chrooting bind

Kevin Darcy kcd at daimlerchrysler.com
Wed Aug 15 22:31:40 UTC 2001


Barry Margolin wrote:

> In article <9leria$1rt at pub3.rc.vix.com>,
> Christopher L. Barnard <cbar44 at tsg.cbot.com> wrote:
> >
> >Kevin Darcy responded:
> >
> >> Why are you using /usr/sbin/chroot to chroot named instead of named's
> >> built-in chroot mechanism (-t)?
> >> The way you're doing it, you need to populate the chroot jail with all sorts
> >> of crap. The lack of some library or device node or whatever is probably
> >> what is causing the startup to fail.
> >
> >Because using named's built in -t flag means that the daemon starts in a
> >non-chrooted setup, and then once it is going it looks to the chrooted area
> >for the zone files, etc.  By starting the daemon already in the chrooted jail,
> >if someone by some preposterous chance is able to break in through the name
> >daemon itself, there is No Way (tm) he or she could see the rest of the
> >system.
> >
> >Yes, I am being overly, excessively, and absurdly cautious.
>
> I think you misunderstand how chroot works.  Once you're in the jail,
> you're trapped in it.  It doesn't matter whether you locked yourself in or
> were born there.  You still can't see the rest of the system.

I think what Christopher means is that if there is some sort of vulnerability in
named in the code which it executes *before* it chroots, then that would be a
window of opportunity for hacking.

But, even so, I'm pretty sure named doesn't listen for any queries until it's
fully chrooted, so such a vulnerability would not be remotely exploitable. And it
is running as superuser during this stage of the process, regardless of whether
you use the built-in chroot or not. As we all know, it's not that hard for
superuser to break out of a chroot jail -- if there's a vulnerability in that part
of the code, you're screwed either way. So I don't think "externally" chrooting
buys any security, and I'd be far more worried about the vulnerabilities
introduced by having named rely on libraries and device nodes in the chroot jail.
Not to mention, of course, that it's a pain in the ass to populate the chroot jail
with all of that junk (as DJB never tires of reminding us).


- Kevin
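The sequence the thread is arguing about, shown as an added example that is not from this bind-users post and not BIND's own code: a daemon that jails itself the way named -t does must call chroot() while it is still root, and should then drop to an unprivileged uid/gid before it opens any listening socket, so that by the time it is reachable from the network it no longer holds the superuser rights that make escaping a chroot feasible. The jail directory /var/named-jail and the uid/gid 65534 are placeholders chosen for illustration; jail_and_drop() and its result codes are this example's own names.

```c
/* Added example (not from the bind-users thread or from BIND itself).
 * Order matters: chroot() needs root, so it comes first; the privilege
 * drop comes next; only after both succeed would a daemon start listening.
 * The directory and ids in main() are placeholder values. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_result {
    JAIL_OK = 0,
    JAIL_ERR_CHDIR,     /* could not enter the jail directory */
    JAIL_ERR_CHROOT,    /* chroot() failed (requires root) */
    JAIL_ERR_SETGROUPS, /* could not clear supplementary groups */
    JAIL_ERR_SETGID,    /* could not drop group id */
    JAIL_ERR_SETUID,    /* could not drop user id */
    JAIL_ERR_STILL_ROOT /* a drop returned success but root is still held */
};

/* Make `dir` the process root, then drop to uid/gid. Returns JAIL_OK or the
 * step that failed; errno describes the cause for the syscall failures. */
enum jail_result jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    /* chdir first so that chroot(".") leaves no working directory outside
     * the new root; a cwd outside the jail is a classic chroot mistake. */
    if (chdir(dir) != 0)
        return JAIL_ERR_CHDIR;
    if (chroot(".") != 0)
        return JAIL_ERR_CHROOT;
    /* Groups before uid: once the uid is non-root, setgroups() is denied. */
    if (setgroups(0, NULL) != 0)
        return JAIL_ERR_SETGROUPS;
    if (setgid(gid) != 0)
        return JAIL_ERR_SETGID;
    if (setuid(uid) != 0)
        return JAIL_ERR_SETUID;
    /* Verify the drop took: real and effective ids must be non-root, and
     * regaining root (saved uid) must now fail. */
    if (getuid() == 0 || geteuid() == 0 || setuid(0) == 0)
        return JAIL_ERR_STILL_ROOT;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/named-jail"; /* placeholder */
    enum jail_result r = jail_and_drop(jail, 65534, 65534);    /* placeholder ids */
    if (r != JAIL_OK) {
        fprintf(stderr, "jail_and_drop failed at step %d: %s\n",
                (int)r, r == JAIL_ERR_STILL_ROOT ? "still root" : strerror(errno));
        return 1;
    }
    printf("jailed in %s, now uid %d\n", jail, (int)getuid());
    /* A real daemon would open its listening sockets only at this point. */
    return 0;
}
```

Run as root with an existing, minimally populated jail directory; as an unprivileged user it stops at the chroot() step, which is itself the point Kevin makes: the stage before the drop is the only one that needs root, and it is over before the daemon accepts a single query.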
More information about the bind-users mailing list