Is chroot really necessary?

Johan Nordin ray at nordin.st
Fri May 18 15:47:40 UTC 2001


1. Make a named user without a shell and no write access to the "system" first.
2. For the paranoid: chroot your system with that user.

Without step one done correctly step two is irrelevant; as always, this kind of comment can be a source of a large discussion :)

// Johan

----- Original Message -----
From: "Brad Knowles" <brad.knowles at skynet.be>
To: "Bush, Stephen" <Stephen.Bush at domainnames.com>; <bind-users at isc.org>
Sent: Thursday, May 17, 2001 5:35 PM
Subject: Re: Is chroot really necessary?


>
> At 4:16 PM +0100 5/17/01, Bush, Stephen wrote:
>
> >  I've been trying to get bind working correctly in a chrooted
> >  environment and tried just about every way, from the simple to the
> >  insane!  Does anyone think it is absolutely essential to run bind
> >  chrooted, or is this a technique directed to the Unix past rather
> >  than the present?  My dns servers are dedicated to doing that - no
> >  other web services are running.
>
> No, it's not strictly necessary.  However, there are always more
> and more ingenious attacks being devised and directed against
> machines these days, and any server running as root is a potentially
> easy path towards compromising the whole machine -- especially if
> "rootkits" are developed and handed over to the "skript kiddies".
>
> In that case, a single person could compromise the security of
> hundreds, thousands, tens of thousands, hundreds of thousands, or
> possibly even millions of machines all around the world, in just a
> few seconds, and with the push of a single button.  Trust me, you do
> not want to be in this kind of situation.
>
>
> Therefore, although BIND version 9 is much more secure than
> previous major releases, and every possible effort is taken to try to
> ensure that the program cannot be compromised, it is still a good
> idea to run the program in a chroot() environment, as an added layer
> of security.
>
> It may still be possible for the attacker to break out of a
> chroot() environment, but this tends to be more difficult and require
> a level of expertise that "skript kiddies" do not tend to have, and
> is difficult to program into a "rootkit".
>
> --
> Brad Knowles, <brad.knowles at skynet.be>
>
> /*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
> /*       Represented as 1045 digit prime number by Phil Carmody         */
> /*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
> /*                                                                      */
> /*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
> /*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */
>
> dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
>
>
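The two steps Johan lists (a dedicated account with no shell and no write access to the jailed "system", then a chroot for that user) and Brad's point about not leaving the daemon running as root, as an added shell example that is not part of the thread. It assumes a Linux host, a BIND 8/9 style `named` that accepts `-u <user>` and `-t <dir>`, `useradd`/`getent`/`mknod` from the usual packages, and a nologin shell at `/sbin/nologin`; the chroot path, the user name and the tree layout are constructed for illustration. The `audit_writable` function is the check a practitioner wants before step two: it reports anything inside the jail the daemon's group or anyone else could write, apart from the one data directory named is meant to write to.

```sh
#!/bin/sh
# Added example (not from the list thread). Assumptions: Linux, a named
# binary supporting -u/-t, useradd/getent/mknod available, /sbin/nologin
# present. CHROOT and NAMED_USER are constructed defaults; override via env.

CHROOT=${CHROOT:-/var/named-chroot}
NAMED_USER=${NAMED_USER:-named}

# Step 1: a system account with no login shell and no home directory.
# Needs root; safe to rerun.
make_named_user() {
    user=$1
    getent passwd "$user" >/dev/null 2>&1 && return 0
    useradd -r -d / -s /sbin/nologin "$user"
}

# Lay out the minimal tree named needs under $root. Every directory is
# 0755 (root-owned once chown_tree has run) so the daemon can read but not
# write the "system" inside the jail. The single exception is
# var/named/data, where named writes dumps and slave zones: 0770, handed
# to the daemon's group by chown_tree.
build_chroot_tree() {
    root=$1
    umask 022
    mkdir -p "$root/etc" "$root/dev" "$root/var/run" "$root/var/named/data"
    chmod 0755 "$root" "$root/etc" "$root/dev" "$root/var" \
               "$root/var/run" "$root/var/named"
    chmod 0770 "$root/var/named/data"
}

# Root-only finishing touches: ownership, plus the device nodes BIND 9
# wants inside the jail (Linux major/minor numbers for null and random).
chown_tree() {
    root=$1; user=$2
    chown -R root:root "$root"
    chown root:"$user" "$root/var/named/data"
    [ -e "$root/dev/null" ]   || mknod -m 666 "$root/dev/null"   c 1 3
    [ -e "$root/dev/random" ] || mknod -m 644 "$root/dev/random" c 1 8
}

# Check for Johan's "no write access to the system" condition: list any
# path under $root that is group- or world-writable, ignoring the intended
# data directory. Returns 0 when the jail is clean, 1 otherwise.
audit_writable() {
    root=$1
    bad=$(find "$root" ! -type l \( -perm -g+w -o -perm -o+w \) \
               ! -path "$root/var/named/data" \
               ! -path "$root/var/named/data/*")
    if [ -n "$bad" ]; then
        printf 'writable inside jail:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Step 2: start named confined to the tree and dropped to the unprivileged
# user. -t makes named chroot() before it reads its configuration, so the
# -c path is relative to the jail; -u makes it setuid() once the
# privileged setup (binding port 53) is done, so it never keeps root inside
# the jail.
start_named() {
    named -u "$NAMED_USER" -t "$CHROOT" -c /etc/named.conf
}

# Full install, root only:  sh thisscript install
if [ "${1:-}" = "install" ] && [ "$(id -u)" -eq 0 ]; then
    make_named_user "$NAMED_USER"
    build_chroot_tree "$CHROOT"
    chown_tree "$CHROOT" "$NAMED_USER"
    audit_writable "$CHROOT" && start_named
fi
```

`build_chroot_tree` and `audit_writable` need no privileges, so the layout and the writability check can be rehearsed in a scratch directory before touching the real host; only `make_named_user`, `chown_tree` and `start_named` require root.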