BIND chroot jail on Solaris

Note: Although this document was originally written to create a BIND 8.2.3 chroot jail for Solaris 7, it may work with other versions of BIND and Solaris. I have personally used both BIND 8.2.3 and (after upgrading) BIND 9.2.2 on a Solaris 7 system using the chroot jail detailed below. 

Thanks to Sean Boran for his "Installing BIND v8 chroot'ed on Solaris 7." Much of the information on this page was obtained from his installation guide.

In this BIND chroot jail example, the named daemon is executed as the named user (UID 53, GID 53). The chroot jail is the /home/dns directory. This document assumes BIND is already installed with binaries in /usr/local, configuration files in /usr/local/etc, and DNS data in /var/dns.


Upgrading your BIND chroot jail

If you already have a BIND chroot jail configured and want to upgrade to a new version of BIND, run the following commands after make install. These steps assume you installed BIND into the standard /usr/local directory tree.

for i in `ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | awk '{print $3}'`
do
cp $i /home/dns/usr/lib
done

cd /home/dns/usr/local/sbin
(cd /usr/local/sbin; tar cf - dnskeygen named* irpd ndc) | tar xvf -

cd /home/dns/usr/local/bin
(cd /usr/local/bin; tar cf - dnsquery dig host nslookup nsupdate) | tar xvf -

Restart BIND to enable the new version.

Creating an initial BIND chroot jail

To create a BIND chroot jail from scratch, perform the following steps:

1. Create named user and chroot jail.

groupadd -g 53 named
useradd -c "BIND DNS daemon" -d /home/named -g named -u 53 -s /bin/false named

mkdir -m 750 /home/named
cd /home/named
mkdir -p dev opt usr var etc var/run var/log var/dns usr/local usr/lib usr/share/lib/zoneinfo
cp /etc/syslog.conf /etc/netconfig /etc/nsswitch.conf /etc/resolv.conf /etc/TIMEZONE etc


2. Copy libraries into chroot jail. Note: BIND 9.x has no named-xfer binary, so only named is inspected.

BIND 8.x:

for i in `ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | awk '{print $3}'`
do
cp $i /home/named/usr/lib
done

BIND 9.x:
for i in `ldd /usr/local/sbin/named | awk '{print $3}'`
do
cp $i /home/named/usr/lib
done

cp /usr/lib/ld.so.1 /home/named/usr/lib


3. Create device files in the chrooted environment.

cd /home/named/dev
mknod tcp c 11 42
mknod udp c 11 41
mknod log c 21 5
mknod null c 13 2
mknod zero c 13 12
chgrp sys null zero
mknod conslog c 21 0
mknod syscon c 0 0
chmod 620 syscon
chgrp tty syscon
chgrp sys conslog


4. Copy BIND to chroot jail and set appropriate permissions.

cd /home/named
mkdir -p usr/local/bin usr/local/lib usr/local/sbin usr/local/bind usr/local/etc
chmod 755 usr/local/bin usr/local/lib usr/local/sbin usr/local/bind usr/local/etc

cd /home/named/usr/local/sbin

BIND 8.x:
(cd /usr/local/sbin; tar cf - dnskeygen named* irpd ndc) | tar xvf -

BIND 9.x:
(cd /usr/local/sbin; tar cf - dnssec-keygen named* rndc rndc-confgen) | tar xvf -

cd /home/named/usr/local/bin

BIND 8.x:
(cd /usr/local/bin; tar cf - dnsquery dig host nslookup nsupdate) | tar xvf -

BIND 9.x:
(cd /usr/local/bin; tar cf - dig host nslookup nsupdate) | tar xvf -

cd /home/named/usr/local
cp /usr/local/etc/named.conf etc
(cd /usr/local; tar cf - bind) | tar xvf -
chown -R root:named *
chmod 775 etc

cd /home/named/var/
(cd /var/dns; tar cf - *) | tar xvf -

cd /home/named
chown -R root:named opt var
chmod -R g-w var
chmod -R o-rx .
chmod g+w var/run var/log
touch var/log/all.log var/run/named.pid
chown named:named var/log/all.log var/run/named.pid
find . -type f | xargs chmod ug-s


5. Start BIND.

BIND 8.x:
/usr/local/sbin/named -u 53 -g 53 -t /home/named

BIND 9.x:
/usr/local/sbin/named -u 53 -t /home/named

Make sure to modify your BIND startup/shutdown script to execute BIND as a non-privileged user within the chroot jail. Compare your copy to the following /etc/init.d/named script.

BIND 8.x:

#!/bin/sh
# /etc/init.d/named: run named as UID/GID 53 inside the /home/named jail.
# named writes its pid file relative to the jail, so seen from outside the
# chroot it is /home/named/var/run/named.pid (created in step 4).
PIDFILE=/home/named/var/run/named.pid

case "$1" in
'start' )
   /usr/local/sbin/named -u 53 -g 53 -t /home/named
   ;;
'stop' )
   # Kill by pid file rather than "ps -ef | grep named": that grep also matches
   # this script's own process and any other command line containing "named".
   [ -f "$PIDFILE" ] && kill `cat "$PIDFILE"` > /dev/null 2>&1
   ;;
*)
   echo "usage: $0 {start|stop}"
   ;;
esac

BIND 9.x:

#!/bin/sh
# /etc/init.d/named: run named as UID 53 inside the /home/named jail.
# named writes its pid file relative to the jail, so seen from outside the
# chroot it is /home/named/var/run/named.pid (created in step 4).
PIDFILE=/home/named/var/run/named.pid

case "$1" in
'start' )
   /usr/local/sbin/named -u 53 -t /home/named
   ;;
'stop' )
   # Kill by pid file rather than "ps -ef | grep named": that grep also matches
   # this script's own process and any other command line containing "named".
   [ -f "$PIDFILE" ] && kill `cat "$PIDFILE"` > /dev/null 2>&1
   ;;
*)
   echo "usage: $0 {start|stop}"
   ;;
esac
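As an added check (example code written for this page, not part of the original guide or of BIND), the following POSIX sh function audits a jail directory against the permission model set up in step 4: it reports any set-uid/set-gid file, anything still readable or executable by "other", and anything group-writable outside var/run and var/log, the only two places the named group should be able to write. It assumes the jail path is passed as its only argument and uses only find options available on older Solaris find (no -path).

```shell
#!/bin/sh
# audit_jail JAIL
# Reports entries in a BIND chroot jail that violate the step 4 permissions:
#   SETID   set-uid or set-gid file        (step 4: find . -type f | xargs chmod ug-s)
#   WORLD   readable/executable by other   (step 4: chmod -R o-rx .)
#   GROUPW  group-writable outside var/run and var/log, the only two
#           directories the named group (GID 53) is meant to write to
# Prints one "CLASS ./path" line per finding; the return value is the number
# of findings, so 0 means the jail matches the model.
# Usage: audit_jail /home/named
audit_jail() {
    jail=$1
    [ -d "$jail" ] || { echo "audit_jail: no such directory: $jail" >&2; return 255; }
    findings=$(
        cd "$jail" || exit 1
        # set-uid / set-gid bits on regular files
        find . -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/SETID /'
        # any read or execute permission for "other"
        find . \( -perm -0004 -o -perm -0001 \) -print | sed 's/^/WORLD /'
        # group write anywhere except ./var/run and ./var/log and their contents;
        # filtered with awk because old Solaris find lacks -path
        find . -perm -0020 -print |
            awk '$0 !~ /^\.\/var\/(run|log)(\/|$)/' | sed 's/^/GROUPW /'
    )
    if [ -z "$findings" ]; then
        echo "audit_jail: $jail matches the step 4 permission model"
        return 0
    fi
    printf '%s\n' "$findings"
    count=$(printf '%s\n' "$findings" | wc -l)
    [ "$count" -gt 254 ] && count=254   # shell return values stop at 255
    return $((count))
}
```

With the usual root umask of 022, the touch in step 4 creates var/run/named.pid and var/log/all.log mode 644 after chmod -R o-rx has already run, so those two files are reported as WORLD unless you chmod 640 them.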


Last modified: 03/17/2003