Chroot bind 9.3.0 in slackware 10 - noobie
 

just set-up my own domain server, and I want to run bind with a non-root user.

anyone have any instructions or explanations on how to do this?

I read a bunch of documentation on how to chroot bind 9, I can apply most of the commands to execute, but there are some difference which I can't apply to slackware 10.

a how-to I followed:

hxxp://mirrors.evrocom.net/slackware/slackware-8.0/docs/Linux-HOWTO/Chroot-BIND-HOWTO


- I got stuck in the 2.5.1 (syslog) part, when I went to the /chroot/named/dev, I got "log=" instead of "log", and it wasn't logging anything (i would stop named, and re-run named)

- I also got stuck in the 3.1 part about "modifying paths". There was no "src/port/linux/Makefile.set" in my distro, I also went to "/usr/src/linux/makefile" to check if maybe that was the file to modify, but I didn't see "DESTRUN=/var/run" or the like anywhere

So in actuality I couldn't proceed further than 2.5.1 and beyond because of the major differences in content between the instructions and my distro. I'm guessing the doc isn't up to date.

Any help is appreciated

The easiest way is to use bind's built-in chroot features. I'm not sure when it was added, but it is present in BIND 9.2.3. You do that by adding the "-t" & "-u" options when you start it. On Slackware, you'd just need to modify the startup script at /etc/rc.d/rc.bind. At the top, change the start_bind function to something like this:
In the above, "/chroot/named" is where bind will be chrooted and "named" is the username it will run as.

There is also some additional steps you'll need to take to set it all up. First, create the user and group:
Second, you'll need to setup your chroot directory. Assuming, you're using "/chroot/named", just do the following:

Bind will need access to a few devices, so add those:
You'll need to copy /etc/localtime & /etc/named.conf to the jail:
Then to setup the var directory, do this:
Now copy your zone files into the chroot jail, I assume you have a working DNS server already:
Here's a listing of mine, for reference:
Your's will likely be different. I run a split-DNS where the outside world can only see what's in mydomain.org.zone and then I resolve for PCs on my LAN in the separate mydomain-intern.org.zone & reverse DNS files.

About the log issue. What I do is have bind keep it's own log, separate from syslogd. You can do that by adding something like this to your named.conf:
Also, once you restart bind you can confirm it's running in it's jail by looking at it's root in /proc.
BTW, I'm running BIND 9.2.3 under Slackware 10, so this setup should work fine for you as well. There is a detailed BIND manual in PDF format floating around somewhere, but I can't locate it at the moment. That document will help a great deal when setting BIND. If I find it, I'll post the link. I think that's it, good luck.

The manual I'm refering to is called the BIND 9 Administrator Reference Manual and it's distributed with bind in html format. You can find it on Slackware 10 at /usr/doc/bind-9.2.3/arm. Multiple versions of it are available online in html format at http://www.bind9.net/manuals. The PDF version use to be on the developer's website at http://www.isc.org/index.pl?/sw/bind/ but I don't see it there now. You can find at various places online though.

omg thank you for the detailed explanation and instruction. I seriously appreciate your help.

I can't seem to get it running after i've gong through your instructions.

i have a question:

When you tell me to edit the named.conf file in this tutorial, which named.conf do you want me to edit, the once in the chroot dir or the "out from" the chroot dir?

I edited both and it still doesn't work.

I did a ./rc.bind start, then I did a ./rc.bind stop and it gives me this message:

"named: no prcess killed"
---EDIT---

named works, when i just run it normally without the switches in the rc.bind file

also

when i run /usr/local/sbin/named -t /chroot/named/, it works
but when i use the -u named switch, it doesn't work

maybe it's a permission thing?
---EDIT---
ok, I changed the ownership of all the contents in /chroot/named/ to "named" and now the full command "/usr/local/sbin/named -t /chroot/named/ -u named"works. Is this OK?

---EDIT---
Now another problem arises:

I can't get that logging thing to work. I copied it exactly as you typed it out on both named.conf files, and now named won't run.

Ok, make sure you didn't already have a "logging" section in your named.conf file, and now have 2. Also make sure there isn't a typo somewhere, like a missing brace, semi-colon, and etc. And check the logs for any errors, namely /var/log/messages, to see if you can identify the problem. If that's no help, try tracing it with strace. Otherwise, edit out anything revealing like your IPs, rndc key, and etc and post your named.conf.

Also, when running bind in this manner, you will not need the /etc/named.conf file at all anymore. You'd instead need /chroot/named/etc/named.conf which to bind is /etc/named.conf since the only files bind can see or access are those located within the chroot jail. In other words, named will switch to the chroot jail and to user "named" prior to accessing named.conf. However, until you get all the kinks worked out, I'd leave the default "known-working" setup intact as-is and only edit files within the chroot jail if needed.

As far as permissions go, probably the easiest way for me to show you what works for me, is to simply list them as they are on my system, so here goes:
So essentially, the only directories owned by the user "named" are /chroot/named/var/log, /chroot/named/var/named, and /chroot/named/var/run/named, and the files within them. Those are the only ones named needs write access to. And technically, if you're using static zone files, named doesn't need write access or ownership to the zone files either. If you were using a dynamic DNS setup, then named would need write access to /chroot/named/var/named in order to write the updates.

Yeah I made a typo. haha. Thanks for the help again, I appreciate it. It all works now.

Is it a security risk to change owner for /chroot/named to "named"? cuz that's what i did.

EDIT-- fixed typo

Well technically, I'd say yes. Keep in mind that I'm not, nor do I claim to be, a security specialist, but there are several in this forum. But yeah, as a general rule from a security standpoint, you only want to allow whatever access is required to complete the task. In this case, bind needs only read access to most of it and write access only to the directories where it will create it's logs, pid file and etc. Additionally, you could get really paranoid and set the immutable bit on your zone files and named.conf. ie:

That way even if someone gains access through bind and manages to somehow get root, they still can't edit the files. Anyway, just depends on how far you want to take it and since you went to the trouble of chrooting it to begin with, you may as well get it as tight as possible.

Ok I understand. Thanks for your help again.