Bug 7398 - Run named chroot and non-root
Status: CLOSED WORKSFORME
Product: Red Hat Linux
Classification: Retired
Component: bind
Version: 6.1
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Bernhard Rosenkraenzer
Keywords: Security
Reported: 1999-11-28 15:19 EST by Ash
Modified: 2008-05-01 11:37 EDT (History)

Last Closed: 2000-02-03 11:48:02 EST

Attachments: None
Description Ash 1999-11-28 15:19:20 EST
After having recently had to clean up a system that lost root unnecessarily,
I have the following HOWTO to offer on how to set up named to run as
non-root and chroot'ed so as to minimise the damage the next time we find a
security hole in it.

HOWTO from dszd0g@dragonpaw.org.

1) % make depend

2) edit src/.settings
   Add -static to CC so that it reads: 'CC=gcc -static -D_GNU_SOURCE'

3) edit src/bin/ndc/pathnames.h
   Modify all your pathnames for your chrooted environment and to pass the
   args to named (pathnames.h attached).

4) Get it to compile
   % make all
   This will probably change with versions.  I had to edit a couple
   Makefiles and remove -ll from the SYSDEPS line, and for some reason
   some of the Makefiles had SYSTYPE set to bsdos instead of linux.
   After that it compiled fine.

5) Modify named.conf for chrooted environment.
   You will not be able to use syslog since it will no longer
   have access to /dev/log.

logging {
  channel logfile {

    /*
    write to named.log in the working directory
    Note: stderr is used instead of "named.log"
    if the server is started with the -f option.  */
    file "/var/named/log/named" size 50M;
    // Limit maximum size to 50MB, no DoS

    // severity dynamic; // log at the server's current debug level
    severity info; // log info or higher
    print-time yes;
    print-category yes;
  };

  channel default_debug {
    // write to named.run in the working directory
    file "/var/named/log/named.run";
    // Note: stderr is used instead of "named.run"
    // if the server is started with the -f option.
    severity dynamic; // log at the server's current debug level
  };

  category default { logfile; };
  category config { logfile; };
  category parser { null; };
  category queries { logfile; };
  category lame-servers { null; };
  category statistics { logfile; };
  category panic { logfile; default_stderr; };
  category update { logfile; };
  category ncache { logfile; };
  category xfer-in { logfile; };
  category xfer-out { logfile; };
  category db { logfile; };
  category eventlib { logfile; };
  category packet { logfile; };
  category notify { logfile; };
  category cname { logfile; };
  category security { logfile; };
  category os { logfile; };
  category insist { logfile; };
  category maintenance { logfile; };
  category load { logfile; };
  category response-checks { logfile; };
};


options {
  directory "/var/named";
  named-xfer "/var/named/bin/named-xfer";
  dump-file "/var/named/tmp/named_dump.db";
  pid-file "/var/named/tmp/named.pid";
  statistics-file "/var/named/log/named.stats";
  memstatistics-file "/var/named/log/named.memstats";
};

6) Create everything necessary in the /var/named hierarchy:

.:
total 42
drwxr-xr-x    2 root     root         1024 Nov 26 20:55 bin
[ db files ]
drwxr-xr-x    2 root     root         1024 Nov 26 19:21 dev
drwxr-xr-x    2 root     root         1024 Nov 26 21:14 etc
drwxr-x---    2 named    named        1024 Nov 26 19:55 log
lrwxrwxrwx    1 root     root            7 Nov 26 21:05 tmp -> var/tmp
drwxr-xr-x    4 root     root         1024 Nov 26 21:56 var


./bin:
total 4909
-r-xr-xr-x    1 root     root      2840700 Nov 26 20:55 named
-r-xr-xr-x    1 root     root      2162458 Nov 26 20:55 named-xfer

./dev:
total 0
crw-rw-rw-    1 root     root       1,   3 Nov 26 19:21 null

./etc:
total 5
-rw-r-----    1 root     named        4313 Nov 26 21:14 named.conf

./log:
total 82
-rw-------    1 named    named       82667 Nov 26 22:14 named

./var:
total 2
lrwxrwxrwx    1 root     root            2 Nov 26 19:22 named -> ..
drwxr-x---    2 root     named        1024 Nov 26 21:57 run
drwxr-x---    2 named    named        1024 Nov 26 22:01 tmp

./var/run:
total 0
srw-------    1 root     root            0 Nov 26 21:57 ndc

./var/tmp:
total 1
-rw-r--r--    1 named    named           6 Nov 26 22:01 named.pid
Comment 1 Bernhard Rosenkraenzer 1999-11-30 09:26:59 EST
Thanks, I'll see if it breaks anything. (By the way, I think you *can* use
syslog by just creating a [root]/dev/log)
Comment 2 Elliot Lee 2000-02-03 11:48:59 EST
Information noted, and since this is documentation rather than a request to have
something fixed, closing.
