Is chroot really necessary?
Brad Knowles
brad.knowles at skynet.be
Thu May 17 15:35:17 UTC 2001
At 4:16 PM +0100 5/17/01, Bush, Stephen wrote:

> I've been trying to get bind working correctly in a chrooted environment and
> tried just about every way, from the simple to the insane! Does anyone
> think it is absolutely essential to run bind chrooted, or is this a
> technique directed to the Unix past rather than the present? My dns servers
> are dedicated to doing that - no other web services are running.

No, it's not strictly necessary. However, there are always more
and more ingenious attacks being devised and directed against
machines these days, and any server running as root is a potentially
easy path towards compromising the whole machine -- especially if
"rootkits" are developed and handed over to the "skript kiddies".
In that case, a single person could compromise the security of
hundreds, thousands, tens of thousands, hundreds of thousands, or
possibly even millions of machines all around the world, in just a
few seconds, and with the push of a single button. Trust me, you do
not want to be in this kind of situation.

Therefore, although BIND version 9 is much more secure than
previous major releases, and every possible effort is taken to try to
ensure that the program cannot be compromised, it is still a good
idea to run the program in a chroot() environment, as an added layer
of security.

It may still be possible for the attacker to break out of a
chroot() environment, but this tends to be more difficult and require
a level of expertise that "skript kiddies" do not tend to have, and
is difficult to program into a "rootkit".

--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
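The chroot-plus-unprivileged-user setup the reply recommends, as an added shell example that is not code from the thread or from BIND itself. It assumes a BIND 9 named that accepts the -t, -u and -c flags, a "named" user and group on the host, and a jail directory of your choosing passed as the first argument.

```shell
#!/bin/sh
# Added example, not code from the thread: lay out a minimal chroot jail for
# BIND 9 named and start it with -t (chroot) and -u (drop root privileges).
# Assumed: named accepts -t/-u/-c; a "named" user and group exist.
set -eu

build_named_jail() {
    jail="$1"
    # Config, zone data, pid file and device nodes all live under the jail.
    mkdir -p "$jail/etc" "$jail/var/named" "$jail/var/run" "$jail/dev"
    # Paths in named.conf are relative to the jail root, not the host root.
    cat >"$jail/etc/named.conf" <<'EOF'
options {
    directory "/var/named";
    pid-file "/var/run/named.pid";
    recursion no;
};
EOF
    # Device nodes and ownership need root and the named account; the rest
    # of the layout is still built (and checkable) without them.
    if [ "$(id -u)" -eq 0 ] && id named >/dev/null 2>&1; then
        [ -c "$jail/dev/null" ]   || mknod -m 666 "$jail/dev/null"   c 1 3 || echo "mknod failed" >&2
        [ -c "$jail/dev/random" ] || mknod -m 666 "$jail/dev/random" c 1 8 || echo "mknod failed" >&2
        chown -R named:named "$jail/var/named" "$jail/var/run"
    fi
    # The unprivileged daemon must never be able to rewrite its own config.
    chmod 755 "$jail/etc"
    chmod 644 "$jail/etc/named.conf"
}

# Returns 0 if the jail has the expected layout and named.conf is not
# group- or world-writable, 1 otherwise.
check_named_jail() {
    jail="$1"
    for d in etc var/named var/run dev; do
        [ -d "$jail/$d" ] || return 1
    done
    [ -f "$jail/etc/named.conf" ] || return 1
    # Octal mode: GNU stat first, BSD stat as fallback.
    perms=$(stat -c %a "$jail/etc/named.conf" 2>/dev/null || stat -f %Lp "$jail/etc/named.conf")
    case "$perms" in *[2367]|*[2367]?) return 1 ;; esac
    return 0
}

start_named() {
    # -t chroots before the config is read, -u drops root after port 53 is
    # bound, -c is the config path as seen from inside the jail.
    named -t "$1" -u named -c /etc/named.conf
}
```

Run build_named_jail and check_named_jail as root once, then start_named with the same jail path; the daemon then sees only the jail's /etc/named.conf and zone files.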