7.8.1 Problem
You want to run a name server in a chroot( ) jail, so that a hacker successfully breaking in through the named process has limited access to the host's filesystem.
7.8.2 Solution
Set up an environment for the name server to chroot( ) into, then use named's -t command-line option to specify the name of the directory to chroot( ) to.
A BIND 9 chroot( ) environment, on most Unix systems, should include:
On my FreeBSD system, here's how I set up the chroot( ) environment:
# mkdir /etc/namedb
# cd /etc/namedb
# mkdir -p dev etc/namedb var/run        (etc/namedb is the working directory)
# cp /etc/localtime etc
# mknod dev/random c 2 3
# mknod dev/zero c 2 12
# vi etc/named.conf
To create the log device, I added the command-line option -a /etc/namedb/dev/log to the startup of the syslog daemon. This tells syslogd to create an extra log device with the specified path (in the chroot( ) environment) and listen on it for logged messages.
Piece of cake!
Once you've set up the chroot( ) environment, start named with the -t command-line option, specifying the directory to chroot( ) to as the option's argument. The first time you do it, check named's syslog output for any startup errors caused by missing files or directories. Once named starts cleanly in the chroot( ) environment, add the -t option to your system's startup scripts.
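As an added example (this script is mine, not the cookbook's): a pre-flight check that the chroot() environment contains the pieces the recipe creates, run before the first named -t so that missing files and devices show up as a list rather than as syslog errors after startup. It assumes the layout from the recipe (etc/, etc/namedb as the working directory, var/run, dev/) and that dev/log is the socket created by syslogd -a; it checks that the device nodes exist and are character devices but not their OS-specific major/minor numbers. Because dev/random is optional unless you use DNSSEC with dynamic update, its absence is reported as a warning, not a failure.

```shell
#!/bin/sh
# Added example (not from the DNS and BIND Cookbook): pre-flight check that a
# chroot() directory holds everything "named -t <dir>" needs, so gaps show up
# before the first start rather than as syslog errors afterwards.
# Assumed layout (from the recipe): etc/, etc/namedb/ (working directory),
# var/run/, dev/random, dev/zero, dev/log, etc/localtime, etc/named.conf.
# Device major/minor numbers are OS-specific and are not verified here.

# need_item <root> <test-flag> <relative path> <what it is for>
# Prints a "missing:" line and returns 1 if the item is absent or of the wrong type.
need_item() {
    if [ ! "$2" "$1/$3" ]; then
        echo "missing: $3 ($4)"
        return 1
    fi
    return 0
}

# check_named_chroot <root>
# Returns 0 when the chroot() environment is complete, 1 otherwise.
check_named_chroot() {
    root=$1
    missing=0

    if [ ! -d "$root" ]; then
        echo "missing: $root (chroot() directory does not exist)"
        return 1
    fi

    # Directories named expects to find, relative to the chroot() root.
    need_item "$root" -d etc        "holds named.conf and localtime"        || missing=$((missing + 1))
    need_item "$root" -d etc/namedb "named's working directory (zone files)" || missing=$((missing + 1))
    need_item "$root" -d var/run    "where named writes its PID file"       || missing=$((missing + 1))
    need_item "$root" -d dev        "device directory"                      || missing=$((missing + 1))

    # Files copied into the jail.
    need_item "$root" -f etc/named.conf "name server configuration"         || missing=$((missing + 1))
    need_item "$root" -f etc/localtime  "time zone data for log timestamps" || missing=$((missing + 1))

    # Device node and syslog socket (-c = character device, -S = socket).
    need_item "$root" -c dev/zero "character device"                        || missing=$((missing + 1))
    need_item "$root" -S dev/log  "syslog socket; create it with syslogd -a" || missing=$((missing + 1))

    # dev/random is needed only for DNSSEC with dynamic update; without it named
    # still starts but logs an error, so report a warning rather than a failure.
    if [ ! -c "$root/dev/random" ]; then
        echo "warning: dev/random absent (named logs an error at startup; needed only for DNSSEC with dynamic update)"
    fi

    [ "$missing" -eq 0 ]
}

# Run the check when invoked with a directory, e.g.: sh check_chroot.sh /etc/namedb
if [ -n "${1:-}" ]; then
    check_named_chroot "$1"
fi
```

Run it as root against the directory you will pass to -t; a clean run prints nothing and exits 0, which is the point at which the recipe says to move the -t option into your startup scripts.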
7.8.3 Discussion
When running a name server in a chroot( ) environment, be sure to run as a non-root user, too. On many operating systems, a hacker gaining access to a process as root can break out of a chroot( ) jail. See Section 7.9 for instructions on running named as a non-root user.
BIND 8 name servers require a considerably more complicated chroot( ) environment, including a passwd file, shared libraries (unless you build BIND statically linked), and various device files, which is a good reason to recommend using BIND 9 in a chroot( )d setup. If you insist on running a BIND 8 name server chroot( )ed, see "Running BIND with Least Privilege" in Chapter 11 of DNS and BIND for instructions.
You can simplify the chroot( ) environment slightly by using the pid-file options substatement to tell named to create the PID file with a different pathname. For example, to create the PID file in the name server's working directory, use:
options {
    directory "/var/named";
    pid-file "named.pid";
};
In fact, unless you use dynamically updated zones with DNSSEC, you can do without dev/random in the chroot( ) environment, too. But then you'll have to put up with named logging an error each time it starts.
7.8.4 See Also
Section 1.21 for editing startup scripts, Section 7.9 for running BIND as a user other than root, and "Running BIND with Least Privilege" in Chapter 11 of DNS and BIND.