The main benefit of a chroot jail is that it limits the portion of the file system the DNS daemon can see to the root directory of the jail. Additionally, since the jail only needs to support DNS, the set of programs and libraries related to ISC BIND/DNS placed in the jail can be kept extremely small. Most importantly, the jail needs no setuid-root programs, which are the usual means of regaining root and breaking out of a chroot.
The named binary program must be in a directory listed in your PATH environment variable for this to work. For the rest of the documentation, I'll assume the path of your original named program is /usr/sbin/named.
The following are the necessary steps to run ISC BIND/DNS software in a chroot jail. They copy the named binary (and BIND 8's named-xfer helper) into the jail by hand; note that BIND 9's named can instead chroot itself with -t /chroot/named and drop privileges with -u named, in which case the jail must still hold the configuration, zone files and /dev/null, but not the binary or its libraries, because the chroot happens after named has started.
We must find the shared library dependencies of named (the DNS daemon), because a chrooted program can only load libraries that exist inside the jail. These will be copied into the chroot jail later. To find the shared library dependencies of named, execute the following command:
[root@deep] /# ldd /usr/sbin/named
libc.so.6 => /lib/libc.so.6 (0x40017000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
Make a note of the files ldd lists on your system; the paths and versions will differ from this example, so copy what your own ldd prints, not the lines above. You will need these later in our steps.
Now we must set up the chroot environment and create the root directory of the jail. We've chosen /chroot/named because we want to put this on its own separate file system, so that it can be mounted with its own restrictive options and is isolated from the rest of the disk. Early in our Linux installation procedure we created a special partition /chroot for this purpose.
[root@deep] /# /etc/rc.d/init.d/named stop
Shutting down named: [ OK ]
[root@deep] /# mkdir -p /chroot/named
Next, create the rest of directories as follows:
[root@deep] /# mkdir /chroot/named/dev
[root@deep] /# mkdir /chroot/named/lib
[root@deep] /# mkdir /chroot/named/etc
[root@deep] /# mkdir -p /chroot/named/usr/sbin
[root@deep] /# mkdir -p /chroot/named/var/run
[root@deep] /# mkdir /chroot/named/var/named
Now copy the main configuration file, the zone files, the named program and the named-xfer program (the BIND 8 zone-transfer helper; skip it if your BIND has no such program) into the appropriate places in the chroot jail directory. The daemon needs a /dev/null inside the jail, which is created with mknod rather than copied:
[root@deep] /# cp /etc/named.conf /chroot/named/etc/
[root@deep] /# cd /var/named ; cp -a . /chroot/named/var/named/
[root@deep] /# mknod /chroot/named/dev/null c 1 3
[root@deep] /# chmod 666 /chroot/named/dev/null
[root@deep] /# cp /usr/sbin/named /chroot/named/usr/sbin/
[root@deep] /# cp /usr/sbin/named-xfer /chroot/named/usr/sbin/
On a slave (secondary) server, the /chroot/named/var/named directory and all files in it must be owned by the user the daemon runs as (named): named writes the zone files it receives by zone transfer there, and if root owns the directory the transfer fails. A master only reads its zone files (unless it accepts dynamic updates), so this ownership change is needed on slave servers only. To give the named user ownership of the directory and all its files, use the command:
[root@deep] /# chown -R named.named /chroot/named/var/named/
Copy the shared libraries identified above to the chrooted lib directory:
[root@deep] /# cp /lib/libc.so.6 /chroot/named/lib/
[root@deep] /# cp /lib/ld-linux.so.2 /chroot/named/lib/
Copy the localtime and nsswitch.conf files to the chrooted etc directory. localtime lets named stamp its log entries in your local timezone; nsswitch.conf tells the C library how to look up user, group and host names, which it needs inside the jail just as it does outside:
[root@deep] /# cp /etc/localtime /chroot/named/etc/
[root@deep] /# cp /etc/nsswitch.conf /chroot/named/etc/
We must set some files under the /chroot/named/etc directory with the immutable bit enabled for better security (chattr works on ext2-family file systems):
Set the immutable bit on the nsswitch.conf file:
[root@deep] /# cd /chroot/named/etc/
[root@deep etc]# chattr +i nsswitch.conf
Set the immutable bit on the named.conf file:
[root@deep] /# cd /chroot/named/etc/
[root@deep etc]# chattr +i named.conf
A file with the +i attribute cannot be modified, deleted or renamed; no link can be created to it and no data can be written to it. Only the superuser can set or clear this attribute, so remember to run chattr -i on named.conf before editing it and chattr +i again afterwards.
Add a new UID and a new GID for running the named daemon if they are not already set. This is important because running it as root defeats the purpose of the jail, and reusing a user id that belongs to another service lets the two services access each other's resources.
Check the /etc/passwd and /etc/group files for a free UID/GID number. In our example we'll use the number 53 and the name named:
[root@deep] /# useradd -c "DNS Server" -u 53 -s /bin/false -r -d /chroot/named named 2>/dev/null || :
The comment must be quoted: without the quotes the shell passes Server as the login name. The trailing 2>/dev/null || : makes the command succeed silently if the user already exists. If the named user did not yet exist when you ran the chown -R above, that chown will have failed; rerun it now so the zone directory belongs to the new user.
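The procedure above as one POSIX shell script, with the two checks a practitioner wants before starting named in the jail: every library that ldd reports is actually present inside the jail, and nothing setuid, setgid or world-writable exists there. This is an added example, not code from the original book or from ISC BIND. The function names are mine, and JAIL and NAMED are assumed defaults that can be overridden from the environment; only build_jail needs root, the parsing and audit functions run as any user.

```shell
#!/bin/sh
# Added example (not part of the original text): build the named chroot
# skeleton and audit it. Assumed, overridable paths: JAIL and NAMED.
# Root is required only by build_jail (mknod, chown, useradd, chattr).
set -u
JAIL=${JAIL:-/chroot/named}
NAMED=${NAMED:-/usr/sbin/named}

# Directory layout used by the steps above.
make_jail_tree() {
  jail=$1
  for d in dev lib etc usr/sbin var/run var/named; do
    mkdir -p "$jail/$d" || return 1
  done
}

# Read ldd output on stdin, print one absolute library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib/ld-linux.so.2 (0x...)"; the vdso pseudo-library has no path and is skipped.
parse_ldd() {
  awk '/=>/ { if ($3 ~ /^\//) print $3; next }
       $1 ~ /^\// { print $1 }'
}

# Copy each library path read from stdin into the jail at the same path,
# so the dynamic loader finds it where it expects.
install_libs() {
  jail=$1
  while IFS= read -r lib; do
    mkdir -p "$jail$(dirname "$lib")" && cp "$lib" "$jail$lib" || return 1
  done
}

# Print the library paths (stdin) that are absent from the jail.
missing_libs() {
  jail=$1
  while IFS= read -r lib; do
    [ -e "$jail$lib" ] || printf '%s\n' "$lib"
  done
}

# Hygiene check: no setuid/setgid files (the break-out vector the text warns
# about) and no world-writable files. Returns 1 and lists offenders if found.
audit_jail() {
  jail=$1
  bad=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \))
  [ -z "$bad" ] && return 0
  printf 'suspicious files in %s:\n%s\n' "$jail" "$bad" >&2
  return 1
}

# Full build as root, mirroring the copy/mknod/useradd/chown/chattr steps.
build_jail() {
  [ "$(id -u)" -eq 0 ] || { echo "build_jail must run as root" >&2; return 1; }
  make_jail_tree "$JAIL" || return 1
  cp /etc/named.conf /etc/localtime /etc/nsswitch.conf "$JAIL/etc/" || return 1
  (cd /var/named && cp -a . "$JAIL/var/named/") || return 1
  for p in "$NAMED" /usr/sbin/named-xfer; do   # named-xfer exists in BIND 8 only
    [ -x "$p" ] && cp "$p" "$JAIL/usr/sbin/"
  done
  [ -c "$JAIL/dev/null" ] || { mknod "$JAIL/dev/null" c 1 3 && chmod 666 "$JAIL/dev/null"; }
  ldd "$NAMED" | parse_ldd | install_libs "$JAIL" || return 1
  # The user must exist before chown can assign ownership to it.
  id named >/dev/null 2>&1 || useradd -c "DNS Server" -u 53 -s /bin/false -r -d "$JAIL" named
  chown -R named:named "$JAIL/var/named" || return 1
  chattr +i "$JAIL/etc/named.conf" "$JAIL/etc/nsswitch.conf"
  left=$(ldd "$NAMED" | parse_ldd | missing_libs "$JAIL")
  [ -z "$left" ] || { printf 'libraries missing from jail:\n%s\n' "$left" >&2; return 1; }
  audit_jail "$JAIL"
}
```

Run `build_jail` as root after sourcing the script; a non-zero return with a list of missing libraries or suspicious files means the jail is not ready and named should not be started in it. The audit is worth rerunning after any package upgrade that replaces named or libc, because the copies inside the jail do not update themselves.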