo "named:x:256:256:BIND:$BINDJAIL:/bin/false" \
>> /etc/passwd

chown -R root:named $BINDJAIL

cp /etc/localtime $BINDJAIL/etc

mknod $BINDJAIL/dev/null c 1 3
chmod 666 $BINDJAIL/dev/null
mknod $BINDJAIL/dev/random c 1 8
chmod 666 $BINDJAIL/dev/random



slimm609 02-12-2010 09:14 AM

Bind has an option in the config to tell it to run in a Jail. You dont have to do it manually. It will do it, itself if you just set the config setting. the files will be in /var/named/chroot/

bpointe 02-12-2010 01:32 PM

Thanks slimm609,

What's confusing is the /var/named/chroot contains /dev, /etc/, and /var. /etc contains a named.conf file which seems to be what needs to be configured specifically to activate the zone data files. Also, the /vat sub-directory on th chroot jail also contains a /named that contains, named.empty and a named.localhost file. Is it this sub-directory were I should place the zone data files?

If it seems like I don't have a clue, your right...almost. This chroot jail thing seems like a tangles web of directories & files that cross-reference each other. I did draw a diagram of the root and chroot jails relative position in /var, that helped me a lot to understand where everything is in the directory tree.

Kudos again slimm609, I feel as if I'm getting closer to the answer.


salasi 02-12-2010 08:04 PM

IIRC, when Bind is initialising, it doesn't know its going to be chrooted and so it reads its config from the conventional place, /etc.

However, once it has read its config file, it does know that it is to be chrooted and subsequently reads everything from a place relative to the chroot root....that is, if you had something that would un-chrooted be in /var, and you used as a chroot base directory /stoopid_example, it would now be read from, or written to,

Note that other chroot directories apart from /stoopid_example are possible! And, err, desirable, if only for my sanity.

Smartpatrol 02-16-2010 11:21 PM


bpointe 02-17-2010 09:31 AM

Hi Smartpatrol,
How did you go about actually running the script? Also, the version of fedora that I'm using already has /var/named configured. I would love to run the chroot bind package but I need to know if it is installed and were to find it. I wrote a small script that traverses the file system and searches for files. I'll take a look for that package and run it. Stand by for an update...

Thanks a billion for your input, I look forward to your responses.

slimm609 02-17-2010 07:17 PM

when running in a chroot env. the root directory is moved for that application. So cd /var/named/chroot and act like thats the / of the system. That is how bind is going to see it. so there should be a etc, dev, var, and maybe even a proc dir. (dont remember for sure).

look at /var/named/chroot/var/named as /var/named and /var/named/chroot/etc as /etc same for the rest of the directories and that should help you out in understanding it.

bpointe 02-18-2010 09:37 AM

Thanks Slimm609!
It makes since to me now. Coming from windows world it is a breath of fresh air having this much control over how the operating environment works. I'm going to implement smartpatrol's suggestion and first locate and then find out how to run the chroot bind package in fedora.

Thanks a bunch!

slimm609 02-19-2010 12:01 AM


Originally Posted by bpointe (Post 3868121)
It makes since to me now. Coming from windows world it is a breath of fresh air having this much control over how the operating environment works. I'm going to implement smartpatrol's suggestion and first locate and then find out how to run the chroot bind package in fedora.

Thanks a bunch!

on fedora it is prob. already installed if the dir. structure is /var/named/chroot. It gives a sample config and setups up all the directory structure. the package is called bind-chroot IIRC

bpointe 02-19-2010 02:51 PM

Your'e exactly right slimm609
The bind jail is already configured as far as I can tell. I guess I'll move forward and configure the /var/named/chroot/etc/named.conf file to find the zone data files in /var/named/chroot. I will assume that the BINDJAIL=/var/named & BINDBIN=/usr/sbin commands found in the script below is already located in some init directory. You see, although bind-chroot is already configured, I need to confirm that the script that sets the BINDJAIL=/var/named and the BINDBIN=/usr/sbin commands have already run upon login. What I'm seeing is that fedora does not retain these setting once you power-down the server. The command seems to reside in volatile memory (RAM), and needs to be configured each time the machine is restarted.

That is my problem now and one of my original questions. What would confirm this for me is if a script similar to the one listed below resides somewhere where it can be ran upon startup (if I remember correctly that would be in an init directory...right?) I used a findit script that helps me locate files and I ran it with chroot* as its argument. It did not even return a chroot-bind. If I can find the script that configures the chroot somewhere in the directory tree I can then look specifically for the command line commands that initializes the chroot jail. I'll hit pay dirt if I can only find it. Any pointers that would help me to that end would be golden.



slimm609 02-19-2010 05:40 PM

check /etc/sysconfig for a file called named.

it should contain a lines similar to below

OPTIONS="-t /var/named/chroot -u named -c /etc/named.conf"

the -t option is the chroot() directory to use once it is started

bpointe 02-21-2010 09:19 AM

Another thanks Slimm609!
I did find the /etc/sysconfig/named file, which is symbolically linked to /var/named/chroot/etc/named.conf file. I also performed the rpm -q query for bind-chroot and it return: bind-chroot-9.5.2-1.fc10.i386, so it is installed.

One document that is helping comes from Archive: Docs/Drafts/AdministrationGuide/Servers/DNSBIND/BINDchroot, and it suggests that a file named /etc/rndc.conf should also be symbolically linked to /var/named/chroot/etc/rndc.conf. The only file on my system that is similarly named is the rndc.key file. the same BINDchroot document suggest that I will not need the rndc.key file and both the /etc/rndc.key and it's linked version in /var/named/chroot/etc/rndc.key should be removed. I need to know what rndc.conf is and why it is not on my system. Then I can go about creating it.

Slimm609, I am creeping closer & closer to understanding what the heck I'm doing and why, how of BINDchroot-ing. I am searching for online info on rndc.conf, but if you have any information on it please send.



chrism01 02-21-2010 11:10 PM


1. bind-chroot-9.5.2-1.fc10.i386 - that's Fedora 10 (see fc10 there) which is longer supported; I believe they're on version 12 or 13 by now.
2. If you're using Fedora or any other RH based system, why not use the pkg mgr (RHEL/Centos = yum or whatever on fedora) to install. It'll set it all up for you.
Much easier.

All times are GMT -5. The time now is 07:34 PM.