Bug 7398

Summary: Run named chroot and non-root
Product: [Retired] Red Hat Linux
Reporter: Ash <ash>
Component: bind
Assignee: Bernhard Rosenkraenzer <bero>
Status: CLOSED WORKSFORME
Severity: medium
Priority: medium
Version: 6.1
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-02-03 16:48:02 UTC

Description Ash 1999-11-28 20:19:20 UTC
After having recently had to clean up a system that lost root unnecessarily
I have the following howto to offer on how to set up named to run as
non-root and chroot'ed so as to minimise the damage the next time we find a
security hole in it.

HOWTO from dszd0g.

1) % make depend

2) edit src/.settings
   Add -static to CC so that it reads: 'CC=gcc -static -D_GNU_SOURCE'

3) edit src/bin/ndc/pathnames.h
   Modify all your pathnames for your chrooted environment and to pass the
   args to named (pathnames.h attached).

4) Get it to compile
   % make all
   This will probably change with versions.  I had to edit a couple
   Makefiles and remove -ll from the SYSDEPS line, and for some reason
   some of the Makefiles had SYSTYPE set to bsdos instead of linux.
   After that it compiled fine.

5) Modify named.conf for chrooted environment.
   You will not be able to use syslog since it will no longer
   have access to /dev/log.

logging {
  channel logfile {

    /*
    write to named.log in the working directory
    Note: stderr is used instead of "named.log"
    if the server is started with the -f option.  */
    file "/var/named/log/named" size 50M;
    // Limit maximum size to 50MB, no DoS

    // severity dynamic; // log at the server's current debug level
    severity info; // log info or higher
    print-time yes;
    print-category yes;
  };

  channel default_debug {
    // write to named.run in the working directory
    file "/var/named/log/named.run";
    // Note: stderr is used instead of "named.run"
    // if the server is started with the -f option.
    severity dynamic; // log at the server's current debug level
  };

  category default { logfile; };
  category config { logfile; };
  category parser { null; };
  category queries { logfile; };
  category lame-servers { null; };
  category statistics { logfile; };
  category panic { logfile; default_stderr; };
  category update { logfile; };
  category ncache { logfile; };
  category xfer-in { logfile; };
  category xfer-out { logfile; };
  category db { logfile; };
  category eventlib { logfile; };
  category packet { logfile; };
  category notify { logfile; };
  category cname { logfile; };
  category security { logfile; };
  category os { logfile; };
  category insist { logfile; };
  category maintenance { logfile; };
  category load { logfile; };
  category response-checks { logfile; };
};


options {
  directory "/var/named";
  named-xfer "/var/named/bin/named-xfer";
  dump-file "/var/named/tmp/named_dump.db";
  pid-file "/var/named/tmp/named.pid";
  statistics-file "/var/named/log/named.stats";
  memstatistics-file "/var/named/log/named.memstats";
};

6) Create everything necessary in /var/named hierarchy:

.:
total 42
drwxr-xr-x    2 root     root         1024 Nov 26 20:55 bin
[ db files ]
drwxr-xr-x    2 root     root         1024 Nov 26 19:21 dev
drwxr-xr-x    2 root     root         1024 Nov 26 21:14 etc
drwxr-x---    2 named    named        1024 Nov 26 19:55 log
lrwxrwxrwx    1 root     root            7 Nov 26 21:05 tmp -> var/tmp
drwxr-xr-x    4 root     root         1024 Nov 26 21:56 var


./bin:
total 4909
-r-xr-xr-x    1 root     root      2840700 Nov 26 20:55 named
-r-xr-xr-x    1 root     root      2162458 Nov 26 20:55 named-xfer

./dev:
total 0
crw-rw-rw-    1 root     root       1,   3 Nov 26 19:21 null

./etc:
total 5
-rw-r-----    1 root     named        4313 Nov 26 21:14 named.conf

./log:
total 82
-rw-------    1 named    named       82667 Nov 26 22:14 named

./var:
total 2
lrwxrwxrwx    1 root     root            2 Nov 26 19:22 named -> ..
drwxr-x---    2 root     named        1024 Nov 26 21:57 run
drwxr-x---    2 named    named        1024 Nov 26 22:01 tmp

./var/run:
total 0
srw-------    1 root     root            0 Nov 26 21:57 ndc

./var/tmp:
total 1
-rw-r--r--    1 named    named           6 Nov 26 22:01 named.pid
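
Added example, not from this report or from BIND: a Python audit of a jail laid out like the step 6 listing, checking the properties that matter once named drops privileges: nothing writable by the named user outside log/ and var/tmp/, no symlink that resolves outside the jail, and dev/null present as character device 1,3. The sample tree, its two deliberate defects and the stand-in uid/gid are constructed.

```python
#!/usr/bin/env python3
"""Audit a BIND chroot jail laid out like the /var/named tree above."""
import os
import stat
import tempfile

# Subtrees (relative to the jail root) the unprivileged named user must
# be able to write: its log directory and the pid/dump directory.
WRITABLE_BY_NAMED = ("log", "var/tmp")


def audit_named_chroot(root, named_uid, named_gid):
    """Return sorted findings; an empty list means the jail matches the
    layout above. Device nodes are checked separately from file modes."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):  # e.g. tmp -> var/tmp, var/named -> ..
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    findings.append(f"{rel}: symlink leaves the jail ({target})")
                continue
            if stat.S_ISCHR(st.st_mode):  # dev/null is meant to be world-writable
                continue
            mode = st.st_mode
            writable = ((st.st_uid == named_uid and mode & stat.S_IWUSR)
                        or (st.st_gid == named_gid and mode & stat.S_IWGRP)
                        or mode & stat.S_IWOTH)
            allowed = any(rel == w or rel.startswith(w + os.sep) for w in WRITABLE_BY_NAMED)
            if writable and not allowed:
                findings.append(f"{rel}: writable by named (mode {oct(mode & 0o777)})")
    try:
        st = os.stat(os.path.join(root, "dev", "null"))
        if not stat.S_ISCHR(st.st_mode) or (os.major(st.st_rdev), os.minor(st.st_rdev)) != (1, 3):
            findings.append("dev/null: not the character device 1,3")
    except FileNotFoundError:
        findings.append("dev/null: missing")
    return sorted(findings)


def build_sample_jail(root):
    """Constructed stand-in for step 6 with two deliberate defects: named.conf
    left world-writable, and dev/null a plain file (mknod needs root)."""
    for d, mode in (("bin", 0o755), ("dev", 0o755), ("etc", 0o755), ("log", 0o750),
                    ("var", 0o755), ("var/run", 0o750), ("var/tmp", 0o750)):
        os.mkdir(os.path.join(root, d)); os.chmod(os.path.join(root, d), mode)
    for f, mode in (("bin/named", 0o555), ("etc/named.conf", 0o666),
                    ("dev/null", 0o644), ("var/tmp/named.pid", 0o644)):
        open(os.path.join(root, f), "w").close(); os.chmod(os.path.join(root, f), mode)
    os.symlink("var/tmp", os.path.join(root, "tmp"))
    os.symlink("..", os.path.join(root, "var", "named"))


def demo():
    root = tempfile.mkdtemp()
    build_sample_jail(root)
    # Any uid/gid other than our own stands in for named: the sample cannot
    # chown without root, so only the mode bits are exercised here.
    return audit_named_chroot(root, os.getuid() + 1, os.getgid() + 1)
```

Run against a real jail with the actual uid/gid of the named account; an empty result means the layout matches the listing above.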

Comment 1 Bernhard Rosenkraenzer 1999-11-30 14:26:59 UTC
Thanks, I'll see if it breaks anything. (By the way, I think you *can* use
syslog by just creating a [root]/dev/log)

Comment 2 Elliot Lee 2000-02-03 16:48:59 UTC
Information noted, and since this is documentation rather than a request to have
something fixed, closing.