Setting up chroot on Solaris 9 with BIND 9 -t switch
Bill Larson
bind9 at comcast.net
Fri Jan 7 01:47:57 UTC 2005
On Jan 5, 2005, at 9:02 PM, CERNINO CERNINO wrote:
> But i have a question, what gain with jailed the process?
> & if you kown then how can i jailed a user to only see a carpet as his
> root,
> to then put the process & its dependecies into, as a new politic of
> security
> for the user.
> can i do a user that cant get out of a carpet in other words, jailed
> in a
> carpet as his home directory?
Think of similar questions, "why have passwords", "why use a firewall",
"why worry about security"? The simple answer is that you need to
protect your system from attackers.
"chroot", not just for BIND but in general, protects your server from
an increase risk of compromise when your system is attacked through the
process that is running in the chroot environment. "chroot" limits the
scope of what can be seen on the system to the "chroot" environment and
makes the rest of your system, such as your passwd file, off limits.
There is another side of running a BIND DNS server in a "secure"
environment. This is to run "named" as an unprivileged user. This is
simply to further limit the amount of damage an attacker can perform
when the process is broken out of. When the process is broken, the
attacker will have the same privileges as the process had. If the
process was running as "root", then the attacker will then have "root"
access to the system. If the process is not running as "root", then
the attacker will be limited to whatever the the process as. In the
case of "named", the attacker would be limited to trashing the files
and directories that the "named" process can write to. But, the
attacker will be unable to compromise the system further because they
still lack the ability to write to anything else. (If the "named"
process logs to "syslog", then the attacker can also write to the
"syslogd" process and now you have to worry if the syslogd process can
be compromised! The security aspects simply cascade.)
From the BIND-ARM the following statement is made: "We suggest running
as an unprivileged user when using the chroot feature." The authors of
BIND recognize the additional security provided by running "named" in a
chroot environment with the "-t" option, and also the desire to further
protect the system by limiting the access available by running as an
unprivileged user using the "-u" option.
For further information about running "named" in a secure fashion,
please refer to "The Secure BIND Template" at
http://www.cymru.com/Documents/secure-bind-template.html. This also
identifies a also a good procedure to configure a chroot environment
for "named" when running under Solaris, FreeBSD, and Linux.
Further information about "chroot" in general can be found at:
http://www.unixwiz.net/techtips/chroot-practices.html
http://www.l0t3k.org/security/docs/chrooting/
http://www.nuclearelephant.com/papers/chroot.html
http://www.linuxsecurity.com/content/view/117632/49/
http://www.onlamp.com/pub/a/bsd/2003/01/23/chroot.html
http://www.bpfh.net/simes/computing/chroot-break.html
The last reference is "Breaking out of a chroot() padded cell" and
simply discusses the consequences of the failure of running a process
in a chroot environment and why the protected process shouldn't be run
as the "root" user. I particularly like this document.
Security is not a single thing. One aspect of security in "protection
in depth", having multiple security layers that need to be broken in
sequence before the system is completely compromised. Software
development with an eye for security is one layer. Using good
passwords is another security layer. Running the application in a
chroot environment is still another. Running in a chroot environment
is an inexpensive way to provide an additional layer of security to
running a process that is accessible over the Internet. BIND is not
the only application that does this. Apache is another network process
which used a chroot environment to protect itself.
Now, as to your other implied question, "how do I test named running in
a chroot environment", I really don't have a good answer. The only way
that I can think of is to break out of the "named" process in some
manner, such as with a buffer overflow attack, and see what will
happen. I'm not that good, and if you succeed then you should inform
the BIND developers of your exploit and they can protect the process
even further.
Bill Larson
More information about the bind-users
mailing list