21.6. Run ISC BIND/DNS in a chroot jail

The main benefit of a chroot jail is that the jail will limit the portion of the file system the DNS daemon program can see to the root directory of the jail. Additionally, since the jail only needs to support DNS, the programs related to ISC BIND/DNS available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail.

Important: The named binary program must be in a directory listed within your PATH environment variable for this to work. For the rest of the documentation, I'll assume the path of your original named program is /usr/sbin/named.

The following are the necessary steps to run ISC BIND/DNS software in a chroot jail:

We must find the shared library dependencies of named, named is the DNS daemon. These will need to be copied into the chroot jail later.

  1. To find the shared library dependencies of named, execute the following command:
    
 [root@deep] /# ldd /usr/sbin/named
     libc.so.6 => /lib/libc.so.6 (0x40017000)
     /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) 
     

  2. Make a note of the files listed above; you will need these later in our steps.

Now we must set up the chroot environment, and create the root directory of the jail. We've chosen /chroot/named because we want to put this on its own separate file system to prevent file system attacks. Early in our Linux installation procedure we created a special partition /chroot for this purpose.

  1. 
     [root@deep] /# /etc/rc.d/init.d/named stop (1) 
     

    (1)
    Require only if an existing named daemon is running.
    
 Shutting down named:                              [  OK  ]
     
    
 [root@deep] /# mkdir -p /chroot/named
     

  2. Next, create the rest of directories as follows:
    
 [root@deep] /# mkdir /chroot/named/dev
     [root@deep] /# mkdir /chroot/named/lib
     [root@deep] /# mkdir /chroot/named/etc
     [root@deep] /# mkdir -p /chroot/named/usr/sbin
     [root@deep] /# mkdir -p /chroot/named/var/run
     [root@deep] /# mkdir /chroot/named/var/named
     

  3. Now copy the main configuration file, the zone files, the named and the named-xfer programs into the appropriate places in the chroot jail directory:
    
 [root@deep] /# cp /etc/named.conf /chroot/named/etc/
     [root@deep] /# cd /var/named ; cp -a . /chroot/named/var/named/
     [root@deep] /# mknod /chroot/named/dev/null c 1 3
     [root@deep] /# chmod 666 /chroot/named/dev/null
     [root@deep] /# cp /usr/sbin/named /chroot/named/usr/sbin/
     [root@deep] /# cp /usr/sbin/named-xfer /chroot/named/usr/sbin/
     

    Important: The owner of the /chroot/named/var/named directory and all files in this directory must be the process name named under the slave server and only the slave server or you wouldn't be able to make a zone transfer.

  4. To make the named directory and all its files own by the named process name under the slave server, use the command:
    
 [root@deep] /# chown -R named.named /chroot/named/var/named/
     

Copy the shared libraries identified above to the chrooted lib directory:

 [root@deep] /# cp /lib/libc.so.6 /chroot/named/lib/
 [root@deep] /# cp /lib/ld-linux.so.2 /chroot/named/lib/
 

Copy the localtime and nsswitch.conf files to the chrooted etc directory so that log entries are adjusted for your local timezone properly:

 [root@deep] /# cp /etc/localtime /chroot/named/etc/
 [root@deep] /# cp /etc/nsswitch.conf /chroot/named/etc/
 

We must set some files under the /chroot/named/etc directory with the immutable bit enabled for better security:

  1. Set the immutable bit on nsswitch.conf file:
    
 [root@deep] /# cd /chroot/named/etc/
     [root@deep etc]# chattr  +i nsswitch.conf
     

  2. Set the immutable bit on named.conf file:
    
 [root@deep] /# cd /chroot/named/etc/
     [root@deep etc]# chattr  +i named.conf
     
    A file with the +i attribute cannot be modified, deleted or renamed; no link can be created to this file and no data can be written to it. Only the superuser can set or clear this attribute.

Add a new UID and a new GID for running the daemon named if this is not already set. This is important because running it as root defeats the purpose of the jail, and using a different user id that already exists on the system can allow your services to access each others' resources. Check the /etc/passwd and /etc/group files for a free UID/GID number available. In our example we'll use the number 53 and the name named.

 [root@deep] /#useradd -c DNS Server -u 53 -s /bin/false -r -d /chroot/named named 2>/dev/null || :