Fw: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Nov 13 12:15:25 GMT 2002


On Wed, Nov 13, 2002 at 10:56:42AM +0000, Lou Kamenov wrote:
> In some email I received from Lou Kamenov <lou.kamenov at aeye.net> on Wed,
> 13 Nov 2002 10:49:56 +0000 :
> 
> --everybody that uses bind with Round Robin should chroot it.
> ++everybody should chroot it.

Absolutely.  I found it was a lot easier to set up a chroot bind with
bind 9 --- since there's no separate named-xfer binary, you don't need
to muck about with generating static executables, and you can just
install the bind-9.2.1 port under the default /usr/local rather than
inside your chroot area.

There are quite a few tutorials about how to set up a chroot bind
around the net, but here in short is what I found necessary in order
to get a chroot'ed bind 9.2.1 working under /var/named:

    portinstall net/bind9

    echo 'named_enable="YES"' >> /etc/rc.conf
    echo 'named_program="/usr/local/sbin/named"' >> /etc/rc.conf
    echo 'named_flags="-c /etc/namedb/named.conf -u bind -t /var/named"' \
        >> /etc/rc.conf
    echo 'syslogd_flags="-ss -l /var/named/var/run/log"' >> /etc/rc.conf

    mkdir -p /var/named/{dev,etc/namedb,var/run}
    mkdir -p /var/named/etc/namedb/{p,s,dump}
    chown bind:bind /var/named/etc/namedb/{s,dump} /var/named/var/run
    cd /var/named/dev
    cp /dev/MAKEDEV .
    sh ./MAKEDEV std
    rm -rf fd console kmem mem io klog pci

    [ That should leave just null, random, stderr, stdin, stdout, tty,
      urandom and zero --- some of those are probably superfluous too ]

    cd /var/named/etc
    cp /etc/localtime localtime

    cd /var/named/etc/namedb
    cp /etc/namedb/named.{conf,root} .

    Copy zone files -- I use /var/named/etc/namedb/p for zones I'm the
    master (primary) of, and /var/named/etc/namedb/s for zones I
    secondary, and /var/named/etc/namedb/dump for cache dumps and
    statistics.  Don't forget the localhost stuff.  Edit named.conf
    accordingly --- since we're going to be running chroot'ed you want

    options {
        directory   "/etc/namedb";

        [...]
    };

And it's a good idea to run

    /usr/local/sbin/rndc-confgen > /usr/local/etc/rndc.conf

and edit the commented out stuff it generates at the end of that file
into named.conf.

Kill and restart syslogd with the new flags, then kill the old named
and fire up the new one:

    /usr/local/sbin/named -c /etc/namedb/named.conf -u bind -t /var/named

Check for errors in /var/log/messages. Fix.  Restart. etc.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
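Added here as an example, not part of Matthew's message: a POSIX sh function that checks a chroot built along the lines above. It assumes the chroot root and the unprivileged user are passed as arguments, that the only entries allowed under dev/ are the ones listed in the message plus the leftover MAKEDEV copy, and that named.conf uses the in-chroot directory path.

```shell
#!/bin/sh
# check_named_chroot ROOT OWNER
# Sanity-checks a BIND chroot laid out as in the message above.
# Assumptions (not from the original post): ROOT is the chroot directory
# (e.g. /var/named), OWNER is the user named runs as (e.g. bind), and
# the only entries allowed under ROOT/dev are the ones the post lists
# plus the MAKEDEV copy left behind.  Returns 0 if every check passes.
check_named_chroot() {
    root=$1; owner=$2; fail=0

    # Directory layout from the post: p (primary), s (secondary), dump, var/run
    for d in dev etc/namedb/p etc/namedb/s etc/namedb/dump var/run; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; fail=1; }
    done

    # Files named must find inside the chroot, not in the host /etc
    for f in etc/localtime etc/namedb/named.conf etc/namedb/named.root; do
        [ -f "$root/$f" ] || { echo "missing file: $root/$f"; fail=1; }
    done

    # Directories named writes to must belong to the unprivileged user
    for d in etc/namedb/s etc/namedb/dump var/run; do
        [ -d "$root/$d" ] && [ -n "$(find "$root/$d" -prune ! -user "$owner" -print)" ] \
            && { echo "not owned by $owner: $root/$d"; fail=1; }
    done

    # Minimal device set: what MAKEDEV std leaves after the rm in the post
    for dev in null random urandom zero; do
        [ -e "$root/dev/$dev" ] || { echo "missing device: $root/dev/$dev"; fail=1; }
    done
    for entry in "$root"/dev/*; do
        case ${entry##*/} in
            null|random|urandom|zero|stdin|stdout|stderr|tty|MAKEDEV) ;;
            *) echo "unexpected entry in chroot dev: $entry"; fail=1 ;;
        esac
    done

    # Nothing setuid should live inside the jail
    setuid=$(find "$root" -type f -perm -4000 -print)
    [ -z "$setuid" ] || { echo "setuid files inside chroot: $setuid"; fail=1; }

    # named.conf must use the path as seen from inside the chroot
    if [ -f "$root/etc/namedb/named.conf" ] && \
       ! grep -Eq '^[[:space:]]*directory[[:space:]]+"/etc/namedb"' "$root/etc/namedb/named.conf"; then
        echo "named.conf: directory option should be \"/etc/namedb\""; fail=1
    fi
    return $fail
}
```

Run it as `check_named_chroot /var/named bind` after the steps above; any line of output names something to fix before starting named.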



