Date: Sat, 6 Jun 1998 12:53:47 -0400 (EDT)
From: "Craig H. Rowland" <crowland@psionic.com>
To: linux-security@redhat.com
Subject: [linux-security] Paper: Running BIND in a chroot() protected environment.

Hello,

I traditionally have always run BIND in a chroot() environment and always
recommend admins do the same because this program is rather complicated in
its functionality. This can provide a high degree of protection from a
lot of nonsense that a person may wish to throw at you.

To facilitate setting up BIND in a chroot() environment for other admins,
I typed up a document last week to detail how to do it under OpenBSD
(because that is what my SMTP/DNS/WWW servers run [no flames please]).

Since I also use Linux for many applications and the majority of my
development, I've done a quick re-write to apply the same information for
RedHat Linux and what I suspect to be most variants. 

The documents only apply to version 8.1.x because I feel that people
should migrate to this version. Also 8.1.x has a not-so-well-documented
feature where you can tell it to run under a different UID/GID and
chroot() to the directory after it initializes. These options are:

-u <UID>
-g <GID>
-t <chroot dir>

This means that named will be able to bind as root and then quickly drop
privilege and contain operations to a safe directory free of pesky
binaries such as /bin/sh. Much better than the default
run-everything-as-root configuration.

There are a few small hurdles to cross to get it to work under Linux, but
nothing extraordinary. Please check out the documents here:

http://www.psionic.com/papers/dns.html

This document is largely based off of Adam Shostack's original paper that
detailed setting up BIND under chroot() on Solaris. This document can be
had from:

http://www.homeport.org/~adam/dns.html


PLEASE NOTE: I have limited experience running BIND under Linux in a
chroot() fashion. The document expresses this and I'm encouraging people
who have a problem in following the information to please write me
directly so I can change/update. Full credit will be given to
all suggestions used.

I'll also be following this up with a document to describe how to run
Apache under chroot(). Another thing that many sites should probably do.


Thanks,


-- Craig
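
Added example, not part of the original post or the linked papers: a shell check that a directory intended for `named -t <chroot dir>` really is free of shells, setuid/setgid files and world-writable paths. The helper names `audit_jail` and `build_sample_jail` and the sample directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory meant to be passed to named's -t option.
# audit_jail and build_sample_jail are hypothetical helper names.

# Print one finding per line; return 0 if clean, 1 if findings, 2 on bad input.
audit_jail() {
    jail=$1
    if [ ! -d "$jail" ]; then
        echo "ERROR not a directory: $jail" >&2
        return 2
    fi
    findings=$(
        # Shell interpreters by name: the "pesky binaries such as /bin/sh".
        find "$jail" \( -type f -o -type l \) \
            \( -name sh -o -name bash -o -name ash -o -name dash \
               -o -name csh -o -name tcsh -o -name ksh -o -name zsh \) \
            -exec printf 'SHELL %s\n' {} \;
        # setuid/setgid files are a way back to privilege after -u/-g drop it.
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'SETID %s\n' {} \;
        # World-writable files or directories inside the jail.
        find "$jail" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'WORLD_WRITABLE %s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample tree for demonstration; this layout is illustrative only.
build_sample_jail() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/etc" "$d/var/run"
    : > "$d/etc/named.conf"
    printf '#!/bin/false\n' > "$d/bin/sh"      # stray shell left in the jail
    chmod 755 "$d/bin/sh"
    chmod 777 "$d/var/run"                     # too-permissive directory
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    j=$(build_sample_jail)
    audit_jail "$j" || echo "jail needs cleanup before use with named -t"
    rm -rf "$j"
fi
```

Run it with `--demo` to see the findings for the constructed tree, or source it and call `audit_jail` on a real jail directory before starting named.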
