Solaris DNS : chroot the BIND DNS server
The idea behind running BIND in a chroot jail is to limit the amount of access any malicious individual could gain by exploiting vulnerabilities in BIND. It is for the same reason that we run BIND as a non-root user. This should be considered as a supplement to the normal security precautions (running the latest version, using access control, etc.), certainly not as a replacement for them.
The process described below prevents access to the “/” (root) directory if BIND is hacked. It is possible with BIND version 8 or above, and is supported on Solaris 8 or above.
1. Create the user who will be running BIND. Don’t run BIND as root.
useradd -g nobody -s /usr/bin/false dnsguy
2. Create chroot directory and set permissions:
mkdir -p /chroot/etc /chroot/var /chroot/var/run
chown dnsguy /chroot/var/run
chgrp nobody /chroot/var/run
3. Move zone and named.conf files over:
mv /etc/named.conf /chroot/etc
mv /var/named /chroot/var/named
4. Copy some more /etc/ files over:
cp /etc/TIMEZONE /etc/profile /chroot/etc
5. Start in.named:
/usr/sbin/in.named -u dnsguy -t /chroot
1 Response
[…] Read – chroot the BIND DNS server […]