The main benefit of a chroot jail is that the jail will limit the portion of the file system the DNS daemon program can see to the root directory of the jail. Additionally, since the jail only needs to support DNS, the programs related to ISC BIND/DNS available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail.
The following are the necessary steps to run ISC BIND/DNS software in a chroot jail:
The named binary program must be in a directory listed within your PATH environment variable for this to work. For the rest of the documentation, I'll assume the path of your original named program is /usr/sbin/named.
We must find the shared library dependencies of named (the DNS daemon); these will need to be copied into the chroot jail later.
Now we must set up the chroot environment, and create the root directory of the jail. We've chosen /chroot/named because we want to put this on its own separate file system to prevent file system attacks. Early in our Linux installation procedure we created a special partition /chroot for this purpose.
- To find the shared library dependencies of named, execute the following command:
[root@deep] /# ldd /usr/sbin/named
        libc.so.6 => /lib/libc.so.6 (0x40017000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
- Make a note of the files listed above; you will need them in a later step.
Copy the shared libraries identified above to the chrooted lib directory:
Shutting down named: [ OK ]
[root@deep] /# mkdir -p /chroot/named
- Next, create the rest of the directories as follows:
[root@deep] /# mkdir /chroot/named/dev
[root@deep] /# mkdir /chroot/named/lib
[root@deep] /# mkdir /chroot/named/etc
[root@deep] /# mkdir -p /chroot/named/usr/sbin
[root@deep] /# mkdir -p /chroot/named/var/run
[root@deep] /# mkdir /chroot/named/var/named
- Now copy the main configuration file, the zone files, the named and the named-xfer programs into the appropriate places in the chroot jail directory:
[root@deep] /# cp /etc/named.conf /chroot/named/etc/
[root@deep] /# cd /var/named ; cp -a . /chroot/named/var/named/
[root@deep] /# mknod /chroot/named/dev/null c 1 3
[root@deep] /# chmod 666 /chroot/named/dev/null
[root@deep] /# cp /usr/sbin/named /chroot/named/usr/sbin/
[root@deep] /# cp /usr/sbin/named-xfer /chroot/named/usr/sbin/
Note: On the slave server (and only on the slave server), the /chroot/named/var/named directory and all files in it must be owned by the named user; otherwise the named process will not be able to write the zone files it receives in a zone transfer.
- To make the named directory and all its files owned by the named user on the slave server, use the command:
[root@deep] /# chown -R named.named /chroot/named/var/named/
[root@deep] /# cp /lib/libc.so.6 /chroot/named/lib/
[root@deep] /# cp /lib/ld-linux.so.2 /chroot/named/lib/
[root@deep] /# cp /etc/localtime /chroot/named/etc/
[root@deep] /# cp /etc/nsswitch.conf /chroot/named/etc/
Add a new UID and a new GID for running the named daemon if they are not already set. This is important because running it as root defeats the purpose of the jail, and reusing a user id that already exists on the system would allow your services to access each other's resources. Check the /etc/passwd and /etc/group files for a free UID/GID number. In our example we'll use the number 53 and the name named.
- Set the immutable bit on nsswitch.conf file:
[root@deep] /# cd /chroot/named/etc/
[root@deep etc]# chattr +i nsswitch.conf
- Set the immutable bit on named.conf file:
[root@deep] /# cd /chroot/named/etc/
[root@deep etc]# chattr +i named.conf
[root@deep] /# useradd -c "DNS Server" -u 53 -s /bin/false -r -d /chroot/named named 2>/dev/null || :
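The steps above (find the daemon's shared libraries with ldd, create the jail directory tree, copy the binary and its libraries in, create /dev/null) can be collected into one reusable script. The script below is an added example, not part of the original document: it assumes a POSIX sh with ldd, awk, cp and mkdir available, takes the jail root and the binaries as arguments instead of hard-coding /chroot/named and /usr/sbin/named, and only runs mknod when it is executed as root, since creating a device node needs that privilege. The missing_libs function is the check a practitioner wants before the first chroot start: it reports any library the dynamic loader would fail to find inside the jail.

```shell
#!/bin/sh
# Added example (not from the original document). Builds the chroot jail
# layout described in the text for an arbitrary daemon binary.
# Assumes: POSIX sh, ldd, awk, cp, mkdir, id. Jail path and binaries are
# passed as arguments; no system paths are hard-coded.

# parse_ldd: read ldd-style output on stdin, print the absolute path of
# each real library, one per line. Handles both forms ldd prints:
#   libc.so.6 => /lib/libc.so.6 (0x40017000)
#   /lib/ld-linux.so.2 (0x40000000)
# Pseudo-libraries with no file (e.g. linux-vdso.so.1) and "not found"
# entries are skipped because $3 / $1 does not start with "/".
parse_ldd() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# jail_libs BINARY: print the shared libraries BINARY depends on.
jail_libs() {
    ldd "$1" | parse_ldd
}

# build_jail JAIL BINARY...
# Create the directory tree from the text under JAIL, then copy each
# binary and its libraries to the same path relative to the jail root
# (e.g. /usr/sbin/named -> JAIL/usr/sbin/named, /lib/libc.so.6 -> JAIL/lib/libc.so.6).
build_jail() {
    jail=$1; shift
    mkdir -p "$jail/dev" "$jail/etc" "$jail/lib" "$jail/usr/sbin" \
             "$jail/var/run" "$jail/var/named"
    for bin in "$@"; do
        mkdir -p "$jail$(dirname "$bin")"
        cp "$bin" "$jail$bin"
        jail_libs "$bin" | while read -r lib; do
            mkdir -p "$jail$(dirname "$lib")"
            cp "$lib" "$jail$lib"
        done
    done
    # /dev/null inside the jail must be a character device (major 1, minor 3).
    # mknod requires root, so only attempt it when running as root.
    if [ "$(id -u)" -eq 0 ]; then
        [ -c "$jail/dev/null" ] || mknod "$jail/dev/null" c 1 3
        chmod 666 "$jail/dev/null"
    fi
}

# missing_libs JAIL BINARY: print each library of BINARY that is absent
# from JAIL. Empty output means the loader will find everything it needs.
missing_libs() {
    jail=$1; bin=$2
    jail_libs "$bin" | while read -r lib; do
        [ -e "$jail$lib" ] || echo "$lib"
    done
}

# Usage (as root, for the configuration in the text):
#   build_jail /chroot/named /usr/sbin/named /usr/sbin/named-xfer
#   missing_libs /chroot/named /usr/sbin/named   # should print nothing
```

After the tree is built, the configuration, zone files, /etc/localtime and /etc/nsswitch.conf still have to be copied in and the ownership and immutable bits set as shown in the steps above; the script deliberately covers only the parts that can be derived mechanically from the binary.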