This site is now 100% read-only, and retired.

XML Logo

Posted by kroshka on Thu 12 Apr 2007 at 21:07
Tags: , , ,
This article will explain how to create a chroot jail for bind8. This effectively makes bind obliviuos to the rest of the (file)system beyond it's chroot directory tree. Therefore security will be increased, because if bind due to some crack attempt allows shell access one can not go beyond the chroot environment.

(Quoting bind howto):
"The idea behind chroot is fairly simple. When you run BIND (or any other process) in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. For example, in this document, we'll set BIND up to run chrooted to the directory /chroot/named. Well, to BIND, the contents of this directory will appear to be /, the root directory. Nothing outside this directory will be accessible to it. You've probably encounted a chroot jail before, if you've ever ftped into a public system."

"The idea behind running BIND in a chroot jail is to limit the amount of access any malicious individual could gain by exploiting vulnerabilities in BIND. It is for the same reason that we run BIND as a non-root user."

The reason for compiling bind from source is because you need to change a few things in the makefiles so it will work. As an added benefit you get the most recent security and bug fixes.

This howto is an adaptation specifically for Debian of the one here:
In this case Debian sarge, but it should work on Etch and upwards. Please note this is specifically for bind8, it may work for bind9 with some adaptation. See:

On the server, become root and execute all these commands:

echo 'named:x:200:200:Nameserver:/chroot/named:/bin/false' >> /etc/passwd
echo 'named:x:200:' >> /etc/group
mkdir /chroot
mkdir /chroot/named
mkdir /chroot/named/bin
mkdir /chroot/named/dev
mkdir /chroot/named/etc
mkdir /chroot/named/lib
mkdir /chroot/named/var
mkdir /chroot/named/var/cache
mkdir /chroot/named/var/run
cp -pr /etc/bind/ /chroot/named/etc/
cd /chroot/named/etc
ln -s bind/named.conf .
cp -pr /var/cache/bind /chroot/named/var/cache/
chown -R named:named /chroot/named/var/cache/
chown named:named /chroot/named/var/run
cd /chroot/named/lib
cp -p /lib/libc-2.*.so .
ln -s libc-2.*.so
cp -p /lib/ld-2.*.so .
ln -s ld-2.*.so
cp /sbin/ldconfig /chroot/named/bin/
chroot /chroot/named /bin/ldconfig -v
mknod /chroot/named/dev/null c 1 3
cp /etc/localtime /chroot/named/etc/
echo 'named:x:200:' > /chroot/named/etc/group

Edit sysklogd:

vim /etc/init.d/sysklogd
  Change SYSLOGD="" into SYSLOGD="-a /chroot/named/dev/log"

Restart sysklogd:

/etc/init.d/sysklogd restart
Get bind:

Untar tarball

Edit Makefile.set:

vim src/port/linux/Makefile.set
  Change DESTRUN=/var/run to DESTRUN=/chroot/named/var/run
You also might like to change pathnames to /usr/local
Edit named.h:
vim src/bin/named/named.h
  Add #define _PATH_NDCSOCK "/var/run/ndc" right after #include "pathnames.h"


cd src
make clean;make depend;make
cp bin/named/named /chroot/named/bin
cp bin/named-xfer/named-xfer /chroot/named/bin

To install, first remove bind and dnsutils:

apt-get remove bind
apt-get remove dnsutils


make install

To prevent non chroot named being run do (use /usr/sbin/named if you didn't change the paths in Makefile.set):

chmod 000 /usr/local/sbin/named

Edit /etc/init.d/bind:

vim /etc/init.d/bind
  Change OPTIONS="" to OPTIONS="-u named -g named -t /chroot/named"
  Change each occurance of --pidfile /var/run/ to --pidfile /chroot/named/var/run/
  Change paths to named this way /chroot/named/bin/named as opposed to /usr/sbin/named

  And if you changed /usr/xxx to /usr/local/xxx in Makefile.set:
    Change test -x /usr/sbin/ndc || exit 0 to test -x /usr/local/sbin/ndc || exit 0
    Change /usr/sbin/ndc reload to /usr/local/sbin/ndc reload

Edit named.config.options:

vim /chroot/named/etc/bind/named.conf.options
  Add this pid-file "/var/run/"; and named-xfer "/bin/named-xfer";
/etc/init.d/bind restart
Check /var/run/log/deamon.log or something to see if all went well...
And enjoy...