7.8 Running a Name Server in a chroot() Jail
7.8.1 Problem
You want to run a name server in a chroot() jail, so that a hacker who successfully breaks in through the name server process has only limited access to the host's filesystem.
7.8.2 Solution
Set up an environment for the name server to chroot() into, then use the - command-line option to specify the name of the directory to chroot() to.
7.8.3 Discussion
A BIND 9 chroot() environment, on most Unix systems, should include:
A working directory for the name server
An etc subdirectory, which includes named.conf
A var/run subdirectory for the name server's PID file
A dev subdirectory, which may need to include the random and zero devices
On my FreeBSD system, here's how I set up the chroot() environment:
# mkdir /etc/namedb
# cd /etc/namedb
# mkdir -p dev etc/namedb var/run    (etc/namedb is the working directory)
# cp /etc/localtime etc
# mknod dev/random c 2 3
# mknod dev/zero c 2 12
# vi etc/named.conf
To create the log device, I added the command-line option - to the startup of the system's syslog daemon, which tells it to create an extra log device at the specified pathname (inside the chroot() environment) and listen on it for logged messages. Piece of cake!
Once you've set up the chroot() environment, start the name server with the - command-line option, specifying the directory to chroot() to as the option's argument. The first time you do it, check the log output for any startup errors caused by missing files or directories. Once the name server starts cleanly in the chroot() environment, add the - option to your system's startup scripts.
When running a name server in a chroot() environment, be sure to run it as a non-root user, too. On many operating systems, a hacker gaining access to a process running as root can break out of a chroot() jail. See Section 7.9 for instructions on running the name server as a non-root user.
BIND 8 name servers require a considerably more complicated chroot() environment, including an additional file, shared libraries (unless you build BIND statically linked), and various device files, which is a good reason to recommend using BIND 9 in a chroot() setup. If you insist on running a BIND 8 name server chroot()ed, see "Running BIND with Least Privilege" in Chapter 11 of DNS and BIND.
You can simplify the chroot() environment slightly by using the named.conf substatement that sets the PID file's pathname, which tells the name server to create the PID file somewhere other than the default location. For example, to create the PID file in the name server's working directory, use:
In fact, unless you use dynamically updated zones with DNSSEC, you can do without the random device in the chroot() environment, too. But then you'll have to put up with the name server logging an error each time it starts.
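As an added example (not the book's text and not BIND's own code), the following POSIX shell script builds the skeleton the recipe lays out and audits it for the missing-file errors you would otherwise only discover in the log on the first start; it also covers the PID-file simplification above by writing a named.conf that keeps the PID file in the working directory. Assumptions: the jail root is a parameter rather than the fixed /etc/namedb, so the functions can be tried as a non-root user in a scratch directory; the mknod major/minor numbers are the recipe's FreeBSD values and differ on other systems; the named.conf content is a constructed minimal configuration; and the named command-line letters -t (chroot directory) and -u (unprivileged user) come from named(8), not from this page.

```shell
#!/bin/sh
# Added example, not from the book: build a minimal BIND 9 chroot skeleton
# following the recipe's layout, then audit it before the first start.
# ROOT is a parameter so the functions can be exercised as a non-root user
# in a scratch directory instead of the real /etc/namedb.

# build_jail ROOT: create the directories and files the recipe calls for.
build_jail() {
    root="$1"
    mkdir -p "$root/dev" "$root/etc/namedb" "$root/var/run" || return 1
    # Timezone data so the name server's log timestamps are in local time.
    if [ -f /etc/localtime ]; then
        cp /etc/localtime "$root/etc/localtime" 2>/dev/null || true
    fi
    # Device nodes need root, and major/minor numbers are OS-specific: the
    # recipe's FreeBSD values are random=2,3 and zero=2,12 (Linux uses 1,8
    # and 1,5). Skipped when not root so the skeleton still builds.
    if [ "$(id -u)" -eq 0 ]; then
        [ -e "$root/dev/random" ] || mknod "$root/dev/random" c 2 3
        [ -e "$root/dev/zero" ]   || mknod "$root/dev/zero" c 2 12
    fi
    # Constructed minimal named.conf. 'directory' is a path INSIDE the jail;
    # pid-file keeps the PID file in the working directory, which is the
    # simplification the recipe describes (var/run then becomes optional).
    cat > "$root/etc/named.conf" <<'EOF'
options {
    directory "/etc/namedb";
    pid-file "named.pid";
};
EOF
}

# audit_jail ROOT: report what the jail is missing and return non-zero if
# the name server could not start in it (the errors the recipe says to look
# for in the log output on the first start).
audit_jail() {
    root="$1"
    missing=""
    for p in etc/named.conf etc/namedb var/run dev; do
        [ -e "$root/$p" ] || missing="$missing $p"
    done
    # The 'directory' statement is resolved relative to the jail's root once
    # named has chrooted, so it must exist under ROOT, not only on the host.
    if [ -f "$root/etc/named.conf" ]; then
        dir=$(sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' \
                  "$root/etc/named.conf" | head -n 1)
        [ -z "$dir" ] || [ -d "$root$dir" ] || missing="$missing directory=$dir"
    fi
    # Devices and timezone data are warnings only: named starts without them
    # but logs an error, as the recipe notes for the random device.
    for p in dev/random dev/zero etc/localtime; do
        [ -e "$root/$p" ] || echo "warning: $root/$p is missing" >&2
    done
    if [ -n "$missing" ]; then
        echo "jail $root incomplete:$missing" >&2
        return 1
    fi
    return 0
}

# start_command ROOT USER: the command line to put in the startup script.
# -t (chroot directory) and -u (unprivileged user) are named's flags as
# documented in named(8); they are assumed here, not taken from the recipe.
start_command() {
    echo "named -t $1 -u $2"
}

# Stand-alone use: build and audit a scratch jail, then print the start line.
if [ -n "$JAIL_ROOT" ]; then
    build_jail "$JAIL_ROOT" && audit_jail "$JAIL_ROOT" && \
        start_command "$JAIL_ROOT" "${JAIL_USER:-named}"
fi
```

Run it with JAIL_ROOT set to a scratch directory to see the audit pass, then remove etc/named.conf or point the directory statement at a path that does not exist under the jail to see the check fail. Running as root also creates the device nodes, but only with the recipe's FreeBSD numbers; adjust them for the system the jail is on.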
7.8.4 See Also
Section 1.21 for editing startup scripts, Section 7.9 for running BIND as a user other than root, and "Running BIND with Least Privilege" in Chapter 11 of DNS and BIND.