Is chroot really necessary?

[Kevin Darcy]

Bush, Stephen wrote:

> Hi,
>
> I've been trying to get bind working correctly in a chrooted environment and
> tried just about every way, from the simple to the insane!  Does anyone
> think it is absolutely essential to run bind chrooted, or is this a
> technique directed to the Unix past rather than the present?  My dns servers
> are dedicated to doing that - no other web services are running.

Translation: is improved security really necessary?

chroot()'ing your nameserver, especially in conjunction with running it
unprivileged, gives you a significant amount of protection against certain
kinds of attacks, although not *perfect* protection. Whether this level of
protection is worth the time and effort involved in setting it up and
maintaining it, is a regular cost-versus-risk comparison that every
organization will have to make based on their own circumstances. It might even
depend on individual machine. My first prioirity for setting up chroot()'ed
named, for instance, was our Internet firewalls. Other, strictly-internal boxes
which don't run anything particularly security-intensive (e.g. employee
information websites) are/were further down the priority list.

I'm curious what problems you've had trying to implement chroot()'ed named.
Having chroot()'ed other stuff before (e.g. anon FTP and whatnot), it all
seemed rather straightforward to me...


- Kevin