Since the bind DNS server is publicly accessible, you will want to jail its user, so that if bind is compromised the attacker cannot reach the root account and compromise the entire OS. This section guides you through jailing bind using chroot.
The first thing to do is to run the daemon under its own user and group, so that it is not operating as root but within its own user space. Start by creating the system-level user:
    $ TARGETUSER="binder"
    $ addgroup "$TARGETUSER"
    $ adduser --system \
        --home /home/"$TARGETUSER" \
        --no-create-home \
        --ingroup "$TARGETUSER" \
        --disabled-password \
        --disabled-login "$TARGETUSER"

Next, update the bind init script in /etc/init.d/bind from:
    start-stop-daemon --start

to:

    start-stop-daemon --start --quiet --exec /usr/sbin/binder -- -g binder -u binder

Then change the ownership of the credential files and the run directory to that user using:
    $ mkdir -p /var/run/binder
    $ chown binder:binder /etc/bind/rndc.key
    $ chown binder:binder /var/run/binder

Add the new PID path with the created location:
    options {
        ...
        pid-file "/var/run/binder/binder.pid";
    };

Lastly, check that the restart and reload targets of the init script are updated so that they do not use the root account. They should read as follows:
    reload)
        $0 stop
        sleep 1
        $0 start

To achieve maximum isolation, chrooting is needed to ensure the service is fully jailed.
You then need to set up the chroot to jail the owner. Among the dependencies inside the chroot are:

- dev/null
- etc/bind/ - should hold named.conf and all the server zones
- sbin/binder-xfer - if you do name transfers
- var/run/binder/ - should hold the PID and the name server cache (if any); this directory needs to be writable by the named user
- var/log/binder - if you set up logging to a file, needs to be writable by the named user
- dev/log - syslogd should be listening here if named is configured to log through it
- etc/bind/named.conf
- etc/localtime
- etc/group - with only a single line: "named:x:GID:"
- etc/ld.so.cache - generated with ldconfig
- lib/ld-2.3.6.so
- lib/libc-2.3.6.so
- lib/ld-linux.so.2 - symlinked to ld-2.3.6.so
- lib/libc.so.6 - symlinked to libc-2.3.6.so
- sbin/ldconfig - may be deleted after setting up the chroot
- var/run/

That's all for jailing bind using chroot.
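As an added example (not from the original page), the following shell functions create the directory skeleton listed above under an assumed chroot root and then verify that the listed dependencies are present, that var/run/binder is writable, and that etc/group holds a single line; the function names and the root path are assumptions.

```shell
#!/bin/sh
# Added example: skeleton and sanity check for a bind chroot.
# The chroot root passed as $1 is an assumption (e.g. /var/bind-chroot).

# Create the directory tree the text lists under the chroot root.
make_bind_chroot_skeleton() {
    root="$1"
    for d in dev etc/bind sbin lib var/run/binder var/log/binder; do
        mkdir -p "$root/$d"
    done
    # dev/null and dev/log are device/socket nodes; on a real host create
    # dev/null with:  mknod -m 666 "$root/dev/null" c 1 3
    # and point syslogd at "$root/dev/log". Only directories are made here.
}

# Verify the dependencies the text lists. Prints each problem to stderr and
# returns 1 if anything is missing or wrong, 0 if the chroot looks complete.
check_bind_chroot() {
    root="$1"
    bad=0
    for p in dev/null etc/bind/named.conf etc/localtime etc/group \
             etc/ld.so.cache lib/ld-linux.so.2 lib/libc.so.6 \
             var/run/binder var/log/binder; do
        if [ ! -e "$root/$p" ]; then
            echo "missing: $root/$p" >&2
            bad=1
        fi
    done
    # The named user must be able to write its PID file and cache here.
    if [ -d "$root/var/run/binder" ] && [ ! -w "$root/var/run/binder" ]; then
        echo "not writable: $root/var/run/binder" >&2
        bad=1
    fi
    # etc/group inside the jail should contain only the named user's group.
    if [ -f "$root/etc/group" ] && [ "$(grep -c '' "$root/etc/group")" -ne 1 ]; then
        echo "etc/group should contain a single line" >&2
        bad=1
    fi
    return $bad
}

# Usage: make_bind_chroot_skeleton /var/bind-chroot
#        (populate named.conf, libraries, etc/group, device nodes)
#        check_bind_chroot /var/bind-chroot && echo "chroot complete"
```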