After having recently had to clean up a system that lost root unnecessarily, I have the following howto to offer on how to set up named to run as non-root and chroot'ed so as to minimise the damage the next time we find a security hole in it. HOWTO from dszd0g@dragonpaw.org.

1) % make depend

2) edit src/.settings
   Add -static to CC so that it reads: 'CC=gcc -static -D_GNU_SOURCE'

3) edit src/bin/ndc/pathnames.h
   Modify all your pathnames for your chrooted environment and to pass the args to named. pathnames.h attached.

4) Get it to compile: % make all
   This will probably change with versions. I had to edit a couple of Makefiles and remove -ll from the SYSDEPS line, and for some reason some of the Makefiles had SYSTYPE set to bsdos instead of linux. After that it compiled fine.

5) Modify named.conf for the chrooted environment. You will not be able to use syslog since it will no longer have access to /dev/log.

    logging {
        channel logfile {
            /* write to named.log in the working directory
               Note: stderr is used instead of "named.log"
               if the server is started with the -f option. */
            file "/var/named/log/named" size 50M;  // Limit maximum size to 50MB, no DoS
            // severity dynamic;   // log at the server's current debug level
            severity info;         // log info or higher
            print-time yes;
            print-category yes;
        };
        channel default_debug {
            // write to named.run in the working directory
            file "/var/named/log/named.run";
            // Note: stderr is used instead of "named.run"
            // if the server is started with the -f option.
            severity dynamic;      // log at the server's current debug level
        };
        category default { logfile; };
        category config { logfile; };
        category parser { null; };
        category queries { logfile; };
        category lame-servers { null; };
        category statistics { logfile; };
        category panic { logfile; default_stderr; };
        category update { logfile; };
        category ncache { logfile; };
        category xfer-in { logfile; };
        category xfer-out { logfile; };
        category db { logfile; };
        category eventlib { logfile; };
        category packet { logfile; };
        category notify { logfile; };
        category cname { logfile; };
        category security { logfile; };
        category os { logfile; };
        category insist { logfile; };
        category maintenance { logfile; };
        category load { logfile; };
        category response-checks { logfile; };
    };

    options {
        directory "/var/named";
        named-xfer "/var/named/bin/named-xfer";
        dump-file "/var/named/tmp/named_dump.db";
        pid-file "/var/named/tmp/named.pid";
        statistics-file "/var/named/log/named.stats";
        memstatistics-file "/var/named/log/named.memstats";
    };

6) Create everything necessary in the /var/named hierarchy:

    .:
    total 42
    drwxr-xr-x   2 root   root      1024 Nov 26 20:55 bin
    [ db files ]
    drwxr-xr-x   2 root   root      1024 Nov 26 19:21 dev
    drwxr-xr-x   2 root   root      1024 Nov 26 21:14 etc
    drwxr-x---   2 named  named     1024 Nov 26 19:55 log
    lrwxrwxrwx   1 root   root         7 Nov 26 21:05 tmp -> var/tmp
    drwxr-xr-x   4 root   root      1024 Nov 26 21:56 var

    ./bin:
    total 4909
    -r-xr-xr-x   1 root   root   2840700 Nov 26 20:55 named
    -r-xr-xr-x   1 root   root   2162458 Nov 26 20:55 named-xfer

    ./dev:
    total 0
    crw-rw-rw-   1 root   root      1,   3 Nov 26 19:21 null

    ./etc:
    total 5
    -rw-r-----   1 root   named     4313 Nov 26 21:14 named.conf

    ./log:
    total 82
    -rw-------   1 named  named    82667 Nov 26 22:14 named

    ./var:
    total 2
    lrwxrwxrwx   1 root   root         2 Nov 26 19:22 named -> ..
    drwxr-x---   2 root   named     1024 Nov 26 21:57 run
    drwxr-x---   2 named  named     1024 Nov 26 22:01 tmp

    ./var/run:
    total 0
    srw-------   1 root   root         0 Nov 26 21:57 ndc

    ./var/tmp:
    total 1
    -rw-r--r--   1 named  named        6 Nov 26 22:01 named.pid
Thanks, I'll see if it breaks anything. (By the way, I think you *can* use syslog by just creating a [root]/dev/log)
Information noted, and since this is documentation rather than a request to have something fixed, closing.