What is the use of having a chroot path during installation of Bind

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

What is the use of having a chroot path during installation of Bind

Harshith Mulky

Hello,


When installing bind, the following 2 are installed


bind-9.8.2-0.17.rc1.el6.x86_64
bind-chroot-9.8.2-0.17.rc1.el6.x86_64


What is the need of this bind-chroot?



I see all files in /var/named path are softlinks to /var/named/chroot/var/named


and


/etc/named.conf is softlink to /var/named/chroot/etc/named.conf




What is this chroot binding? And why is this chroot Binding Required?



Can the named server function without this chroot Binding?



Thanks

Harshith


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: What is the use of having a chroot path during installation of Bind

Mike Hoskins (michoski)
Yes you can run without the chroot.  Years ago it was considered best practice to chroot and most power users would have said you were insane not to do so.  Now there are increasingly many who say it's not worth the effort (fairly easy to get around in many cases) -- do a bit of google engineering and you will see pros/cons.

If you are using packages from your distro (looks like it from the "el6" and ancient version) this will often just be pulled in by default.  If you build your own packages, use upstream repos, ISC packages or something like this:

http://www.five-ten-sg.com/mapper/bind

Then you can just install without the chroot.  Entirely up to you, BIND can work either way.  As I said, if you search a bit you'll find older "best practices" like these which suggest chroot (note the dates!):

https://www.cymru.com/Documents/secure-bind-template.html

https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-how-to-build-and-run-named-with-a-basic-recursive-configuration.html

Then increasing amounts of documentation saying it is largely irrelevant due to adding minimal value due to some known issues in the chroot mechanism itself, named -u, etc:

https://deepthought.isc.org/article/AA-00874/0

"""
If following the preceding advice (running BIND as an unprivileged user on a dedicated server) chrooting is "de-emphasized." Our operations experts feel that chrooting does not substantially improve security under those conditions and do not affirmatively recommend it, but they do not explicitly discourage it.
"""

From: <[hidden email]> on behalf of Harshith Mulky <[hidden email]>
Date: Thursday, January 14, 2016 at 1:46 AM
To: "[hidden email]" <[hidden email]>
Subject: What is the use of having a chroot path during installation of Bind

Hello,


When installing bind, the following 2 are installed


bind-9.8.2-0.17.rc1.el6.x86_64
bind-chroot-9.8.2-0.17.rc1.el6.x86_64


What is the need of this bind-chroot?



I see all files in /var/named path are softlinks to /var/named/chroot/var/named


and


/etc/named.conf is softlink to /var/named/chroot/etc/named.conf




What is this chroot binding? And why is this chroot Binding Required?



Can the named server function without this chroot Binding?



Thanks

Harshith


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: What is the use of having a chroot path during installation of Bind

John Miller
Thanks for the advice, Mike.  We chrooted our install because it was
"best practice" security-wise, but from an administration standpoint,
it's been a bit of a headache: for example, you have to keep straight
what goes in /etc and /var/named/chroot/etc, you end up setting a
$BIND_CHROOT environment variable for everyone to keep paths shorts at
the CLI, etc.

I'd recommend _not_ chrooting for internal-only servers: it hasn't
been worth the trouble for us.  For public-facing nameservers, I'd
consider a little more carefully, but with everything running on its
own VM these days, plus SELinux, containers, etc., there are tools out
there that provide at least the security of a chroot environment, and
almost certainly better.  The days of "hardware's expensive; let's run
everything on one box," where a chroot environment might have been
valuable, are _way_ behind us!

John

On Thu, Jan 14, 2016 at 10:42 AM, Mike Hoskins (michoski)
<[hidden email]> wrote:

> Yes you can run without the chroot.  Years ago it was considered best
> practice to chroot and most power users would have said you were insane not
> to do so.  Now there are increasingly many who say it's not worth the effort
> (fairly easy to get around in many cases) -- do a bit of google engineering
> and you will see pros/cons.
>
> If you are using packages from your distro (looks like it from the "el6" and
> ancient version) this will often just be pulled in by default.  If you build
> your own packages, use upstream repos, ISC packages or something like this:
>
> http://www.five-ten-sg.com/mapper/bind
>
> Then you can just install without the chroot.  Entirely up to you, BIND can
> work either way.  As I said, if you search a bit you'll find older "best
> practices" like these which suggest chroot (note the dates!):
>
> https://www.cymru.com/Documents/secure-bind-template.html
>
> https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-how-to-build-and-run-named-with-a-basic-recursive-configuration.html
>
> Then increasing amounts of documentation saying it is largely irrelevant due
> to adding minimal value due to some known issues in the chroot mechanism
> itself, named -u, etc:
>
> https://deepthought.isc.org/article/AA-00874/0
>
> """
> If following the preceding advice (running BIND as an unprivileged user on a
> dedicated server) chrooting is "de-emphasized." Our operations experts feel
> that chrooting does not substantially improve security under those
> conditions and do not affirmatively recommend it, but they do not explicitly
> discourage it.
> """
>
> From: <[hidden email]> on behalf of Harshith Mulky
> <[hidden email]>
> Date: Thursday, January 14, 2016 at 1:46 AM
> To: "[hidden email]" <[hidden email]>
> Subject: What is the use of having a chroot path during installation of Bind
>
> Hello,
>
>
> When installing bind, the following 2 are installed
>
>
> bind-9.8.2-0.17.rc1.el6.x86_64
> bind-chroot-9.8.2-0.17.rc1.el6.x86_64
>
>
> What is the need of this bind-chroot?
>
>
>
> I see all files in /var/named path are softlinks to
> /var/named/chroot/var/named
>
>
> and
>
>
> /etc/named.conf is softlink to /var/named/chroot/etc/named.conf
>
>
>
>
> What is this chroot binding? And why is this chroot Binding Required?
>
>
>
> Can the named server function without this chroot Binding?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: What is the use of having a chroot path during installation of Bind

Reindl Harald


Am 14.01.2016 um 21:48 schrieb John Miller:
> Thanks for the advice, Mike.  We chrooted our install because it was
> "best practice" security-wise, but from an administration standpoint,
> it's been a bit of a headache: for example, you have to keep straight
> what goes in /etc and /var/named/chroot/etc, you end up setting a
> $BIND_CHROOT environment variable for everyone to keep paths shorts at
> the CLI, etc.

no, you need to just put a symlink

how often do you *by hand* touch things?
normally anything is done with backends and scripts

so after once configured it don't matter if things are bekow
/var/named/chroot/ or on a higher directory - is it worth - well, the
question is "does it harm" and it don't after initial deployment when
done right

security is about layers


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

signature.asc (188 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: What is the use of having a chroot path during installation of Bind

John Miller
On Thu, Jan 14, 2016 at 4:01 PM, Reindl Harald <[hidden email]> wrote:

>
>
> Am 14.01.2016 um 21:48 schrieb John Miller:
>>
>> Thanks for the advice, Mike.  We chrooted our install because it was
>> "best practice" security-wise, but from an administration standpoint,
>> it's been a bit of a headache: for example, you have to keep straight
>> what goes in /etc and /var/named/chroot/etc, you end up setting a
>> $BIND_CHROOT environment variable for everyone to keep paths shorts at
>> the CLI, etc.
>
>
> no, you need to just put a symlink

Fair enough.

> how often do you *by hand* touch things?

Only when something's not working as expected, or when we want to
verify that configuration has changed.

> normally anything is done with backends and scripts

Yep - via Puppet and scripting for us, mostly.

> so after once configured it don't matter if things are bekow
> /var/named/chroot/ or on a higher directory - is it worth - well, the
> question is "does it harm" and it don't after initial deployment when done
> right

For the most part, I agree with you here.  That said, for someone with
very little BIND and Unix experience--say someone who primarily
manages Windows--to come in and understand a chrooted installation
isn't as easy as a non-chrooted install.  Granted, it's probably
easier than getting up to speed on SELinux, but you're still adding a
learning curve.

> security is about layers

Agreed as well - you need to keep up on patches, limit access, use
firewalls, set up secure zone transfers, rotate keys, use an
unprivileged user, architect your systems properly, etc.  I can also
see benefit in a chroot environment guarding against OS-level
attacks--key loggers, trojans, unauthorized daemons, shell
vulnerabilities, etc.: the attacker's damage is limited to BIND.
Likewise, if your server is in privileged network space, it may be
able to compromise other systems more easily.  Sounds like my original
reply was glib and misleading here.  I still think "what's the
tradeoff between ease of use and knowledge transfer" versus security
is worth discussion, however.

John
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: What is the use of having a chroot path during installation of Bind

Reindl Harald


Am 14.01.2016 um 22:37 schrieb John Miller:

> On Thu, Jan 14, 2016 at 4:01 PM, Reindl Harald <[hidden email]> wrote:
>> normally anything is done with backends and scripts
>
> Yep - via Puppet and scripting for us, mostly.
>
>> so after once configured it don't matter if things are bekow
>> /var/named/chroot/ or on a higher directory - is it worth - well, the
>> question is "does it harm" and it don't after initial deployment when done
>> right
>
> For the most part, I agree with you here.  That said, for someone with
> very little BIND and Unix experience--say someone who primarily
> manages Windows--to come in and understand a chrooted installation
> isn't as easy as a non-chrooted install
sorry, but someone with "very little BIND and Unix experience" should
not reach a level on a server where he recognizes a differene *until* he
has expierience

sacrifice any level of security just because someone may not understand
a proper setup is for sure not the way to go

in case of "all of your bind config is below /var/named/chroot/" it
should be enough told once to understand how to deal with it and if not
it's a good sign to remove acess for the person given that on
CentOS/RHEL/Fedora bind-chroot works out-of-the-box without any intervention


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

signature.asc (188 bytes) Download Attachment