[ale] chroot-ed bind

Jonathan Rickman infosec at alltel.net
Wed Mar 28 20:51:41 EST 2001


On Wed, 28 Mar 2001, David Corbin wrote:

> I run a debian system (well, OK several).  I'm trying to harden the
> systems a little more, and now I'm working on bind.  If I reconfigure it
> to run "chroot-ed"...
>
> 	1) what files/directories are really required?

First run, ldd /usr/sbin/named or whatever your path is. Make a note of
the output. Everything else is common sense.

Make your filesystem...I.E.
/chroot/bind
/chroot/bind/dev
/chroot/bind/lib
/chroot/bind/etc
/chroot/bind/usr/sbin
/chroot/bind/var/named

or whatever you prefer...

Then put this stuff there...

/etc/named.conf
everything in /var/named
/etc/localtime
/etc/nsswitch.conf
mknod /chroot/bind/dev/null c 1 3
chmod 666 /chroot/bind/dev/null
/usr/sbin/named
/usr/sbin/named-xfer
the library files from above go in the lib directory...duh
chown -R named.named /chroot/bind/var/named/
chattr +i /chroot/bind/etc/named.conf
chattr +i /chroot/bind/etc/nsswitch.conf

Then fix up the syslog via startup scripts...no clue about deb specific
stuff.

> 2) is there a standard place in the filesystem to put "chroot-ed"
> filesystems?

I prefer to use /chroot, on a separate disk if possible.


> 3) would it be a very bad idea to create the chroot-ed system by
> having hard-links to the "same" files/directories in the real file
> system?

Terrible


> 4) any other warnings/suggestions or caveats?

Nope, it's very simple. I just can't understand why more admins don't
consider it.

Oh yeah...I almost forgot.

Get Slack.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net
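An added example, not code from Jonathan's post: a POSIX shell script that builds the chroot layout the reply describes, reading the library list from `ldd` instead of copying it by hand. The `/chroot/bind` root, the `build` argument and the `named:named` ownership are assumptions; the skeleton and immutable-config steps need root.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the layout from the reply.
set -eu

# Print the shared-object paths from ldd output on stdin, one per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare
# "/lib/ld-linux.so.2 (0x...)" form, skips the virtual vdso entry, and
# reports libraries ldd cannot resolve so the chroot is not silently short.
libs_from_ldd() {
    awk '
        $2 == "=>" && $3 == "not" { print "missing: " $1 > "/dev/stderr"; next }
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $1 ~ /^\//                { print $1 }
    '
}

# Copy one file into the chroot, keeping its absolute path under $1.
copy_into() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# Copy a binary plus every library ldd reports for it; echo the file count.
install_with_libs() {
    root=$1; bin=$2; n=0
    copy_into "$root" "$bin"; n=$((n + 1))
    for lib in $(ldd "$bin" | libs_from_ldd); do
        copy_into "$root" "$lib"; n=$((n + 1))
    done
    echo "$n"
}

# Directory layout from the post plus the /dev/null device (mknod needs root).
make_skeleton() {
    root=$1
    for d in dev lib etc usr/sbin var/named; do mkdir -p "$root/$d"; done
    [ -c "$root/dev/null" ] || mknod "$root/dev/null" c 1 3
    chmod 666 "$root/dev/null"
}

if [ "${1:-}" = "build" ]; then
    CHROOT=${CHROOT:-/chroot/bind}          # assumption: root from the post
    make_skeleton "$CHROOT"
    for b in /usr/sbin/named /usr/sbin/named-xfer; do install_with_libs "$CHROOT" "$b"; done
    for f in /etc/named.conf /etc/localtime /etc/nsswitch.conf; do copy_into "$CHROOT" "$f"; done
    cp -a /var/named/. "$CHROOT/var/named/"
    chown -R named:named "$CHROOT/var/named"
    chattr +i "$CHROOT/etc/named.conf" "$CHROOT/etc/nsswitch.conf"
fi
```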
