Customizing for Chrooted Environments


Before you even start trying to customize chrooted environments, you should set up a working named configuration. This kind of setup complicates things, so you should have a complete, working set of DNS database files and configurations before attempting this.

Chroot is a UNIX security mechanism that insulates the software that is chrooted from the rest of the filesystem. This ensures that even if the software proves to be insecure, a break-in will not compromise more than the insecure software and the other contents of the chroot jail; the rest of the system is protected. You can read more about chroot in your OS man pages chroot(1) and chroot(2). Its use is also the subject of programming and security texts on UNIX.

BIND's -t option is used to activate this feature.

Many ways are available to set this up; you can choose one based simply on personal preference. On the one hand, you can wrap the needed programs in shell scripts that set up everything correctly. On the other hand, you can patch the source code of selected pieces of software to make them do the correct thing themselves. Writing scripts has the disadvantage of the scripts being overwritten each time you reinstall BIND, whereas patching the source code has the disadvantage of tampering with the source. In addition, if you do this manually, you might create problems each time you reinstall BIND. One good argument, though, for modifying the source as well is the fact that you only have to modify the source before compilation. After it's installed, the software will work as needed without further modifications; the modifications are localized to the pre-install-phase. In both cases, you should automate the modification process as far as you can to decrease the likelihood of mistakes.

I like to avoid modifying source code, as well as OS scripts. OSes such as Solaris 2 have a rather monolithic network startup script. If you modify it, you risk the patching of your OS failing. Afterwards, the machine might not boot correctly until you manually intervene and fix the glitch.

I prefer to write shell wrappers for the important pieces and leave the source and the OS scripts alone. This is explained in the following section.

The Chroot Environment

You first must set up the chroot environment so BIND can live in it. As of this writing, it is considered an experimental feature, although it works well. Because it is still experimental, things might have changed by the time you read this. If the requirements described here are not enough to make it work, refer to the INSTALL document that came with your BIND distribution. Follow these steps:

  1. Decide where you want the chroot environment (I prefer /var/bind-chroot). Then, create a directory hierarchy under there. The following hierarchy is a "mini" hierarchy to keep the paths short, but you can install a hierarchy that completely mirrors the hierarchy used by named by default:

    Path        Use
    var/run     pid, log, and control files go here.
    var/named   Named databases.
    etc         named.conf.
    sbin        Copy named-xfer here.
    dev         named needs /dev/null. Create it with /dev/MAKEDEV or copy it with cp or tar.

  2. Next, you must install a configuration file. It should be a normal configuration file, except for two things. The socket named uses to talk to syslogd resides in /dev above the chroot environment, so it is unavailable from inside the jail, and it cannot simply be transplanted into the chroot environment. Because BIND likes to use the syslog facility, you must override the default logging. Enter, as a minimum, the following logging configuration at the top of your named.conf file:

     logging {
             channel the_log {
                     file "/var/run/named.log" versions 20 size 1m;
                     print-time yes;
                     print-category yes;
                     print-severity yes;
             };
             category default { the_log; };
             category panic { the_log; };
             category packet { the_log; };
             category eventlib { the_log; };
     };

    This replaces the default logging configuration with your own. If you enter it at the bottom of your named.conf file, logging will not work until BIND parses it, after loading the zone files. You probably want to see any errors that occur while loading the zones, so this is not a good idea.

  3. Next, you need to override the location of named-xfer because it probably doesn't match your default location. Enter the following line in the options section of the configuration file:

     named-xfer "/sbin/named-xfer";

  4. Copy all your database files into /var/bind-chroot/var/named.

  5. Start named with the following command:

     named -t /var/bind-chroot

  6. Check the logs to see whether everything executed correctly. If it did, check it with dig or nslookup as well. If not, debug it. Refer to the named man page for information about debugging named.
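The following helper is an added example, not a script from the book: it builds the "mini" hierarchy from step 1 and then runs the checks that steps 2 through 6 depend on (named.conf present, named-xfer copied in, /dev/null a real device node, file logging and the named-xfer override in place) before you start named -t. It assumes BIND 8 paths as used above and that you pass it the named-xfer binary to copy; the function names are hypothetical.

```shell
#!/bin/sh
# Added helper (not from the book): build and sanity-check a BIND 8 chroot jail.

# make_chroot ROOT NAMED_XFER: create the directory skeleton and copy named-xfer in.
make_chroot() {
    root=$1; xfer=$2
    for d in var/run var/named etc sbin dev; do
        mkdir -p "$root/$d" || return 1
    done
    cp "$xfer" "$root/sbin/named-xfer" && chmod 755 "$root/sbin/named-xfer" || return 1
    # /dev/null must be a character device (major 1, minor 3 on Linux); mknod
    # needs root, so the failure is tolerated here and reported by check_chroot.
    [ -c "$root/dev/null" ] || mknod "$root/dev/null" c 1 3 2>/dev/null || :
}

# check_chroot ROOT: print every problem found and return their count
# (0 means "named -t ROOT" has everything it needs inside the jail).
check_chroot() {
    root=$1; bad=0
    [ -f "$root/etc/named.conf" ]  || { echo "missing $root/etc/named.conf"; bad=$((bad+1)); }
    [ -x "$root/sbin/named-xfer" ] || { echo "missing $root/sbin/named-xfer"; bad=$((bad+1)); }
    [ -c "$root/dev/null" ]        || { echo "$root/dev/null is not a device node"; bad=$((bad+1)); }
    [ -w "$root/var/run" ]         || { echo "$root/var/run is not writable"; bad=$((bad+1)); }
    # syslog is unreachable from inside the jail, so logging must go to a file channel
    grep -q 'file "/var/run/named.log"' "$root/etc/named.conf" 2>/dev/null \
        || { echo "named.conf has no file logging channel"; bad=$((bad+1)); }
    # named-xfer must be looked up at its in-jail path, not the build-time default
    grep -q 'named-xfer "/sbin/named-xfer"' "$root/etc/named.conf" 2>/dev/null \
        || { echo "named.conf does not override named-xfer"; bad=$((bad+1)); }
    return $bad
}

# Usage: sh thisfile.sh /var/bind-chroot /usr/sbin/named-xfer
if [ $# -eq 2 ]; then
    make_chroot "$1" "$2" && check_chroot "$1"
fi
```

Run it as root if you want the /dev/null node created for you; otherwise create it with MAKEDEV as the table above describes and rerun the check.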

The Scripts

After you have a working chroot environment, you can begin to write the scripts to fit everything together. They are easy to write.

named

You should replace named first. Copy named to named.bin, in the same directory, and then save this script as named:

     #!/bin/sh
     exec "$0".bin -t /var/bind-chroot "$@"

The previous script starts named.bin with the correct chroot option. Make it executable and then try it to see whether it works. Then try some queries against it.

ndc

The other program you must fix is ndc. Move it to ndc.bin and replace it with the following script:

     #!/bin/sh
     exec "$0".bin -c /var/bind-chroot/var/run/ndc \
         -p /var/bind-chroot/var/run/named.pid "$@"

The trick here is to tell it about the nonstandard control-connection and pid-file locations with the -c and -p options. Also make it executable and verify that you can stop, start, reload, and restart your chrooted named.

Now, remember that every time you install BIND anew, it will overwrite the shell scripts with the binaries from the BIND distribution, and the previous procedure needs to be repeated. It is a good idea to write an automatic procedure for it, or at least document it.

The Concise Guide to DNS and BIND
ISBN: 0789722739
Year: 1999
Pages: 183