Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-31-2005, 07:53 PM | #1 | Member | Registered: Mar 2005 | Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom) | Posts: 166
Chroot bind 9.3.0 in slackware 10 - noobie
Just set up my own domain server, and I want to run bind with a non-root user.
Anyone have any instructions or explanations on how to do this?
I read a bunch of documentation on how to chroot bind 9. I can apply most of the commands to execute, but there are some differences which I can't apply to slackware 10.
A how-to I followed:
hxxp://mirrors.evrocom.net/slackware/slackware-8.0/docs/Linux-HOWTO/Chroot-BIND-HOWTO
- I got stuck in the 2.5.1 (syslog) part. When I went to the /chroot/named/dev, I got "log=" instead of "log", and it wasn't logging anything (I would stop named and re-run named).
- I also got stuck in the 3.1 part about "modifying paths". There was no "src/port/linux/Makefile.set" in my distro. I also went to "/usr/src/linux/makefile" to check if maybe that was the file to modify, but I didn't see "DESTRUN=/var/run" or the like anywhere.
So in actuality I couldn't proceed further than 2.5.1 because of the major differences in content between the instructions and my distro. I'm guessing the doc isn't up to date.
Any help is appreciated.
04-01-2005, 12:52 AM | #2 | Member | Registered: Oct 2003 | Location: Planet Earth | Distribution: Slackware, LFS | Posts: 561
The easiest way is to use bind's built-in chroot features. I'm not sure when it was added, but it is present in BIND 9.2.3. You do that by adding the "-t" & "-u" options when you start it. On Slackware, you'd just need to modify the startup script at /etc/rc.d/rc.bind. At the top, change the start_bind function to something like this:
Code:
bind_start() {
    if [ -x /usr/sbin/named ]; then
        echo "Starting BIND: /usr/sbin/named"
        /usr/sbin/named -t /chroot/named/ -u named
    fi
}
In the above, "/chroot/named" is where bind will be chrooted and "named" is the username it will run as.
There are also some additional steps you'll need to take to set it all up. First, create the user and group:
Code:
groupadd named
useradd -d /var/named -g named -s /bin/false named
Second, you'll need to set up your chroot directory. Assuming you're using "/chroot/named", just do the following:
Code:
mkdir -p /chroot/named/{dev,etc,var}
Bind will need access to a few devices, so add those:
Code:
mknod /chroot/named/dev/null c 1 3
mknod /chroot/named/dev/random c 1 8
mknod /chroot/named/dev/zero c 1 5
chmod a+w /chroot/named/dev/*
You'll need to copy /etc/localtime & /etc/named.conf to the jail:
Code:
cp /etc/localtime /chroot/named/etc
cp /etc/named.conf /chroot/named/etc
Then to set up the var directory, do this:
Code:
mkdir -p /chroot/named/var/{log,named,run}
mkdir /chroot/named/var/run/named
chown named:named /chroot/named/var/run/named
chown named:named /chroot/named/var/{log,named}
Now copy your zone files into the chroot jail. I assume you have a working DNS server already:
Code:
cp /var/named/* /chroot/named/var/named
Here's a listing of mine, for reference:
Code:
-rw-r--r-- 1 named named 188 Dec 2 2003 0.0.127.in-addr.arpa.zone
-rw-r--r-- 1 named named 337 Dec 27 00:18 0.168.192.in-addr.arpa.zone
-rw-r--r-- 1 named named 246 Dec 2 2003 XX.XX.XX.in-addr.arpa.zone
-rw-r--r-- 1 named named 810 Dec 28 23:55 mydomain-intern.org.zone
-rw-r--r-- 1 named named 651 Dec 3 00:37 mydomain.org.zone
-rw-r--r-- 1 named named 172 Dec 2 2003 localhost.zone
-rw-r--r-- 1 named named 1501 Dec 2 2003 named.ca
-rw-r--r-- 1 named named 433 Dec 2 2003 named.local
-rw-r--r-- 1 named named 1060791 Dec 2 2003 named.run
Yours will likely be different. I run a split-DNS where the outside world can only see what's in mydomain.org.zone, and then I resolve for PCs on my LAN in the separate mydomain-intern.org.zone & reverse DNS files.
About the log issue. What I do is have bind keep its own log, separate from syslogd. You can do that by adding something like this to your named.conf:
Code:
// Logging options
logging {
    channel "bind_log" {
        file "/var/log/named.log" versions 5 size 100k;
        // Levels in order -- critical | error | warning | notice
        // | info | debug [ level ] | dynamic
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default {
        "bind_log";
    };
};
Also, once you restart bind you can confirm it's running in its jail by looking at its root in /proc.
Code:
root@gateway:~# ls -l /proc/`pidof named`/root
lrwxrwxrwx 1 root root 0 Apr 1 00:40 /proc/2484/root -> /chroot/named/
BTW, I'm running BIND 9.2.3 under Slackware 10, so this setup should work fine for you as well. There is a detailed BIND manual in PDF format floating around somewhere, but I can't locate it at the moment. That document will help a great deal when setting up BIND. If I find it, I'll post the link. I think that's it, good luck.
04-01-2005, 01:12 AM | #3 | Member | Registered: Oct 2003 | Location: Planet Earth | Distribution: Slackware, LFS | Posts: 561
The manual I'm referring to is called the BIND 9 Administrator Reference Manual and it's distributed with bind in html format. You can find it on Slackware 10 at /usr/doc/bind-9.2.3/arm. Multiple versions of it are available online in html format at http://www.bind9.net/manuals. The PDF version used to be on the developer's website at http://www.isc.org/index.pl?/sw/bind/ but I don't see it there now. You can find it at various places online though.
04-01-2005, 01:25 PM | #4 | Member | Registered: Mar 2005 | Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom) | Posts: 166 | Original Poster
OMG, thank you for the detailed explanation and instruction. I seriously appreciate your help.
I can't seem to get it running after I've gone through your instructions.
I have a question:
When you tell me to edit the named.conf file in this tutorial, which named.conf do you want me to edit, the one in the chroot dir or the one "out from" the chroot dir?
I edited both and it still doesn't work.
I did a ./rc.bind start, then I did a ./rc.bind stop and it gives me this message:
"named: no process killed"
---EDIT---
named works when I just run it normally without the switches in the rc.bind file.
Also,
when I run /usr/local/sbin/named -t /chroot/named/, it works,
but when I use the -u named switch, it doesn't work.
Maybe it's a permission thing?
---EDIT---
OK, I changed the ownership of all the contents in /chroot/named/ to "named" and now the full command "/usr/local/sbin/named -t /chroot/named/ -u named" works. Is this OK?
Last edited by houler; 04-01-2005 at 04:01 PM.
04-01-2005, 04:02 PM | #5 | Member | Registered: Mar 2005 | Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom) | Posts: 166 | Original Poster
---EDIT---
Now another problem arises:
I can't get that logging thing to work. I copied it exactly as you typed it out on both named.conf files, and now named won't run.
04-01-2005, 04:25 PM | #6 | Member | Registered: Oct 2003 | Location: Planet Earth | Distribution: Slackware, LFS | Posts: 561
OK, make sure you didn't already have a "logging" section in your named.conf file, and now have 2. Also make sure there isn't a typo somewhere, like a missing brace, semicolon, etc. And check the logs for any errors, namely /var/log/messages, to see if you can identify the problem. If that's no help, try tracing it with strace. Otherwise, edit out anything revealing like your IPs, rndc key, etc. and post your named.conf.
Also, when running bind in this manner, you will not need the /etc/named.conf file at all anymore. You'd instead need /chroot/named/etc/named.conf which to bind is /etc/named.conf since the only files bind can see or access are those located within the chroot jail. In other words, named will switch to the chroot jail and to user "named" prior to accessing named.conf. However, until you get all the kinks worked out, I'd leave the default "known-working" setup intact as-is and only edit files within the chroot jail if needed.
As far as permissions go, probably the easiest way for me to show you what works for me, is to simply list them as they are on my system, so here goes:
Code:
root@gateway:/chroot# ls -l
total 1180
drwxr-xr-x 10 root sys 4096 Sep 27 2004 httpd/
drwxr-xr-x 7 root sys 4096 Sep 20 2004 mysql/
drwxr-xr-x 5 root root 4096 Dec 2 2003 named/
Code:
root@gateway:/chroot/named# ls -lR
.:
total 12
drwxr-xr-x 2 root root 4096 Dec 2 2003 dev/
drwxr-xr-x 2 root root 4096 Apr 1 00:40 etc/
drwxr-xr-x 5 root root 4096 Dec 2 2003 var/
./dev:
total 0
crw-rw-rw- 1 root root 1, 3 Dec 2 2003 null
crw-rw-rw- 1 root root 1, 8 Dec 2 2003 random
crw-rw-rw- 1 root root 1, 5 Dec 2 2003 zero
./etc:
total 20
-rw-r--r-- 1 root root 1279 Dec 2 2003 localtime
-rw-r--r-- 1 root root 4080 Jan 1 01:34 named.conf
./var:
total 12
drwxr-xr-x 2 named named 4096 Jul 4 2004 log/
drwxr-xr-x 2 named named 4096 Feb 12 01:09 named/
drwxr-xr-x 3 root root 4096 Dec 2 2003 run/
./var/log:
total 1372
-rw-r--r-- 1 named named 80294 Apr 1 16:03 named.log
-rw-r--r-- 1 named named 1310886 Jul 4 2004 named.log.0
./var/named:
total 1104
-rw-r--r-- 1 named named 188 Dec 2 2003 0.0.127.in-addr.arpa.zone
-rw-r--r-- 1 named named 337 Dec 27 00:18 0.168.192.in-addr.arpa.zone
-rw-r--r-- 1 named named 246 Dec 2 2003 xx.xx.xx.in-addr.arpa.zone
-rw-r--r-- 1 named named 810 Dec 28 23:55 mydomain-intern.org.zone
-rw-r--r-- 1 named named 651 Dec 3 00:37 mydomain.org.zone
-rw-r--r-- 1 named named 172 Dec 2 2003 localhost.zone
-rw-r--r-- 1 named named 1501 Dec 2 2003 named.ca
-rw-r--r-- 1 named named 433 Dec 2 2003 named.local
-rw-r--r-- 1 named named 1060791 Dec 2 2003 named.run
./var/run:
total 4
drwxr-xr-x 2 named named 4096 Apr 1 16:03 named/
./var/run/named:
total 4
-rw-r--r-- 1 named named 6 Apr 1 16:03 named.pid
So essentially, the only directories owned by the user "named" are /chroot/named/var/log, /chroot/named/var/named, and /chroot/named/var/run/named, and the files within them. Those are the only ones named needs write access to. And technically, if you're using static zone files, named doesn't need write access or ownership to the zone files either. If you were using a dynamic DNS setup, then named would need write access to /chroot/named/var/named in order to write the updates.
04-01-2005, 04:41 PM | #7 | Member | Registered: Mar 2005 | Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom) | Posts: 166 | Original Poster
Yeah I made a typo. haha. Thanks for the help again, I appreciate it. It all works now.
Is it a security risk to change owner for /chroot/named to "named"? Because that's what I did.
EDIT-- fixed typo
Last edited by houler; 04-01-2005 at 05:06 PM.
04-01-2005, 05:41 PM | #8 | Member | Registered: Oct 2003 | Location: Planet Earth | Distribution: Slackware, LFS | Posts: 561
Well technically, I'd say yes. Keep in mind that I'm not, nor do I claim to be, a security specialist, but there are several in this forum. But yeah, as a general rule from a security standpoint, you only want to allow whatever access is required to complete the task. In this case, bind needs only read access to most of it and write access only to the directories where it will create its logs, pid file, etc. Additionally, you could get really paranoid and set the immutable bit on your zone files and named.conf, i.e.:
Code:
chattr +i /chroot/named/etc/named.conf
That way even if someone gains access through bind and manages to somehow get root, they still can't edit the files. Anyway, just depends on how far you want to take it and since you went to the trouble of chrooting it to begin with, you may as well get it as tight as possible.
Last edited by DaHammer; 04-01-2005 at 05:43 PM.
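Pulling together the setup from post #2 and the ownership and troubleshooting advice from posts #6 and #8, here is an added POSIX shell script (my own, not posted by anyone in the thread) that audits a jail root for paths the service user owns outside the three directories named needs to write, lists config and zone files that are group- or world-writable, and syntax-checks the jailed named.conf with named-checkconf when that tool is installed. The jail path and user name are passed as arguments; the function names are mine.

```shell
#!/bin/sh
# Added example: sanity checks for a BIND chroot jail built the way the thread
# describes (named started with -t JAIL -u USER). Function names are mine.
# Usage: jail_audit /chroot/named named; jail_loose_files /chroot/named;
#        jail_checkconf /chroot/named

# Print (to stderr) every path under the jail owned by the service user that is
# NOT inside var/log, var/named or var/run/named, the only places named needs
# to write. Prints the count on stdout; 0 means ownership matches post #6's
# listing. The jail root itself counts, so a chown of /chroot/named shows up.
jail_audit() {
    jail=${1%/}; user=$2
    find "$jail" -user "$user" 2>/dev/null | awk -v jail="$jail" '
        {
            rel = substr($0, length(jail) + 1)
            if (rel ~ /^\/var\/(log|named|run\/named)(\/|$)/) next
            print "owned by service user outside writable dirs: " $0 > "/dev/stderr"
            n++
        }
        END { print n + 0 }'
}

# List config and zone files writable by group or others. Static zones and
# named.conf should be root-owned and read-only for everyone else; dev/ is
# skipped because the device nodes are deliberately a+w.
jail_loose_files() {
    jail=${1%/}
    find "$jail/etc" "$jail/var/named" -type f \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# Syntax-check the jailed named.conf the way named will see it: -t makes
# named-checkconf chroot first, so the path is relative to the jail. Catches
# the missing brace / semicolon mistakes discussed in the thread before a
# restart takes the server down.
jail_checkconf() {
    jail=${1%/}
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$jail" /etc/named.conf
    else
        echo "named-checkconf not installed; skipping syntax check" >&2
        return 0
    fi
}

# Confirm a running named really has the jail as its root (the /proc check
# from post #2). Needs a running named and a Linux /proc.
named_jail_root() {
    pid=$(pgrep -xo named) || return 1
    readlink "/proc/$pid/root"
}
```

Run `jail_audit` and `jail_loose_files` as root after the chown steps; an empty `jail_loose_files` result and a `jail_audit` count of 0 mean the jail matches the thread's tightest layout.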
04-01-2005, 05:53 PM | #9 | Member | Registered: Mar 2005 | Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom) | Posts: 166 | Original Poster
OK, I understand. Thanks for your help again.