LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-31-2005, 07:53 PM   #1
houler
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Chroot bind 9.3.0 in slackware 10 - noobie


I just set up my own domain server, and I want to run bind as a non-root user.

Does anyone have any instructions or explanations on how to do this?

I read a bunch of documentation on how to chroot bind 9. I can apply most of the commands, but there are some differences which I can't apply to Slackware 10.

A how-to I followed:

hxxp://mirrors.evrocom.net/slackware/slackware-8.0/docs/Linux-HOWTO/Chroot-BIND-HOWTO


- I got stuck in the 2.5.1 (syslog) part: when I went to /chroot/named/dev, I got "log=" instead of "log", and it wasn't logging anything (I would stop named and re-run named).

- I also got stuck in the 3.1 part about "modifying paths". There was no "src/port/linux/Makefile.set" in my distro. I also went to "/usr/src/linux/makefile" to check if maybe that was the file to modify, but I didn't see "DESTRUN=/var/run" or the like anywhere.

So in actuality I couldn't proceed beyond 2.5.1 because of the major differences in content between the instructions and my distro. I'm guessing the doc isn't up to date.

Any help is appreciated.
 
Old 04-01-2005, 12:52 AM   #2
DaHammer
Distribution: Slackware, LFS
The easiest way is to use bind's built-in chroot features. I'm not sure when they were added, but they are present in BIND 9.2.3. You do that by adding the "-t" & "-u" options when you start it. On Slackware, you'd just need to modify the startup script at /etc/rc.d/rc.bind. At the top, change the bind_start function to something like this:
Code:
bind_start() {
  if [ -x /usr/sbin/named ]; then
    echo "Starting BIND:  /usr/sbin/named"
    # -t: chroot into this directory before named.conf is read
    # -u: drop root privileges and run as this user afterwards
    /usr/sbin/named -t /chroot/named/ -u named
  fi
}
In the above, "/chroot/named" is where bind will be chrooted and "named" is the username it will run as.

There are also some additional steps you'll need to take to set it all up. First, create the user and group:
Code:
groupadd named
useradd -d /var/named -g named -s /bin/false named
Second, you'll need to set up your chroot directory. Assuming you're using "/chroot/named", just do the following:

Code:
mkdir -p /chroot/named/{dev,etc,var}
Bind will need access to a few devices, so add those:
Code:
mknod /chroot/named/dev/null c 1 3
mknod /chroot/named/dev/random c 1 8
mknod /chroot/named/dev/zero c 1 5
chmod a+w /chroot/named/dev/*
You'll need to copy /etc/localtime & /etc/named.conf to the jail:
Code:
cp /etc/localtime /chroot/named/etc
cp /etc/named.conf /chroot/named/etc
Then, to set up the var directory, do this:
Code:
mkdir -p /chroot/named/var/{log,named,run}
mkdir /chroot/named/var/run/named
chown named:named /chroot/named/var/run/named
chown named:named /chroot/named/var/{log,named}
Now copy your zone files into the chroot jail; I assume you have a working DNS server already:
Code:
cp /var/named/* /chroot/named/var/named
Here's a listing of mine, for reference:
Code:
-rw-r--r--  1 named named     188 Dec  2  2003 0.0.127.in-addr.arpa.zone
-rw-r--r--  1 named named     337 Dec 27 00:18 0.168.192.in-addr.arpa.zone
-rw-r--r--  1 named named     246 Dec  2  2003 XX.XX.XX.in-addr.arpa.zone
-rw-r--r--  1 named named     810 Dec 28 23:55 mydomain-intern.org.zone
-rw-r--r--  1 named named     651 Dec  3 00:37 mydomain.org.zone
-rw-r--r--  1 named named     172 Dec  2  2003 localhost.zone
-rw-r--r--  1 named named    1501 Dec  2  2003 named.ca
-rw-r--r--  1 named named     433 Dec  2  2003 named.local
-rw-r--r--  1 named named 1060791 Dec  2  2003 named.run
Yours will likely be different. I run a split DNS where the outside world can only see what's in mydomain.org.zone, and then I resolve for PCs on my LAN in the separate mydomain-intern.org.zone & reverse DNS files.

About the log issue. What I do is have bind keep its own log, separate from syslogd. You can do that by adding something like this to your named.conf:
Code:
// Logging options
logging {
        channel "bind_log" {
                file "/var/log/named.log" versions 5 size 100k;
                // Levels in order -- critical | error | warning | notice
                // | info | debug [ level ] | dynamic
                severity info;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category default {
                "bind_log";
        };
};
Also, once you restart bind you can confirm it's running in its jail by looking at its root in /proc.
Code:
root@gateway:~# ls -l /proc/`pidof named`/root
lrwxrwxrwx  1 root root 0 Apr  1 00:40 /proc/2484/root -> /chroot/named/
BTW, I'm running BIND 9.2.3 under Slackware 10, so this setup should work fine for you as well. There is a detailed BIND manual in PDF format floating around somewhere, but I can't locate it at the moment. That document will help a great deal when setting up BIND. If I find it, I'll post the link. I think that's it, good luck.
 
Old 04-01-2005, 01:12 AM   #3
DaHammer
The manual I'm referring to is called the BIND 9 Administrator Reference Manual, and it's distributed with bind in HTML format. You can find it on Slackware 10 at /usr/doc/bind-9.2.3/arm. Multiple versions of it are available online in HTML format at http://www.bind9.net/manuals. The PDF version used to be on the developer's website at http://www.isc.org/index.pl?/sw/bind/ but I don't see it there now. You can find it at various places online though.
 
Old 04-01-2005, 01:25 PM   #4
houler
OMG, thank you for the detailed explanation and instruction. I seriously appreciate your help.

I can't seem to get it running after I've gone through your instructions.

I have a question:

When you tell me to edit the named.conf file in this tutorial, which named.conf do you want me to edit, the one in the chroot dir or the one outside the chroot dir?

I edited both and it still doesn't work.

I did a ./rc.bind start, then I did a ./rc.bind stop, and it gives me this message:

"named: no process killed"
---EDIT---

named works when I just run it normally without the switches in the rc.bind file.

Also:

When I run /usr/local/sbin/named -t /chroot/named/, it works,
but when I use the -u named switch, it doesn't work.

Maybe it's a permission thing?
---EDIT---
OK, I changed the ownership of all the contents in /chroot/named/ to "named", and now the full command "/usr/local/sbin/named -t /chroot/named/ -u named" works. Is this OK?

Last edited by houler; 04-01-2005 at 04:01 PM.
 
Old 04-01-2005, 04:02 PM   #5
houler
---EDIT---
Now another problem arises:

I can't get that logging thing to work. I copied it exactly as you typed it out on both named.conf files, and now named won't run.
 
Old 04-01-2005, 04:25 PM   #6
DaHammer
OK, make sure you didn't already have a "logging" section in your named.conf file and now have 2. Also make sure there isn't a typo somewhere, like a missing brace, semicolon, etc. And check the logs for any errors, namely /var/log/messages, to see if you can identify the problem. If that's no help, try tracing it with strace. Otherwise, edit out anything revealing like your IPs, rndc key, etc., and post your named.conf.

Also, when running bind in this manner, you will not need the /etc/named.conf file at all anymore. You'd instead need /chroot/named/etc/named.conf, which to bind is /etc/named.conf, since the only files bind can see or access are those located within the chroot jail. In other words, named will switch to the chroot jail and to user "named" prior to accessing named.conf. However, until you get all the kinks worked out, I'd leave the default "known-working" setup intact as-is and only edit files within the chroot jail if needed.

As far as permissions go, probably the easiest way for me to show you what works for me is to simply list them as they are on my system, so here goes:
Code:
root@gateway:/chroot# ls -l
total 1180
drwxr-xr-x  10 root sys     4096 Sep 27  2004 httpd/
drwxr-xr-x   7 root sys     4096 Sep 20  2004 mysql/
drwxr-xr-x   5 root root    4096 Dec  2  2003 named/
Code:
root@gateway:/chroot/named# ls -lR
.:
total 12
drwxr-xr-x  2 root root 4096 Dec  2  2003 dev/
drwxr-xr-x  2 root root 4096 Apr  1 00:40 etc/
drwxr-xr-x  5 root root 4096 Dec  2  2003 var/

./dev:
total 0
crw-rw-rw-  1 root root 1, 3 Dec  2  2003 null
crw-rw-rw-  1 root root 1, 8 Dec  2  2003 random
crw-rw-rw-  1 root root 1, 5 Dec  2  2003 zero

./etc:
total 20
-rw-r--r--  1 root root 1279 Dec  2  2003 localtime
-rw-r--r--  1 root root 4080 Jan  1 01:34 named.conf

./var:
total 12
drwxr-xr-x  2 named named 4096 Jul  4  2004 log/
drwxr-xr-x  2 named named 4096 Feb 12 01:09 named/
drwxr-xr-x  3 root  root  4096 Dec  2  2003 run/

./var/log:
total 1372
-rw-r--r--  1 named named   80294 Apr  1 16:03 named.log
-rw-r--r--  1 named named 1310886 Jul  4  2004 named.log.0

./var/named:
total 1104
-rw-r--r--  1 named named     188 Dec  2  2003 0.0.127.in-addr.arpa.zone
-rw-r--r--  1 named named     337 Dec 27 00:18 0.168.192.in-addr.arpa.zone
-rw-r--r--  1 named named     246 Dec  2  2003 xx.xx.xx.in-addr.arpa.zone
-rw-r--r--  1 named named     810 Dec 28 23:55 mydomain-intern.org.zone
-rw-r--r--  1 named named     651 Dec  3 00:37 mydomain.org.zone
-rw-r--r--  1 named named     172 Dec  2  2003 localhost.zone
-rw-r--r--  1 named named    1501 Dec  2  2003 named.ca
-rw-r--r--  1 named named     433 Dec  2  2003 named.local
-rw-r--r--  1 named named 1060791 Dec  2  2003 named.run

./var/run:
total 4
drwxr-xr-x  2 named named 4096 Apr  1 16:03 named/

./var/run/named:
total 4
-rw-r--r--  1 named named 6 Apr  1 16:03 named.pid
So essentially, the only directories owned by the user "named" are /chroot/named/var/log, /chroot/named/var/named, and /chroot/named/var/run/named, and the files within them. Those are the only ones named needs write access to. And technically, if you're using static zone files, named doesn't need write access to or ownership of the zone files either. If you were using a dynamic DNS setup, then named would need write access to /chroot/named/var/named in order to write the updates.
 
Old 04-01-2005, 04:41 PM   #7
houler
Yeah, I made a typo, haha. Thanks for the help again, I appreciate it. It all works now.

Is it a security risk to change the owner of /chroot/named to "named"? Because that's what I did.

EDIT-- fixed typo

Last edited by houler; 04-01-2005 at 05:06 PM.
 
Old 04-01-2005, 05:41 PM   #8
DaHammer
Well, technically, I'd say yes. Keep in mind that I'm not, nor do I claim to be, a security specialist, but there are several in this forum. But yeah, as a general rule from a security standpoint, you only want to allow whatever access is required to complete the task. In this case, bind needs only read access to most of it and write access only to the directories where it will create its logs, pid file, etc. Additionally, you could get really paranoid and set the immutable bit on your zone files and named.conf, i.e.:

Code:
chattr +i /chroot/named/etc/named.conf
That way even if someone gains access through bind and manages to somehow get root, they still can't edit the files. Anyway, just depends on how far you want to take it and since you went to the trouble of chrooting it to begin with, you may as well get it as tight as possible.


Last edited by DaHammer; 04-01-2005 at 05:43 PM.
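An added example, not part of the thread: a Python audit that applies the least-privilege rule DaHammer states in posts #6 and #8 to an `ls -lR` listing taken from the jail root. It parses the listing into path, mode, owner and group and flags anything outside var/log, var/named and var/run/named that the named user owns or could write to, so the blanket chown of /chroot/named discussed above shows up as a list of findings. The sample listings are constructed and abridged from the one posted in #6; the function and constant names are this example's own.

```python
"""Least-privilege audit for a chrooted BIND jail, applying the thread's rule: the service
user may own or write only var/log, var/named and var/run/named.  Input: `ls -lR` text."""
WRITABLE_BY_NAMED = ("var/log", "var/named", "var/run/named")  # from the thread

def parse_ls_lr(text):
    """Map relative path -> (mode, owner, group); ls -F '/' suffix stripped, no spaces in names."""
    entries, cwd = {}, ""
    for line in text.splitlines():
        if line.endswith(":"):                # "./etc:" opens a new directory
            cwd = line[:-1].lstrip("./")      # "." -> "", "./var/run" -> "var/run"
        elif line and not line.startswith("total"):
            f = line.split()                  # mode links owner group size date... name
            entries["/".join(filter(None, (cwd, f[-1].rstrip("/"))))] = (f[0], f[2], f[3])
    return entries

def audit_jail(listing, user="named"):
    """Return [(path, reason)] for entries giving `user` write access outside the allowed
    dirs.  Device nodes under dev/ are meant to be world-writable (mknod + chmod a+w above)."""
    problems = []
    for path, (mode, owner, group) in sorted(parse_ls_lr(listing).items()):
        if any(path == d or path.startswith(d + "/") for d in WRITABLE_BY_NAMED):
            continue                          # a legitimate write location
        if owner == user:
            problems.append((path, f"owned by {user}"))
        elif group == user and mode[5] == "w":
            problems.append((path, f"group-writable by {user}"))
        elif mode[8] == "w" and not path.startswith("dev/"):
            problems.append((path, "world-writable"))
    return problems
# Constructed, abridged listing in the shape of the one posted in the thread.
GOOD_JAIL = """.:
drwxr-xr-x  2 root root 4096 Dec  2  2003 dev/
drwxr-xr-x  2 root root 4096 Apr  1 00:40 etc/
drwxr-xr-x  5 root root 4096 Dec  2  2003 var/
./dev:
crw-rw-rw-  1 root root 1, 8 Dec  2  2003 random
./etc:
-rw-r--r--  1 root root 4080 Jan  1 01:34 named.conf
./var:
drwxr-xr-x  2 named named 4096 Jul  4  2004 log/
drwxr-xr-x  2 named named 4096 Feb 12 01:09 named/
drwxr-xr-x  3 root  root  4096 Dec  2  2003 run/
./var/run:
drwxr-xr-x  2 named named 4096 Apr  1 16:03 named/
"""
# The same jail after a blanket `chown -R named`, the shortcut taken in the thread.
CHOWNED_JAIL = GOOD_JAIL.replace(" root root ", " named named ").replace(" root  root ", " named named ")
if __name__ == "__main__":
    print("good jail:", audit_jail(GOOD_JAIL) or "OK")
    print("after chown -R:", audit_jail(CHOWNED_JAIL))
```

Run it against `ls -lR /chroot/named` output saved to a file to check a real jail; an empty result means only the three expected directories are writable by named.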
 
Old 04-01-2005, 05:53 PM   #9
houler
Ok I understand. Thanks for your help again.
 
  

