LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-12-2010, 04:52 AM   #1
bpointe
LQ Newbie
 
Registered: Feb 2010
Location: Atlanta, Georgia
Distribution: fedora
Posts: 7

Rep: Reputation: 0
Smile Help me configure BIND 9.5 chroot jail!


Hi everybody,

I am setting up an internal web site that will have two networks, each with its own DNS(BIND) server, one master the other slave.

I need to configure, provision, and test /var/named as a chroot jail. I'm using several books to help (O'Reily's Linux Server Security & DNS and BIND), each with great examples. The problem is that the Linux Server Security text gives the following chroot provisioning example script (#comments not added) and I'm not sure if it is supposed to run each time I log onto the server or should it just run once. Based on the mkdir commands, I would think that this script should only run one time. Either way, where do I put it to run. Also, since Fedora 9 BIND comes with the chroot jail already configured, how can I verify that it is configured properly so that I can add zone data files?

#!bin/bash
BINDJAIL=/var/named
BINDBIN=/usr/sbin
mkdir -m 2750 -p $BINDJAIL/dev $BINDJAIL/etc
mkdir -m 2770 -p $BINDJAIL/var/run
mkdir -m 2770 $BINDJAIL/var/log $BINDJAIL/var/tmp
mkdir -m 2750 $BINDJAIL/master
mkdIR -m 2770 $BINDJAIL/slave $BINDJAIL/stubs
mkdir -m 2770 -p $BINDJAIL/var/cache/bind

echo "named:x:256:" >> /etc/group
echo "named:x:256:256:BIND:$BINDJAIL:/bin/false" \
>> /etc/passwd

chown -R root:named $BINDJAIL

cp $BINDBIN/named $BINDJAIL
cp /etc/localtime $BINDJAIL/etc

mknod $BINDJAIL/dev/null c 1 3
chmod 666 $BINDJAIL/dev/null
mknod $BINDJAIL/dev/random c 1 8
chmod 666 $BINDJAIL/dev/random

Thanks,

Ben
 
Old 02-12-2010, 08:14 AM   #2
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Bind has an option in the config to tell it to run in a Jail. You dont have to do it manually. It will do it, itself if you just set the config setting. the files will be in /var/named/chroot/
 
Old 02-12-2010, 12:32 PM   #3
bpointe
LQ Newbie
 
Registered: Feb 2010
Location: Atlanta, Georgia
Distribution: fedora
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks slimm609,

What's confusing is the /var/named/chroot contains /dev, /etc/, and /var. /etc contains a named.conf file which seems to be what needs to be configured specifically to activate the zone data files. Also, the /vat sub-directory on th chroot jail also contains a /named that contains named.ca, named.empty and a named.localhost file. Is it this sub-directory were I should place the zone data files?

If it seems like I don't have a clue, your right...almost. This chroot jail thing seems like a tangles web of directories & files that cross-reference each other. I did draw a diagram of the root and chroot jails relative position in /var, that helped me a lot to understand where everything is in the directory tree.

Kudos again slimm609, I feel as if I'm getting closer to the answer.

Ben
 
Old 02-12-2010, 07:04 PM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,883

Rep: Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774
IIRC, when Bind is initialising, it doesn't know its going to be chrooted and so it reads its config from the conventional place, /etc.

However, once it has read its config file, it does know that it is to be chrooted and subsequently reads everything from a place relative to the chroot root....that is, if you had something that would un-chrooted be in /var, and you used as a chroot base directory /stoopid_example, it would now be read from, or written to,
/stoopid_example/var

Note that other chroot directories apart from /stoopid_example are possible! And, err, desirable, if only for my sanity.
 
1 members found this post helpful.
Old 02-16-2010, 10:21 PM   #5
Smartpatrol
Member
 
Registered: Sep 2009
Posts: 196

Rep: Reputation: 38
...

Last edited by Smartpatrol; 03-11-2010 at 10:06 PM.
 
2 members found this post helpful.
Old 02-17-2010, 08:31 AM   #6
bpointe
LQ Newbie
 
Registered: Feb 2010
Location: Atlanta, Georgia
Distribution: fedora
Posts: 7

Original Poster
Rep: Reputation: 0
Hi Smartpatrol,
How did you go about actually running the script? Also, the version of fedora that I'm using already has /var/named configured. I would love to run the chroot bind package but I need to know if it is installed and were to find it. I wrote a small script that traverses the file system and searches for files. I'll take a look for that package and run it. Stand by for an update...

Thanks a billion for your input, I look forward to your responses.
 
Old 02-17-2010, 06:17 PM   #7
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
when running in a chroot env. the root directory is moved for that application. So cd /var/named/chroot and act like thats the / of the system. That is how bind is going to see it. so there should be a etc, dev, var, and maybe even a proc dir. (dont remember for sure).

look at /var/named/chroot/var/named as /var/named and /var/named/chroot/etc as /etc same for the rest of the directories and that should help you out in understanding it.
 
Old 02-18-2010, 08:37 AM   #8
bpointe
LQ Newbie
 
Registered: Feb 2010
Location: Atlanta, Georgia
Distribution: fedora
Posts: 7

Original Poster
Rep: Reputation: 0
Lightbulb Thanks Slimm609!

It makes since to me now. Coming from windows world it is a breath of fresh air having this much control over how the operating environment works. I'm going to implement smartpatrol's suggestion and first locate and then find out how to run the chroot bind package in fedora.

Thanks a bunch!
ben
 
Old 02-18-2010, 11:01 PM   #9
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Quote:
Originally Posted by bpointe View Post
It makes since to me now. Coming from windows world it is a breath of fresh air having this much control over how the operating environment works. I'm going to implement smartpatrol's suggestion and first locate and then find out how to run the chroot bind package in fedora.

Thanks a bunch!
ben
on fedora it is prob. already installed if the dir. structure is /var/named/chroot. It gives a sample config and setups up all the directory structure. the package is called bind-chroot IIRC
 
1 members found this post helpful.
Old 02-19-2010, 01:51 PM   #10
bpointe
LQ Newbie
 
Registered: Feb 2010
Location: Atlanta, Georgia
Distribution: fedora
Posts: 7

Original Poster
Rep: Reputation: 0
Cool Your'e exactly right slimm609

The bind jail is already configured as far as I can tell. I guess I'll move forward and configure the /var/named/chroot/etc/named.conf file to find the zone data files in /var/named/chroot. I will assume that the BINDJAIL=/var/named & BINDBIN=/usr/sbin commands found in the script below is already located in some init directory. You see, although bind-chroot is already configured, I need to confirm that the script that sets the BINDJAIL=/var/named and the BINDBIN=/usr/sbin commands have already run upon login. What I'm seeing is that fedora does not retain these setting once you power-down the server. The command seems to reside in volatile memory (RAM), and needs to be configured each time the machine is restarted.

That is my problem now and one of my original questions. What would confirm this for me is if a script similar to the one listed below resides somewhere where it can be ran upon startup (if I remember correctly that would be in an init directory...right?) I used a findit script that helps me locate files and I ran it with chroot* as its argument. It did not even return a chroot-bind. If I can find the script that configures the chroot somewhere in the directory tree I can then look specifically for the command line commands that initializes the chroot jail. I'll hit pay dirt if I can only find it. Any pointers that would help me to that end would be golden.

Thanks,

Ben
 
Old 02-19-2010, 04:40 PM   #11
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
check /etc/sysconfig for a file called named.


it should contain a lines similar to below

NAME=named
DAEMON=/usr/local/sbin/$NAME
OPTIONS="-t /var/named/chroot -u named -c /etc/named.conf"

the -t option is the chroot() directory to use once it is started
 
1 members found this post helpful.
Old 02-21-2010, 08:19 AM   #12
bpointe
LQ Newbie
 
Registered: Feb 2010
Location: Atlanta, Georgia
Distribution: fedora
Posts: 7

Original Poster
Rep: Reputation: 0
Smile Another thanks Slimm609!

I did find the /etc/sysconfig/named file, which is symbolically linked to /var/named/chroot/etc/named.conf file. I also performed the rpm -q query for bind-chroot and it return: bind-chroot-9.5.2-1.fc10.i386, so it is installed.

One document that is helping comes from Archive: Docs/Drafts/AdministrationGuide/Servers/DNSBIND/BINDchroot, and it suggests that a file named /etc/rndc.conf should also be symbolically linked to /var/named/chroot/etc/rndc.conf. The only file on my system that is similarly named is the rndc.key file. the same BINDchroot document suggest that I will not need the rndc.key file and both the /etc/rndc.key and it's linked version in /var/named/chroot/etc/rndc.key should be removed. I need to know what rndc.conf is and why it is not on my system. Then I can go about creating it.

Slimm609, I am creeping closer & closer to understanding what the heck I'm doing and why, how of BINDchroot-ing. I am searching for online info on rndc.conf, but if you have any information on it please send.

Thanks!

Ben
 
Old 02-21-2010, 10:10 PM   #13
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,225

Rep: Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021
2 comments

1. bind-chroot-9.5.2-1.fc10.i386 - that's Fedora 10 (see fc10 there) which is longer supported; I believe they're on version 12 or 13 by now.
2. If you're using Fedora or any other RH based system, why not use the pkg mgr (RHEL/Centos = yum or whatever on fedora) to install. It'll set it all up for you.
Much easier.
 
1 members found this post helpful.
  


Reply

Tags
bind, chroot, jail


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Chroot jail Gimpy Linux - Software 10 05-07-2010 01:30 PM
Chroot jail pachanga Linux - General 12 09-26-2008 05:15 AM
Jail and chroot rogk Linux - Security 2 10-16-2005 02:20 AM
chroot jail etc. f1uke Linux - Security 5 08-24-2005 03:12 AM
chroot jail simon Linux - Security 3 08-05-2001 08:21 PM


All times are GMT -5. The time now is 08:56 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration