[ale] chroot-ed bind
Jonathan Rickman
infosec at alltel.net
Wed Mar 28 20:51:41 EST 2001
On Wed, 28 Mar 2001, David Corbin wrote:
> I run a debian system (well, OK several). I'm trying to harden the
> systems a little more, and now I'm working on bind. If I reconfigure it
> to run "chroot-ed"...
>
> 1) what files/directories are really required?
First run, ldd /usr/sbin/named or whatever your path is. Make a note of
the output. Everything else is common sense.
Make your filesystem...i.e.
/chroot/bind
/chroot/bind/dev
/chroot/bind/lib
/chroot/bind/etc
/chroot/bind/usr/sbin
/chroot/bind/var/named
or whatever you prefer...
Then put this stuff there...
/etc/named.conf
everything in /var/named
/etc/localtime
/etc/nsswitch.conf
mknod /chroot/bind/dev/null c 1 3
chmod 666 /chroot/bind/dev/null
/usr/sbin/named
/usr/sbin/named-xfer
the library files from above go in the lib directory...duh
chown -R named.named /chroot/bind/var/named/
chattr +i /chroot/bind/etc/named.conf
chattr +i /chroot/bind/etc/nsswitch.conf
Then fix up the syslog via startup scripts...no clue about deb specific
stuff.
> 2) is there a standard place in the filesystem to put "chroot-ed"
> filesystems?
I prefer to use /chroot, on a separate disk if possible.
> 3) would it be a very bad idea to create the chroot-ed system by
>having hard-links to the "same" files/directories in the real file
>system?
Terrible
>4) any other warnings/suggestions or caveats?
Nope, it's very simple. I just can't understand why more admins don't
consider it.
Oh yeah...I almost forgot.
Get Slack.
--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
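The steps in the reply above, scripted as an added example (not code from the original post or from the BIND project). It assumes the layout the post uses (/chroot/bind, /usr/sbin/named, /usr/sbin/named-xfer, a "named" user and group) and an ldd(1) whose output has the usual "lib => /path (addr)" form; the function names ldd_libs, install_into, chroot_missing and build_bind_chroot are this example's own. Libraries are copied under their original path inside the chroot rather than flattened into /lib, since that is where the dynamic loader will look for them; everything is copied, never hard-linked, so a compromised named cannot rewrite the real files through a shared inode.

```shell
#!/bin/sh
# Added example: build a minimal chroot for named along the lines of the post.
# Defaults match the post; pass another root as $1. Needs root for the
# mknod/chown/chattr steps in build_bind_chroot.

# Print the library paths found in ldd(1) output read on stdin.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and bare
# "/lib/ld-linux.so.2 (0x...)" lines, skips the vdso pseudo-library,
# and reports "not found" entries on stderr.
ldd_libs() {
    awk '
        /linux-vdso|linux-gate/ { next }
        /not found/             { print "missing: " $1 > "/dev/stderr"; next }
        /=>/                    { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//              { print $1 }
    '
}

# Copy one file into the chroot under the same path (a copy, not a hard link).
install_into() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# Print files that are missing from the chroot; return 1 if any are.
chroot_missing() {
    root=$1; shift
    rc=0
    for f in "$@"; do
        [ -e "$root$f" ] || { echo "$f"; rc=1; }
    done
    return $rc
}

build_bind_chroot() {
    root=${1:-/chroot/bind}
    bins="/usr/sbin/named /usr/sbin/named-xfer"
    mkdir -p "$root/dev" "$root/lib" "$root/etc" "$root/usr/sbin" "$root/var/named"

    # Binaries plus whatever ldd says they need.
    for b in $bins; do
        install_into "$root" "$b"
        ldd "$b" | ldd_libs | while read -r lib; do install_into "$root" "$lib"; done
    done
    # Config, zone data, timezone and name-service switch file.
    for f in /etc/named.conf /etc/localtime /etc/nsswitch.conf; do
        install_into "$root" "$f"
    done
    cp -pR /var/named/. "$root/var/named/"

    [ -c "$root/dev/null" ] || mknod "$root/dev/null" c 1 3
    chmod 666 "$root/dev/null"
    chown -R named:named "$root/var/named"
    chattr +i "$root/etc/named.conf" "$root/etc/nsswitch.conf"

    # Final check: report anything still missing.
    chroot_missing "$root" $bins /etc/named.conf /etc/localtime /etc/nsswitch.conf /dev/null
}
```

Run it as root with `build_bind_chroot /chroot/bind`; a non-zero exit means the listed files are still missing and named will not start inside the jail.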