chrooting bind

Brad Knowles brad.knowles at skynet.be
Wed Aug 15 22:31:11 UTC 2001


At 2:17 PM -0500 8/15/01, Christopher L. Barnard wrote:

>  Because using named's built in -t flag means that the daemon starts in a
>  non-chrooted setup, and then once it is going it looks to the chrooted area
>  for the zone files, etc.  By starting the daemon already in the chrooted jail,
>  if someone by some preposterous chance is able to break in through the name
>  daemon itself, there is No Way (tm) he or she could see the rest of the
>  system.

	I hate to burst your bubble, but it is not particularly hard to 
break out of any chroot() jail, regardless of whether it was one that 
BIND created after setting up the things it needs, or one you set up 
before you started BIND.  Indeed, FreeBSD has a feature called jail() 
that is far more robust than chroot(), and even jail() isn't 
foolproof.

	Your only exposure with allowing BIND to perform the chroot() 
call is during the startup phase, and the BIND executable should be 
outside of the chroot() jail, so they should be unlikely to be able 
to make any modifications to the binary that would cause additional 
weakness during this startup period.

>  Yes, I am being overly, excessively, and absurdly cautious.

	IMO, you are doing this for no measurable benefit.  However, if 
you still want to, you're certainly welcome to do so.

	That said, I will observe that if you choose to use mechanisms 
other than the ones suggested by the BIND documentation, you 
will be largely out on your own and are unlikely to be able to get 
much in the way of help from anyone else.

-- 
Brad Knowles, <brad.knowles at skynet.be>
