Thursday, August 25, 2005

About this Blog

This site was created after helping numerous people over the years with similar issues: locking down the OS of systems, web server issues (Apache or Sun ONE), application server issues (WebSphere and ColdFusion), and application security issues. Penetration testing, stress testing, finding application bugs... I hope to have it all here and more!



Chroot Bind 9 How to - FreeBSD


This document describes installing the BIND 9 nameserver to run in a
chroot jail and as a non-root user, to provide added security and minimise the potential effects of a security compromise. It covers BIND 9 only, on FreeBSD.






Michael Johnson

V1.1 May 4, 2002


Credits:


  • Most people put this at the end, but a lot of people don't make it that far, so I am putting it at the beginning.

  • Most of this document was based on Scott Wunsch's Chroot-BIND HOWTO, but I found a lot of things missing. You can find his

    HOWTO, with a bit more detail, at: http://www.losurs.org/docs/howto/Chroot-BIND.html

  • Rich Mirch, for looking over my setup and commenting on security and configuration.





1. Introduction


This is the Chroot-BIND HOWTO for FreeBSD. It is assumed that you already know how to configure and use BIND (the Berkeley

Internet Name Domain). If not, please go read the DNS HOWTO and get a good understanding of DNS.


1.1 Latest version


The latest version of this can be found at http://www.setuid.us/HowTo/Chroot-Bind-Howto.html


1.2 System


The following worked on my systems, which are FreeBSD 4.4-stable (one with an Intel chipset and one with a Cyrix chipset). It also worked on

FreeBSD 4.5-stable with SMP. I hope you have as much luck as I did.


1.3 Disclaimer


The contents of this document worked for me on the systems mentioned above. I have seen a number of different setups that

work equally well. This is just how I decided to do it. I have only installed BIND on BSD/Solaris, but with slight modifications it

should be portable across the different flavors of UNIX... sometimes those slight modifications are the ones that you can't figure out

why it's not working! If you have any comments/updates please send them and I will update this document in a timely manner.


2 Pre-Install
2.1 Create Non-root User


Create the user you want bind to run as. I used named. This should create a named group as well.



FreeBSD

pw user add named -s /sbin/nologin -d /usr/local/named -c "Bind User"

2.2 Create Directory Structure


I like to keep everything under /usr/local/ so mine is as follows:

/usr/local/
+-- named
    +-- dev
    +-- etc
    |   +-- namedb
    |       +-- slave
    +-- var
        +-- run


Note: other directories (sbin, lib, include, man) will be created by configure/make install.


FreeBSD

mkdir -p /usr/local/named
cd /usr/local/named
mkdir -p dev etc/namedb/slave var/run


2.3 Configure/Make/Install bind


Since we have not installed BIND into our new directory structure yet, let's do it now.


FreeBSD

tar -zxvf bind-9.x.x.tar.gz

cd bind-9.x.x



I configured with threads (--enable-threads); if you want them, go for it, if not, leave the option out.



FreeBSD

./configure --prefix=/usr/local/named/ --enable-threads

make install



Now you should see new directories under /usr/local/named



2.4 Bind Data Files


If you already had BIND installed and set up, copy the data files from your current install to the new install path.
If you did not have BIND installed before, make install has just put some new files into /etc.
We need to move those files from /etc into our new BIND home directory.
Then set ownership so that the named user can read the configuration but only write where it has to.


FreeBSD

cp -p /etc/named.conf /usr/local/named/etc/

cp -Rp /var/named/* /usr/local/named/etc/namedb/

chmod 755 /usr/local/named

cd /usr/local/named

chown -R root:named etc

chmod -R g-w etc

chown named:named etc/namedb/slave var/run


(cp -a is a GNU option that FreeBSD 4.x cp does not have; -Rp is the equivalent. The first version of this recipe did chown -R named:named etc, which hands the daemon write access to its own named.conf and master zones. Keeping those root-owned and group-readable, with only the slave-zone directory and var/run writable by named, means that a compromised named cannot rewrite its configuration or zone data, which is a large part of the reason for the jail.)





2.5 System support files

For bind to work we need certain system files.

FreeBSD

mknod /usr/local/named/dev/null c 2 2

mknod /usr/local/named/dev/random c 2 3

chmod 666 /usr/local/named/dev/null

chmod 666 /usr/local/named/dev/random

(These major/minor numbers are for FreeBSD 4.x; confirm them with ls -l /dev/null /dev/random before running mknod, since a node with the wrong numbers points at a different driver. On FreeBSD 5 and later /dev is devfs and you mount a restricted devfs into the jail instead of creating nodes by hand.)



You will need files from /etc as well

FreeBSD

cp /etc/localtime /usr/local/named/etc

named looks up the -u user with getpwnam(3) before it drops privileges, and because it starts as root, FreeBSD's getpwnam reads spwd.db, the database that holds the password hashes for every account on the box. Rather than copy the real /etc/passwd, /etc/group and /etc/spwd.db into the jail, build a set that contains only the named user:

grep '^named:' /etc/master.passwd > /usr/local/named/etc/master.passwd.tmp

grep '^named:' /etc/group > /usr/local/named/etc/group

pwd_mkdb -d /usr/local/named/etc /usr/local/named/etc/master.passwd.tmp

(pwd_mkdb -d writes pwd.db and spwd.db under the given directory instead of /etc, and installs the input file there as master.passwd. If you do copy the system files as the first version of this recipe did, strip every entry other than named first. Alternatively, BIND's own -t /usr/local/named option makes named chroot itself after it has looked the user up outside the jail, which removes the need for passwd files in the jail altogether; this HOWTO uses chroot(8) instead.)



We also need some libs. Run ldd against the binary to see exactly which ones it wants; on FreeBSD 4.x a threaded named needs libc_r and the ELF runtime loader, which ldd does not list.

FreeBSD

ldd /usr/local/named/sbin/named
cd /usr/local/named/
mkdir -p usr/lib usr/libexec
cp -p /usr/lib/libc_r.so.4 /usr/local/named/usr/lib
cp -p /usr/libexec/ld-elf.so.1 /usr/local/named/usr/libexec


2.5.1 System support files security


I would tighten permissions on the files in our new etc directory: set the system-immutable flag (chflags schg) on the static ones and restrict them to the named user, root and wheel.
This is up to you (it could break some things): an schg file cannot be modified or replaced even by root while the securelevel is above 0, and schg on a directory stops entries being added or removed, so keep it off anything named must write, such as var/run and the slave-zone directory.

chflags schg /usr/local/named/etc/localtime /usr/local/named/etc/namedb/named.conf

(and the master zone files under etc/namedb, but not etc/namedb/slave.)
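The steps in 2.2, 2.4, 2.5 and 2.5.1 as one script, added here as an example and not part of the original HOWTO: it lays out the directory tree with the modes argued for above (root owns everything, named writes only etc/namedb/slave and var/run), pulls in the shared objects ldd reports for the named binary plus the FreeBSD 4.x loader, and audits the result for setuid, setgid or world-writable entries. The names mkjail.sh, build_skeleton, libs_from_ldd, copy_libs and audit_jail are the editor's own; the ldd output format assumed is FreeBSD's "lib => /path (0x...)" and the loader path is /usr/libexec/ld-elf.so.1 as used in the text.

```sh
#!/bin/sh
# mkjail.sh - build and audit the BIND chroot skeleton from section 2.
# Added example, not part of the original HOWTO.  Function and variable
# names are the editor's own; paths assume FreeBSD 4.x as in the text.
JAIL=${JAIL:-/usr/local/named}
NAMED_USER=${NAMED_USER:-named}
LOADER=${LOADER:-/usr/libexec/ld-elf.so.1}   # not listed by ldd, copied by hand

# Directory layout of 2.2 with least-privilege modes: root owns and only
# root writes, except the slave-zone directory and var/run, which named
# must write (their group is named, so 770 there).
build_skeleton() {
    root=$1
    mkdir -p "$root/dev" "$root/etc/namedb/slave" "$root/var/run" \
             "$root/usr/lib" "$root/usr/libexec" "$root/sbin"
    chmod 755 "$root" "$root/dev" "$root/etc" "$root/etc/namedb" \
              "$root/usr" "$root/usr/lib" "$root/usr/libexec" \
              "$root/var" "$root/sbin"
    chmod 770 "$root/etc/namedb/slave" "$root/var/run"
    # ownership can only be set as root, and only if the account exists
    if [ "$(id -u)" -eq 0 ] && id "$NAMED_USER" >/dev/null 2>&1; then
        chown -R root:"$NAMED_USER" "$root/etc" "$root/var"
    fi
}

# Turn ldd(1) output ("libc_r.so.4 => /usr/lib/libc_r.so.4 (0x...)")
# into the resolved library paths, one per line.
libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Copy every shared object a binary needs, plus the runtime loader,
# into the jail at the same path it has on the host.
copy_libs() {
    root=$1; bin=$2
    for lib in $(ldd "$bin" | libs_from_ldd) "$LOADER"; do
        mkdir -p "$root$(dirname "$lib")"
        cp -p "$lib" "$root$lib"
    done
}

# Audit: nothing under the jail (device nodes excepted) may be setuid,
# setgid or world-writable.  Prints offenders and returns 1 if any.
audit_jail() {
    root=$1
    bad=$(find "$root" -path "$root/dev" -prune -o \
          \( -type f -o -type d \) \
          \( -perm -4000 -o -perm -2000 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf 'insecure modes in jail:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage, as root after "make install":  sh mkjail.sh /usr/local/named
if [ $# -eq 1 ]; then
    build_skeleton "$1"
    copy_libs "$1" "$1/sbin/named"
    audit_jail "$1"
fi
```

Run the audit again after every change to the jail (new zone files, a BIND upgrade); a setuid binary or a world-writable directory inside a chroot is exactly what an attacker who has code execution as named needs to get back out.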



2.6 Syslog Modification


Next we need to change how syslog is going to log in the chroot env.


FreeBSD

add this line or modify your current line

vi /etc/rc.conf

syslogd_flags="-s -l /usr/local/named/dev/log"



Stop and Start syslog.

3. Bind Data File Changes

3.1 named.conf


We need to edit a few lines in our named.conf file. I keep mine in /usr/local/named/etc/namedb; some people like to keep it in

/usr/local/named/etc. It's up to you. Remember that named runs with /usr/local/named as its root, so every path in named.conf is written relative to the jail, not to the real filesystem.


Add or modify the following in the options block:

FreeBSD

directory "/etc/namedb";

pid-file "/var/run/named.pid";

statistics-file "/var/run/named.stats";

If your BIND release ships named-checkconf, its -t option checks the file the way named will see it from inside the jail: named-checkconf -t /usr/local/named /etc/namedb/named.conf

4. Startup


4.1 Init startup script


I like to put this script into /usr/local/etc/rc.d/ as named.sh (on FreeBSD 4.x only *.sh files in that directory are run at boot).
That way it will stop and start on boot. You can do it from rc.conf or wherever you like to start your daemons.


#!/bin/sh
# /usr/local/etc/rc.d/named.sh - start/stop the chrooted named.
# Paths outside the jail are absolute; paths handed to named are
# relative to the chroot.
JAIL=/usr/local/named
PIDFILE=$JAIL/var/run/named.pid

case "$1" in
start)
	echo -n "Starting named: "
	chroot $JAIL /sbin/named -u named -c /etc/namedb/named.conf && echo "named"
	;;
stop)
	echo -n "Shutting down named: "
	# killproc is a Red Hat init helper and does not exist on FreeBSD;
	# signal the pid that named wrote inside the jail instead.
	if [ -f $PIDFILE ]; then
		kill `cat $PIDFILE` && echo "named"
		rm -f $PIDFILE
	else
		echo "not running (no $PIDFILE)"
	fi
	;;
restart)
	$0 stop
	sleep 1
	$0 start
	;;
reload)
	# rndc runs outside the jail and talks to named over the control
	# channel, so it needs its own working rndc.conf/key.
	$JAIL/sbin/rndc reload
	;;
status)
	if [ -f $PIDFILE ] && kill -0 `cat $PIDFILE` 2>/dev/null; then
		echo "named is running, pid `cat $PIDFILE`"
	else
		echo "named is not running"
		exit 1
	fi
	;;
*)
	echo "Usage: $0 {start|stop|restart|reload|status}"
	exit 1
	;;
esac

exit 0





4.2 Start Bind


chroot /usr/local/named/ /sbin/named -u named -c /etc/namedb/named.conf


4.3 Start Failed what should I do?


If this does not work, first look at permissions. su to the user you created and make sure that user can see and access everything. I had my named directory 700 root:wheel, which prevented me from starting at first. A quick fix is to chown -R named:named /usr/local/named, then change back to root the files you think don't need that ownership (treat that as a diagnostic only; section 2.4 leaves named owning nothing but the slave-zone directory and var/run). If that fails, run named under truss to see which file it is missing or where it is breaking. truss writes to stderr, so send it to a file rather than piping stdout to more:



truss -o /tmp/named.truss chroot /usr/local/named/ /sbin/named -u named -c /etc/namedb/named.conf

egrep 'ENOENT|EACCES' /tmp/named.truss | more




Chroot Bind 9 How to - Solaris 8

This document describes installing the BIND 9 nameserver to run in a
chroot jail and as a non-root user, to provide added security and minimise the potential effects of a security compromise. It covers BIND 9 only, on Solaris.








Michael Johnson

V1.0 DEC 28, 2002


Credits:


  • Most people put this at the end, but a lot of people don't make it that far, so I am putting it at the beginning.

  • Rich Mirch, for looking over my setup and commenting on security and configuration.





1. Introduction


This is the Chroot-BIND HOWTO for Solaris. It is assumed that you already know how to configure and use BIND (the Berkeley

Internet Name Domain). If not, please go read the DNS HOWTO and get a good understanding of DNS.


1.1 Latest version


The latest version of this can be found here!


1.2 System


The following worked on my system, which is Solaris 8 (one processor).

I hope you have as much luck as I did.


1.3 Disclaimer


The contents of this document worked for me on the system mentioned above. I have seen a number of different setups that

work equally well. This is just how I decided to do it. I have only installed BIND on BSD/Solaris, but with slight modifications it

should be portable across the different flavors of UNIX... sometimes those slight modifications are the ones that you can't figure out

why it's not working! If you have any comments/updates please send them and I will update this document in a timely manner.


2 Pre-Install



2.1 Create Non-root User


Create the user you want BIND to run as. I used named. On Solaris the group is not created for you, so add it first and give the account a shell nobody can log in with.



Solaris 8

groupadd named

useradd -d /usr/local/named -g named -s /bin/false named

(you might need to specify a gid/uid for groupadd and useradd if the defaults collide with something else)



2.2 Create Directory Structure


I like to keep everything under /usr/local/ so mine is as follows:

/usr/local/
+-- named
    +-- dev
    +-- etc
    |   +-- namedb
    |       +-- slave
    +-- var
        +-- run


Note: other directories (sbin, lib, include, man) will be created by configure/make install.


Solaris

mkdir -p /usr/local/named

cd /usr/local/named

mkdir -p dev opt usr var etc

mkdir -p etc/namedb/slave var/run var/log var/named usr/local usr/lib

mkdir -p usr/share/lib/zoneinfo

(The brace form mkdir -p var/{run,log,named} only works in a shell with brace expansion such as ksh or bash, not in Solaris /bin/sh; the expanded form above works everywhere. etc/namedb/slave is created here because named.conf below points at /etc/namedb.)


2.3 Configure/Make/Install bind


Since we have not installed BIND into our new directory structure yet, let's do it now.


Solaris

gzip -d bind-9.x.x.tar.gz

tar -xvf bind-9.x.x.tar

cd bind-9.x.x



I configured with threads (--enable-threads); if you want them, go for it, if not, leave the option out.



Solaris

./configure --prefix=/usr/local/named/ --enable-threads

make install



Now you should see new directories under /usr/local/named



2.4 Bind Data Files


If you already had BIND installed and set up, copy the data files from your current install to the new install path.
If you did not have BIND installed before, make install has just put some new files into /etc.
We need to move those files from /etc into our new BIND home directory.
Then set ownership so that the named user can read the configuration but only write where it has to.


Solaris

cp -p /etc/named.conf /usr/local/named/etc/

cp -pr /var/named/* /usr/local/named/etc/namedb/

chmod 770 /usr/local/named

cd /usr/local/named

chown -R root:named etc

chown root:named var/run

chown named:named etc/namedb/slave

(Solaris cp has no -a; -pr is the equivalent. root:named with no group write is the right shape: named reads its configuration but cannot rewrite it. Section 2.5.1 opens up var/run and var/log; the slave-zone directory is the only part of etc that named needs to write, hence the last chown.)







2.5 System support files

For BIND to work we need certain system files. Start with the shared libraries named is linked against:

Solaris

cp -p /usr/lib/libnsl.so.1 /usr/lib/libsocket.so.1 /usr/lib/libc.so.1 \
      /usr/lib/libdl.so.1 /usr/lib/libmp.so.2 /usr/local/named/usr/lib

Use ldd on the binary to find any others that might be missing:

ldd /usr/local/named/sbin/named

I also needed these (the runtime linker, and the "files" name-service backend that getpwnam uses to look up the named user):

cp -p /usr/lib/ld.so.1 /usr/lib/nss_files.so.1 /usr/local/named/usr/lib


You will need files from /etc as well

Solaris

cp -p /etc/syslog.conf /etc/netconfig /etc/nsswitch.conf /etc/resolv.conf /etc/TIMEZONE /usr/local/named/etc

cp /etc/passwd /usr/local/named/etc/ (then remove every line except the named user)

cp /etc/group /usr/local/named/etc/ (remove every group except named)

cp /etc/shadow /usr/local/named/etc/ (remove every line except named, again!)

(named only needs to resolve its -u user, which getpwnam does from passwd through nss_files; it does not read password hashes. If you copy shadow at all, make sure the file that ends up in the jail carries no hash for any account, since anything inside the jail is readable by a compromised named.)




We also need some time zone data (MET is my zone; copy whichever one /etc/TIMEZONE names):

mkdir -p /usr/local/named/usr/share/lib/zoneinfo
cp -p /usr/share/lib/zoneinfo/MET /usr/local/named/usr/share/lib/zoneinfo/MET



And devices! The major and minor numbers below are from my Solaris 8 system; confirm them on yours first, since a node with the wrong numbers points at a different driver:

ls -lL /dev/tcp /dev/udp /dev/log /dev/null /dev/zero /dev/conslog /dev/syscon

cd /usr/local/named/dev

mknod tcp c 11 42

mknod udp c 11 41

mknod log c 21 5

mknod null c 13 2

mknod zero c 13 12

chgrp sys null zero

mknod conslog c 21 0

chgrp sys conslog

mknod syscon c 0 0

chgrp tty syscon

chmod 620 syscon
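The device step above typed in every major/minor by hand. The following script, added here as an example and not part of the original HOWTO, reads the "ls -lL" listing of the real nodes instead and emits the mknod, chown and chmod commands that reproduce them under the jail's dev directory, so the numbers always match the running system. The names mkdevs.sh and mknod_cmds are the editor's own; it assumes the column layout Solaris ls prints for devices ("major, minor" where a regular file shows its size) and deliberately drops any setuid/setgid/sticky bits, since a device node in the jail should never carry them.

```sh
#!/bin/sh
# mkdevs.sh - recreate the host's device nodes inside the BIND jail with
# the major/minor numbers taken from the live system rather than typed in.
# Added example, not part of the original HOWTO; names are the editor's own.
JAIL=${JAIL:-/usr/local/named}

# Read "ls -lL" lines for device nodes on stdin, e.g.
#   crw-rw-rw-   1 root     sys       11, 42 Aug 25 12:00 /dev/tcp
# and print the mknod/chown/chmod commands that reproduce each node
# under $JAIL/dev.  Only block and character devices are handled; any
# other line (regular file, directory) is ignored, so a typo in the
# ls arguments cannot turn into a bogus node.
mknod_cmds() {
    awk -v jail="$JAIL" '
    $1 ~ /^[bc]/ {
        type = substr($1, 1, 1)
        mode = 0
        for (i = 0; i < 3; i++) {        # owner, group, other triplets
            p = substr($1, 2 + i * 3, 3)
            bits = 0
            if (substr(p, 1, 1) == "r") bits += 4
            if (substr(p, 2, 1) == "w") bits += 2
            if (substr(p, 3, 1) ~ /[xst]/) bits += 1
            mode = mode * 8 + bits       # setuid/setgid/sticky dropped on purpose
        }
        # "11, 42" (Solaris) or "11,42" (no space after the comma)
        if ($5 ~ /,$/) { major = $5; sub(/,$/, "", major); minor = $6 }
        else { split($5, mm, ","); major = mm[1]; minor = mm[2] }
        name = $NF; sub(/^.*\//, "", name)
        dest = jail "/dev/" name
        printf "mknod %s %s %s %s\n", dest, type, major, minor
        printf "chown %s:%s %s\n", $3, $4, dest
        printf "chmod %03o %s\n", mode, dest
    }'
}

# Usage (as root):
#   sh mkdevs.sh /dev/tcp /dev/udp /dev/log /dev/null /dev/zero \
#                /dev/conslog /dev/syscon | sh
# Review the printed commands before piping them into sh.
if [ $# -gt 0 ]; then
    ls -lL "$@" | mknod_cmds
fi
```

Running it without the final "| sh" first and reading the output is the point: the listing shows you which driver each node will be bound to before anything is created inside the jail.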





2.5.1 System support files security


cd /usr/local/named

chown -R root:named opt var

chmod -R g-w var

chmod -R -w opt usr

chmod -R o-rx .

chmod g+w var/run var/log

touch var/log/all.log var/run/named.pid

chown named:named var/log/all.log var/run/named.pid

find . -type f -exec chmod ug-s {} \;

Then check that nothing in the jail is setuid or setgid any more. This must print nothing:

find . -type f \( -perm -4000 -o -perm -2000 \) -print




2.6 Syslog Modification


Inside the jail named logs through the /dev/conslog and /dev/log nodes created in 2.5, which carry the same major/minor numbers as the system's own, so syslogd itself needs no change. Check /etc/syslog.conf to make sure daemon.* messages are going somewhere you actually read.


3. Bind Data File Changes

3.1 named.conf


We need to edit a few lines in our named.conf file. I keep mine in /usr/local/named/etc/namedb; some people like to keep it in

/usr/local/named/etc. It's up to you. Remember that named runs with /usr/local/named as its root, so every path in named.conf is written relative to the jail, not to the real filesystem.


Add or modify the following in the options block:

Solaris

directory "/etc/namedb";

pid-file "/var/run/named.pid";

statistics-file "/var/run/named.stats";

4. Startup


4.1 Init startup script


I like to put this script into /etc/init.d/ as named.sh and then symlink it into /etc/rc2.d.
That way it will stop and start on boot. You can do it from wherever you like to start your daemons.



#!/bin/sh
# /etc/init.d/named.sh - start, reconfigure and stop the chrooted named.
# Solaris ships chroot as /usr/sbin/chroot; the original pointed at
# /usr/local/bin/chroot, which only exists if you installed one.
JAIL=/usr/local/named
PIDFILE=$JAIL/var/run/named.pid
CHROOT=/usr/sbin/chroot

# Determine the process ids of the daemons and no other processes
pids=`/bin/ps -ef | /bin/grep named | /bin/egrep -v "grep|$$|start|stop" | /bin/awk '{printf "%d ", $2}'`

case $1 in
'start')
	if [ "$pids" = '' ] ; then
		$CHROOT $JAIL /sbin/named -u named -c /etc/namedb/named.conf
	else
		echo '' 1>&2
		echo 'WARNING: /etc/init.d/named.sh already running' 1>&2
		echo '' 1>&2
	fi
	;;
'reconfigure')
	# SIGHUP makes named reload its configuration; the pid file lives
	# inside the jail, so read it from there.
	if [ "$pids" != '' ] ; then
		if [ -f $PIDFILE ] ; then
			/bin/kill -1 `/bin/cat $PIDFILE`
		else
			echo '' 1>&2
			echo 'ERROR: missing named pid file' 1>&2
			echo '' 1>&2
		fi
	else
		echo '' 1>&2
		echo 'ERROR: named is not running' 1>&2
		echo '' 1>&2
	fi
	;;
'stop')
	if [ "$pids" != '' ] ; then
		/bin/kill $pids
	fi
	;;
*)
	echo '' 1>&2
	echo 'usage: /etc/init.d/named.sh {start|reconfigure|stop}' 1>&2
	echo '' 1>&2
	;;
esac




4.2 Start Bind


/etc/init.d/named.sh start


4.3 Start Failed what should I do?


If this does not work, first look at permissions. su to the user you created and make sure that user can see and access everything. I had my named directory 700 root:wheel, which prevented me from starting at first. A quick fix is to chown -R named:named /usr/local/named, then change back to root the files you think don't need that ownership (treat that as a diagnostic only; section 2.5.1 leaves named owning only what it must write). If that fails, run named under truss to see which file it is missing or where it is breaking. truss writes to stderr, so send it to a file rather than piping stdout to more:



truss -f -o /tmp/named.truss /usr/sbin/chroot /usr/local/named /sbin/named -u named -c /etc/namedb/named.conf

egrep 'ENOENT|EACCES' /tmp/named.truss | more




