Home | Comics | wishlist | Impressum | Datenschutzerklärung | 126.96.36.199
The first "DNS" system, JEEVES, was written by Paul Mockapetris in
1983. It replaced the non-scaling hosts.txt file. In the early eighties, the Berkeley
Internet Name Daemon (BIND) -- some call it bugg
internaet name daemon -- was first created at the University of
California at Berkeley in response to a government (DARPA) grant. It
was maintained for some time at Berkeley and later became software
maintained by DEC when Kevin Dunlap, an employee of DEC, worked at
Berkeley. Later, Paul Vixie assumed the role of maintainer, and has
recently announced that his role in maintaining BIND will cease with version 8.
Version 9.2.2 has been released recently.
Since 1997, CERT has published many documents describing various exploits and vulnerabilities with BIND.
ISC's BIND pages
Many people are running named
on their hosts. named typically runs as root, and is a
high value target.
The "Holy Grail" of hacking is the root compromise. If hackers are able to obtain "root" on a system, they are able to have complete control over the victimized system as well as potential access to other systems that have trusted relationships with the compromised system.
This page details a methodology for increasing security by running BIND-8.x and BIND-9.x in a chroot (2) environment on HP-UX 10.x and 9.x.
Since the advent of BIND-8.x the administrator doesn't have to manually chroot the named process by means of the chroot command, but can use the command-line option -t /directory/to/chroot/to/.
The biggest problem with named is that it was not designed for security (this has changed a little bit with BIND-9.x, which has been rewritten from scratch):
Fortunately we can minimize the risk by running it as an unprivileged user
in a chroot-jail.
There have been many discussions on the value of using the chroot mechanism and methods of breaking out of the filesystem -- even when the process does NOT have root privilege.
However, I feel that any mechanism that raises the barrier is helpful.
Needless to say that HP doesn't provide BIND-8.3.4 or BIND-9.2.2 for HP-UX 10.x -- only the deprecated BIND-4.9.7, and this even though 8.3.x and 9.2.x compile cleanly out of the box: They're are a bit behind the times...
You need an ANSI C capable compiler, e.g. gcc or the $$$ ANSI C compiler from HP.
If your HP-UX has threads, omit --disable-threads.
Create an unprivileged user named and a group named it
belongs to. Don't use an existing group or user!
For testing you can try chrooting named while still running as user root -- this makes it easier to spot whether an error is due to use of chroot or the change of running under the rights of an unprivileged user.
Create the following directories (note the ownership and file permissions). Either do this by hand or go fetch Postfix (a sendmail replacement), which has examples/chroot-setup/HPUX in it's archive -- a script which sets up a chroot-jail for you (under /var/spool/postfix, you might need to change the script a little :)
While you're at it, please consider looking at Postfix.
drwxr-xr-x 6 root sys 1024 Feb 26 12:10 /named-jail named-jail: drwxr-xr-x 2 root sys 1024 Feb 25 13:09 dev drwxr-xr-x 2 root sys 1024 Feb 25 13:11 etc drwxr-xr-x 4 root sys 1024 Feb 26 12:10 usr drwxr-xr-x 4 root sys 1024 Feb 16 16:16 var dev: crw-rw-rw- 1 root sys 3 0x000002 Feb 26 13:23 null
Create dev/null using mknod:
% mknod /named-jail/dev/null c 3 2 etc: -rw-r--r-- 1 root sys 16 Feb 25 13:11 group
group is a copy of /etc/group that only contains a single entry -- the one for named.
-rw-r--r-- 1 root sys 4762 Feb 24 16:48 named.conf usr: drwxr-xr-x 2 root sys 1024 Feb 16 16:19 sbin sbin: -rwxr-xr-x 1 root sys 667684 Feb 25 13:42 named -rwxr-xr-x 1 root sys 389152 Feb 25 13:42 named-xfer
These are the binaries copied into the jail. named-xfer is needed
for zone transfers. With BIND-9.x, named-xfer doesn't exist any
more, so you need not copy it.
Since named-xfer is invoked by named while already being in the jail, we must have some libraries in the jail.
On HP-UX you can use chatr ./named-xfer to find out which libraries are needed by named-xfer:
shared library list: dynamic /usr/lib/libl.1 dynamic /usr/lib/libc.1
Besides these two we also need /usr/lib/dld.1 (since chatr /usr/lib/libc.1 tells us so; so you need to copy -p the following from /usr/lib/:
lib: -r-xr-xr-x 1 bin bin 114688 Feb 4 1999 dld.sl -r-xr-xr-x 1 bin bin 1863680 Apr 11 19:19 libc.1 lrwxr-x--- 1 root sys 6 Apr 11 19:43 libc.sl -> libc.1 -r-xr-xr-x 1 bin bin 12288 Feb 4 1999 libdld.1 lrwxr-x--- 1 root sys 8 Apr 11 19:43 libdld.sl -> libdld.1 -r-xr-xr-x 1 bin bin 16384 Apr 11 19:19 libl.1 lrwxr-x--- 1 root sys 6 Apr 11 19:42 libl.sl -> libl.1 var: drwxr-xr-x 4 named named 1024 Feb 25 13:10 named drwxr-xr-x 2 named named 1024 Feb 26 12:19 run named: drwxr-xr-x 2 root sys 1024 Feb 24 18:26 master drwxr-xr-x 2 named named 1024 Feb 26 11:44 slave (contain the zone files)
Since named runs as root before going to chroot-jail, there is no need to copy libraries into the chroot-jail.
If you want all messages to go to what /etc/syslog.conf defines, you can start another syslogd process which uses a different named pipe which is in the /named-jail chroot filesystem. You can use the undocumented -p option to do this:
% syslogd -p /named-jail/dev/log
Don't forget to start this one at boottime, otherwise you'll see no messages!
To start named chroot'd:
% ndc -c /named-jail/var/run/ndc start -t /named-jail/ -u named
To control named (BIND-8.2.3) using ndc:
% ndc -c /named-jail/var/run/ndc
To control named (BIND-9.1.1) using rndc:
For rndc to work, you need to set up /etc/rndc.conf and /etc/named.conf correctly.
© by Ralf Hildebrandt
This document contains links to external information sources that I do neither monitor nor control. I explicitly disclaim any liabilities in respect to external references.
You are getting this document without any guarantees. Any methods shown above are meant as demonstration and may be wrong in some place. You may damage your system if you try to follow my hints and instructions. You do this at your own risk!
This file was last modified 07. Jul 2008 by root