BIND chroot jail on Solaris

BIND 8 chroot jail

Note: I recommend upgrading to the latest BIND 9 release to take advantage of BIND 9's security features and security-focused code rewrite.

Thanks to Sean Boran for his "Installing BIND v8 chroot'ed on Solaris 7." Much of the information on this page was obtained from his installation guide.

In this BIND chroot jail example on a Solaris 7 server, the named daemon is executed as the named user (UID 53, GID 53). The chroot jail is the /home/dns directory. This document assumes BIND is already installed with binaries in /usr/local, configuration files in /usr/local/etc, and DNS data in /var/dns.

Upgrading your BIND chroot jail

If you already have a BIND chroot jail configured and want to upgrade to a new version of BIND, run the following commands after running make install. These steps assume you installed BIND to the standard /usr/local directory tree.

    # Refresh every shared library the new named and named-xfer link against.
    for i in `ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | awk '{print $3}'`
    do
        cp $i /home/dns/usr/lib
    done

    # Copy the new daemon and utilities into the jail.
    cd /home/dns/usr/local/sbin
    (cd /usr/local/sbin; tar cf - dnskeygen named* irpd ndc) | tar xvf -
    cd /home/dns/usr/local/bin
    (cd /usr/local/bin; tar cf - dnsquery dig host nslookup nsupdate) | tar xvf -

Restart BIND to enable the new version.

Creating an initial BIND chroot jail

To create a BIND chroot jail from scratch, perform the following steps:

1. Create the named user and the chroot jail.

    groupadd -g 53 named
    useradd -c "BIND DNS daemon" -d /home/named -g named -u 53 -s /bin/false named
    mkdir -m 750 /home/named
    cd /home/named
    mkdir -p dev opt usr var etc var/run var/log var/dns usr/local usr/lib usr/share/lib/zoneinfo
    # named needs these host configuration files inside the jail to resolve, log and keep time.
    cp /etc/syslog.conf /etc/netconfig /etc/nsswitch.conf /etc/resolv.conf /etc/TIMEZONE etc

2. Copy libraries into the chroot jail.

    for i in `ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | awk '{print $3}'`
    do
        cp $i /home/named/usr/lib
    done
    # The runtime linker itself is not listed by ldd.
    cp /usr/lib/ld.so.1 /home/named/usr/lib

3. Create device files in the chrooted environment.

    cd /home/named/dev
    mknod tcp c 11 42
    mknod udp c 11 41
    mknod log c 21 5
    mknod null c 13 2
    mknod zero c 13 12
    chgrp sys null zero
    mknod conslog c 21 0
    mknod syscon c 0 0
    chmod 620 syscon
    chgrp tty syscon
    chgrp sys conslog

4. Copy the timezone information into the chroot jail. Otherwise, BIND will use a GMT timestamp when sending messages to syslog. In this example, the TIMEZONE is US/Central.

    cd /home/named
    mkdir -p usr/share/lib/zoneinfo/US
    cp -p /usr/share/lib/zoneinfo/US/Central usr/share/lib/zoneinfo/US

5. Copy BIND to the chroot jail and set appropriate permissions.

    cd /home/named
    mkdir -p usr/local/bin usr/local/lib usr/local/sbin usr/local/bind usr/local/etc
    chmod 755 usr/local/bin usr/local/lib usr/local/sbin usr/local/bind usr/local/etc
    cd /home/named/usr/local/sbin
    (cd /usr/local/sbin; tar cf - dnskeygen named* irpd ndc) | tar xvf -
    cd /home/named/usr/local/bin
    (cd /usr/local/bin; tar cf - dnsquery dig host nslookup nsupdate) | tar xvf -
    cd /home/named/usr/local
    cp /usr/local/etc/named.conf etc
    (cd /usr/local; tar cf - bind) | tar xvf -
    chown -R root:named *
    chmod 775 etc
    cd /home/named/var/
    (cd /var/dns; tar cf - *) | tar xvf -
    cd /home/named
    # Everything stays owned by root; named only gets write access to var/run and var/log.
    chown -R root:named opt var
    chmod -R g-w var
    chmod -R o-rx .
    chmod g+w var/run var/log
    touch var/log/all.log var/run/named.pid
    chown named:named var/log/all.log var/run/named.pid
    # Strip setuid/setgid bits from every file copied into the jail.
    find . -type f | xargs chmod ug-s

6. Start BIND.

    /usr/local/sbin/named -u 53 -g 53 -t /home/named

Make sure to modify your BIND startup/shutdown script to execute BIND as a non-privileged user within the chroot jail. Compare your copy to the following /etc/init.d/named script.

    #!/bin/sh
    case $1 in
    'start')
        # -u/-g drop privileges to UID/GID 53; -t chroots named into the jail.
        /usr/local/sbin/named -u 53 -g 53 -t /home/named
        ;;
    'stop')
        # Matches any process with "named" on its ps line; the pid file named writes
        # to var/run/named.pid inside the jail is the more precise handle.
        kill `ps -ef | grep named | grep -v grep | awk '{print $2}'` > /dev/null 2>&1
        ;;
    *)
        echo "usage: $0 {start|stop}"
        ;;
    esac

Last modified: 05/14/2003
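As an added check, not part of the original page, the following POSIX shell function audits a jail built with the steps above for the properties those steps establish: the files, device nodes and directories they create are present, no setuid/setgid file survived step 5, nothing is world-writable, and every shared library named links against is inside the jail rather than only on the host. It runs on the host outside the jail; the paths and the /home/named location are assumed from this page's example.

```shell
#!/bin/sh
# Audit a BIND chroot jail laid out as in the steps above (paths assumed from this page).
# Files, device nodes and directories the steps create.
JAIL_REQUIRED_PATHS="dev/null dev/zero dev/tcp dev/udp dev/log dev/conslog dev/syscon \
etc/resolv.conf etc/syslog.conf etc/nsswitch.conf etc/TIMEZONE \
usr/lib/ld.so.1 usr/local/etc/named.conf usr/local/sbin/named usr/local/sbin/named-xfer \
var/run var/log usr/share/lib/zoneinfo"

# check_jail JAIL: print one line per finding; return 0 only if the jail is clean.
check_jail() {
    jail=$1
    status=0
    for p in $JAIL_REQUIRED_PATHS; do
        if [ ! -e "$jail/$p" ]; then
            echo "MISSING: $jail/$p"
            status=1
        fi
    done
    # Step 5 strips setuid/setgid from every file; any survivor is a finding.
    bad=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "SETUID/SETGID:"; echo "$bad"
        status=1
    fi
    # Nothing in the jail should be world-writable (symlinks skipped: their mode bits are meaningless).
    bad=$(find "$jail" ! -type l -perm -0002 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "WORLD-WRITABLE:"; echo "$bad"
        status=1
    fi
    # A library present on the host but missing from the jail only fails once named is chrooted.
    if command -v ldd >/dev/null 2>&1 && [ -x "$jail/usr/local/sbin/named" ]; then
        for lib in $(ldd "$jail/usr/local/sbin/named" 2>/dev/null | awk '$3 ~ /^\// {print $3}'); do
            if [ ! -e "$jail$lib" ]; then
                echo "LIB NOT IN JAIL: $lib"
                status=1
            fi
        done
    fi
    return $status
}

# Usage (jail path assumed from this page): check_jail /home/named
```

A non-zero exit with a MISSING line for a library or device node is the usual cause of a named that starts on the host but dies silently under -t.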