Home | Comics | Gallery | (Amazon| ThinkGeek) wishlist | Donations | Impressum | The Book of Postfix | Postfix - Einrichtung, Betrieb und Wartung | Blog

Running named 8.x and 9.x in a chroot (2) Environment on HP-UX 9.x, 10.x and 11.x

Brief History

The first "DNS" system, JEEVES, was written by Paul Mockapetris in 1983. It replaced the non-scaling hosts.txt file. In the early eighties, the Berkeley Internet Name Daemon (BIND) -- some call it bugg internaet name daemon -- was first created at the University of California at Berkeley in response to a government (DARPA) grant. It was maintained for some time at Berkeley and later became software maintained by DEC when Kevin Dunlap, an employee of DEC, worked at Berkeley. Later, Paul Vixie assumed the role of maintainer, and has recently announced that his role in maintaining BIND will cease with version 8.
Version 9.2.2 has been released recently.
Since 1997, CERT has published many documents describing various exploits and vulnerabilities with BIND.
ISC's BIND pages

Summary

Many people are running named on their hosts. named typically runs as root, and is a high value target.
The "Holy Grail" of hacking is the root compromise. If hackers are able to obtain "root" on a system, they are able to have complete control over the victimized system as well as potential access to other systems that have trusted relationships with the compromised system.
This page details a methodology for increasing security by running BIND-8.x and BIND-9.x in a chroot (2) environment on HP-UX 10.x and 9.x.
Since the advent of BIND-8.x the administrator doesn't have to manually chroot the named process by means of the chroot command, but can use the command-line option -t /directory/to/chroot/to/.

Security discussion

The biggest problem with named is that it was not designed for security (this has changed a little bit with BIND-9.x, which has been rewritten from scratch):

• CA-98.05.bind_problems
• CA-99-14-bind
• CA-2000-20
• CA-2000-03
• CA-2001-02
• CA-2002-19

Fortunately we can minimize the risk by running it as an unprivileged user in a chroot-jail.
There have been many discussions on the value of using the chroot mechanism and methods of breaking out of the filesystem -- even when the process does NOT have root privilege.
However, I feel that any mechanism that raises the barrier is helpful.
Needless to say that HP doesn't provide BIND-8.3.4 or BIND-9.2.2 for HP-UX 10.x -- only the deprecated BIND-4.9.7, and this even though 8.3.x and 9.2.x compile cleanly out of the box: They're are a bit behind the times...

Methodology

Step 0. Build BIND

You need an ANSI C capable compiler, e.g. gcc or the $$$ ANSI C compiler from HP.

• Download the source from http://www.isc.org/
• Verify the PGP signature using PGP or GNUpg.
• Unpack the archive using gunzip and tar
• ./configure --disable-threads --with-libtool
• make
• make install

If your HP-UX has threads, omit --disable-threads.

Step 1. Create an unprivileged user

Create an unprivileged user named and a group named it belongs to. Don't use an existing group or user!
For testing you can try chrooting named while still running as user root -- this makes it easier to spot whether an error is due to use of chroot or the change of running under the rights of an unprivileged user.

Step 2. Create the chroot filesystem and copy the files

Create the following directories (note the ownership and file permissions). Either do this by hand or go fetch Postfix (a sendmail replacement), which has examples/chroot-setup/HPUX in it's archive -- a script which sets up a chroot-jail for you (under /var/spool/postfix, you might need to change the script a little :)

While you're at it, please consider looking at Postfix.

drwxr-xr-x   6 root       sys           1024 Feb 26 12:10 /named-jail

named-jail:
drwxr-xr-x   2 root       sys           1024 Feb 25 13:09 dev
drwxr-xr-x   2 root       sys           1024 Feb 25 13:11 etc
drwxr-xr-x   4 root       sys           1024 Feb 26 12:10 usr
drwxr-xr-x   4 root       sys           1024 Feb 16 16:16 var

dev:
crw-rw-rw-   1 root       sys          3 0x000002 Feb 26 13:23 null

Create dev/null using mknod:

% mknod /named-jail/dev/null c 3 2

etc:
-rw-r--r--   1 root       sys             16 Feb 25 13:11 group

group is a copy of /etc/group that only contains a single entry -- the one for named.

-rw-r--r--   1 root       sys           4762 Feb 24 16:48 named.conf

usr:
drwxr-xr-x   2 root       sys           1024 Feb 16 16:19 sbin

   sbin:
   -rwxr-xr-x   1 root       sys         667684 Feb 25 13:42 named
   -rwxr-xr-x   1 root       sys         389152 Feb 25 13:42 named-xfer

These are the binaries copied into the jail. named-xfer is needed for zone transfers. With BIND-9.x, named-xfer doesn't exist any more, so you need not copy it.
Since named-xfer is invoked by named while already being in the jail, we must have some libraries in the jail.
On HP-UX you can use chatr ./named-xfer to find out which libraries are needed by named-xfer:

shared library list:
    dynamic   /usr/lib/libl.1
    dynamic   /usr/lib/libc.1

Besides these two we also need /usr/lib/dld.1 (since chatr /usr/lib/libc.1 tells us so; so you need to copy -p the following from /usr/lib/:

   lib:
   -r-xr-xr-x   1 bin        bin         114688 Feb  4  1999 dld.sl
   -r-xr-xr-x   1 bin        bin        1863680 Apr 11 19:19 libc.1
   lrwxr-x---   1 root       sys              6 Apr 11 19:43 libc.sl -> libc.1
   -r-xr-xr-x   1 bin        bin          12288 Feb  4  1999 libdld.1
   lrwxr-x---   1 root       sys              8 Apr 11 19:43 libdld.sl -> libdld.1
   -r-xr-xr-x   1 bin        bin          16384 Apr 11 19:19 libl.1
   lrwxr-x---   1 root       sys              6 Apr 11 19:42 libl.sl -> libl.1

var:
drwxr-xr-x   4 named      named         1024 Feb 25 13:10 named
drwxr-xr-x   2 named      named         1024 Feb 26 12:19 run

   named:
   drwxr-xr-x   2 root       sys           1024 Feb 24 18:26 master
   drwxr-xr-x   2 named      named         1024 Feb 26 11:44 slave
   (contain the zone files)

Since named runs as root before going to chroot-jail, there is no need to copy libraries into the chroot-jail.

Step 3. syslog

If you want all messages to go to what /etc/syslog.conf defines, you can start another syslogd process which uses a different named pipe which is in the /named-jail chroot filesystem. You can use the undocumented -p option to do this:

% syslogd -p /named-jail/dev/log

Don't forget to start this one at boottime, otherwise you'll see no messages!

Step 4. Operation

To start named chroot'd:

% ndc -c /named-jail/var/run/ndc start -t /named-jail/ -u named

To control named (BIND-8.2.3) using ndc:

% ndc -c /named-jail/var/run/ndc

To control named (BIND-9.1.1) using rndc:

% rndc

For rndc to work, you need to set up /etc/rndc.conf and /etc/named.conf correctly.

References

• local discussion
• see: BID (Bugtraq ID) 933 at http://www.securityfocus.com
  
• DNS and Bind, O'Reilly Books
  
• RFC 819
  
• A Brief History of BIND
  
• Hacking Exposed: Network Security Secrets and Solutions

© by Ralf Hildebrandt This document contains links to external information sources that I do neither monitor nor control. I explicitly disclaim any liabilities in respect to external references. You are getting this document without any guarantees. Any methods shown above are meant as demonstration and may be wrong in some place. You may damage your system if you try to follow my hints and instructions. You do this at your own risk!

This file was last modified 07. Jul 2008 by root