21.6. Run ISC BIND/DNS in a chroot jail

The main benefit of a chroot jail is that the jail will limit the portion of the file system the DNS daemon program can see to the root directory of the jail. Additionally, since the jail only needs to support DNS, the programs related to ISC BIND/DNS available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail.

Important: The named binary program must be in a directory listed within your PATH environment variable for this to work. For the rest of the documentation, I'll assume the path of your original named program is /usr/sbin/named.

The following are the necessary steps to run ISC BIND/DNS software in a chroot jail:

We must first find the shared library dependencies of named, the DNS daemon. These will need to be copied into the chroot jail later.

  1. To find the shared library dependencies of named, execute the following command:
     [root@deep] /# ldd /usr/sbin/named
     => /lib/ (0x40017000)
     /lib/ => /lib/ (0x40000000)

  2. Make a note of the files listed above; you will need these later in our steps.

Now we must set up the chroot environment, and create the root directory of the jail. We've chosen /chroot/named because we want to put this on its own separate file system to prevent file system attacks. Early in our Linux installation procedure we created a special partition /chroot for this purpose.

  1. Stop any running named daemon and create the root directory of the jail:
     [root@deep] /# /etc/rc.d/init.d/named stop
     Shutting down named:                              [  OK  ]
     [root@deep] /# mkdir -p /chroot/named

     The stop command is required only if an existing named daemon is running.

  2. Next, create the rest of directories as follows:
     [root@deep] /# mkdir /chroot/named/dev
     [root@deep] /# mkdir /chroot/named/lib
     [root@deep] /# mkdir /chroot/named/etc
     [root@deep] /# mkdir -p /chroot/named/usr/sbin
     [root@deep] /# mkdir -p /chroot/named/var/run
     [root@deep] /# mkdir /chroot/named/var/named

  3. Now copy the main configuration file, the zone files, the named and the named-xfer programs into the appropriate places in the chroot jail directory:
     [root@deep] /# cp /etc/named.conf /chroot/named/etc/
     [root@deep] /# cd /var/named ; cp -a . /chroot/named/var/named/
     [root@deep] /# mknod /chroot/named/dev/null c 1 3
     [root@deep] /# chmod 666 /chroot/named/dev/null
     [root@deep] /# cp /usr/sbin/named /chroot/named/usr/sbin/
     [root@deep] /# cp /usr/sbin/named-xfer /chroot/named/usr/sbin/

    Important: On a slave server (and only on a slave server), the /chroot/named/var/named directory and all files in it must be owned by the named user, the user the daemon runs as; otherwise named cannot write the zone files it receives and zone transfers will fail.

  4. To make the named directory and all its files owned by the named user on the slave server, use the command:
     [root@deep] /# chown -R named.named /chroot/named/var/named/

Copy the shared libraries identified above to the chrooted lib directory:
 [root@deep] /# cp /lib/ /chroot/named/lib/
 [root@deep] /# cp /lib/ /chroot/named/lib/

Copy the localtime and nsswitch.conf files to the chrooted etc directory so that log entries are adjusted for your local timezone properly:
 [root@deep] /# cp /etc/localtime /chroot/named/etc/
 [root@deep] /# cp /etc/nsswitch.conf /chroot/named/etc/

Set the immutable bit on some files under the /chroot/named/etc directory for better security:

  1. Set the immutable bit on the nsswitch.conf file:
     [root@deep] /# cd /chroot/named/etc/
     [root@deep etc]# chattr +i nsswitch.conf

  2. Set the immutable bit on the named.conf file:
     [root@deep] /# cd /chroot/named/etc/
     [root@deep etc]# chattr +i named.conf
    A file with the +i attribute cannot be modified, deleted or renamed; no link can be created to it and no data can be written to it. Only the superuser can set or clear this attribute.

Add a new UID and a new GID for running the named daemon if they are not already set. This is important because running it as root defeats the purpose of the jail, and reusing a user id that already exists on the system can allow your services to access each other's resources. Check the /etc/passwd and /etc/group files for a free UID/GID number. In our example we'll use the number 53 and the name named (the comment passed to -c must be quoted, since it contains a space):
 [root@deep] /# useradd -c "DNS Server" -u 53 -s /bin/false -r -d /chroot/named named 2>/dev/null || :
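The steps above as a script (an added example, not part of the original guide): it parses the ldd output into library paths, creates the jail tree, and copies named, its libraries, the configuration, zone files and /dev/null into the jail. The jail root and binary path default to the guide's /chroot/named and /usr/sbin/named; libraries keep their absolute path inside the jail, which covers the guide's /lib case and generalises to /lib64 or multiarch directories.

```shell
#!/bin/sh
# Added example, not from the original guide: automates the jail build
# steps above (directory tree, named binary, shared libraries, config,
# zone files, /dev/null).  Paths default to the ones the guide uses.

# Turn ldd output into one library path per line.  Handles both
# "libc.so.6 => /lib/libc.so.6 (0x...)" and the loader's bare
# "/lib/ld-linux.so.2 (0x...)" form; the kernel's linux-vdso entry,
# which has no file to copy, is skipped.
libs_from_ldd() {
    awk '/=>/ && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//          { print $1 }'
}

# Create the directory layout from the guide under $1.
make_jail_tree() {
    root=${1:-/chroot/named}
    for d in dev lib etc usr/sbin var/run var/named; do
        mkdir -p "$root/$d" || return 1
    done
}

# Copy named, its libraries, config and zone files into the jail.
# Libraries keep their absolute path inside the jail (the guide's
# /lib -> /chroot/named/lib case, generalised to /lib64 etc.).
# Must run as root: mknod and chown need it, and the named user
# from the useradd step above must already exist.
populate_jail() {
    root=${1:-/chroot/named}
    bin=${2:-/usr/sbin/named}
    make_jail_tree "$root" || return 1
    cp "$bin" "$root/usr/sbin/"
    if [ -x /usr/sbin/named-xfer ]; then          # BIND 8 only
        cp /usr/sbin/named-xfer "$root/usr/sbin/"
    fi
    ldd "$bin" | libs_from_ldd | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib"
    done
    cp /etc/named.conf /etc/localtime /etc/nsswitch.conf "$root/etc/"
    cp -a /var/named/. "$root/var/named/"
    [ -e "$root/dev/null" ] || mknod "$root/dev/null" c 1 3
    chmod 666 "$root/dev/null"
    chown -R named:named "$root/var/named"     # required on slave servers
}
```

Run `populate_jail` as root after creating the named user; the chattr +i steps from the guide still follow by hand.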

  Published under the terms of the Open Publication License.