Since the bind DNS server is publicly accessible, you will want to jail its user so that if bind is compromised, the attacker cannot reach the root system and compromise the entire OS. This section shows how to jail bind using chroot.
The first step is to give the daemon its own user and group and make that user the owner of its data. This ensures the daemon does not operate as root but in its own user space.
Start by creating the system-level user.
$ TARGETUSER="binder"
$ addgroup "$TARGETUSER"
$ adduser --system \
--home /home/"$TARGETUSER" \
--no-create-home \
--ingroup "$TARGETUSER" \
--disabled-password \
--disabled-login "$TARGETUSER"
Next, update the bind init script in /etc/init.d/bind
from:
start-stop-daemon --start
to:
start-stop-daemon --start --quiet --exec /usr/sbin/binder -- -g binder -u binder
Next, change the ownership of the credential file and the PID directory to that user:
$ mkdir -p /var/run/binder
$ chown binder:binder /etc/bind/rndc.key
$ chown binder:binder /var/run/binder
Add the new PID path, pointing at the directory just created, to the options block:
options {
...
pid-file "/var/run/binder/binder.pid";
};
Lastly, check that the restart and reload actions in the init script have been updated so they do not use the root account. They should read as follows:
reload)
    $0 stop
    sleep 1
    $0 start
    ;;
For maximum isolation, the daemon also needs to be chrooted.
The chroot directory has to contain everything the daemon depends on. Among the dependencies are:
dev/null
etc/bind/ - should hold named.conf and all the server zones
sbin/binder-xfer - if you do name transfers
var/run/binder/ - should hold the PID and the name server cache (if any); this directory needs to be writable by the named user
var/log/binder - if you set up logging to a file; needs to be writable by the named user
dev/log - syslogd should be listening here if named is configured to log through it
etc/bind/named.conf
etc/localtime
etc/group - with only a single line: "named:x:GID:"
etc/ld.so.cache - generated with ldconfig
lib/ld-2.3.6.so
lib/libc-2.3.6.so
lib/ld-linux.so.2 - symlinked to ld-2.3.6.so
lib/libc.so.6 - symlinked to libc-2.3.6.so
sbin/ldconfig - may be deleted after setting up the chroot
var/run/
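The dependency list above, turned into a check you can run against the jail directory before starting the daemon. This is an added example, not part of the original guide: the function names check_jail and make_sample_jail are hypothetical, and the jail path and account name are passed in as arguments.

```shell
#!/bin/sh
# Added example: audit a bind chroot tree against the dependency list above.
# The jail path and account name passed in are assumptions of this sketch.

# check_jail ROOT USER: print one line per problem; return 0 only if none.
check_jail() {
    root=$1 user=$2 bad=0
    problem() { echo "$1"; bad=1; }

    # Directories and files the list says must exist inside the jail.
    for d in etc/bind var/run var/run/binder; do
        [ -d "$root/$d" ] || problem "missing dir: $d"
    done
    for f in etc/bind/named.conf etc/localtime etc/group etc/ld.so.cache \
             lib/ld-linux.so.2 lib/libc.so.6; do
        [ -e "$root/$f" ] || problem "missing file: $f"
    done

    # dev/null has to be a character device, not a regular file.
    [ -c "$root/dev/null" ] || problem "dev/null is not a character device"

    # etc/group should carry a single line (the daemon's own group).
    if [ -f "$root/etc/group" ]; then
        n=$(grep -c '' "$root/etc/group" || true)
        [ "$n" -eq 1 ] || problem "etc/group has $n lines, expected 1"
    fi

    # Writable directories must belong to the jailed user
    # (var/log/binder is only checked when file logging is set up).
    for d in var/run/binder var/log/binder; do
        [ -d "$root/$d" ] || continue
        owner=$(ls -ld "$root/$d" | awk '{print $3}')
        [ "$owner" = "$user" ] || problem "$d owned by $owner, expected $user"
    done
    return $bad
}

# Constructed sample tree for a dry run (not a real jail); prints its path.
make_sample_jail() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/bind" "$t/var/run/binder" "$t/lib" "$t/dev"
    : > "$t/etc/bind/named.conf"
    : > "$t/etc/localtime"
    printf 'named:x:GID:\n' > "$t/etc/group"
    echo "$t"
}
```

Because `-e` follows symlinks, a dangling lib/ld-linux.so.2 or lib/libc.so.6 symlink is reported as missing, which catches a jail whose versioned library files were never copied in.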
That's all for jailing bind using chroot.