Chroot


A further step in protecting our name server is running it in a chroot environment. To understand what that means, let’s look briefly at what a chroot environment is.
A chroot is an operation that changes the apparent root directory of the current process, so that the program can’t access files that reside outside the new root directory. Let’s see an example.
We log on to our server and create a new folder. Later, this folder will become the apparent root directory.
    [root@delphos ~]# mkdir -p /new/root
We can try to chroot the user session with the chroot command.
    [root@delphos ~]# chroot /new/root/
    chroot: failed to run command /bin/bash: No such file or directory
As we see, chroot needs to find /bin/bash inside the new root to start the user session there. So we create a bin subfolder and copy the bash file into it.
    [root@delphos ~]# mkdir /new/root/bin
    [root@delphos ~]# cp /bin/bash /new/root/bin/
However, we’re not done yet. If we try to run chroot again, we get the same error.
    [root@delphos ~]# chroot /new/root/
    chroot: failed to run command /bin/bash: No such file or directory
This is because the bash executable is dynamically linked and has to load a series of shared libraries, which don’t exist inside the new root yet. We can find out which libraries it needs with the ldd command. Note: the libraries will vary, depending on the exact version of the operating system.
    [root@delphos ~]# ldd /bin/bash
            linux-vdso.so.1 =>  (0x00007fffc57fe000)
            libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f76faeb3000)
            libdl.so.2 => /lib64/libdl.so.2 (0x00007f76facaf000)
            libc.so.6 => /lib64/libc.so.6 (0x00007f76fa8ed000)
            /lib64/ld-linux-x86-64.so.2 (0x00007f76fb0f1000)
So, we create a new subfolder and copy the required files.
    [root@delphos ~]# mkdir /new/root/lib64
    [root@delphos ~]# cp /lib64/libtinfo.so.5 /new/root/lib64/
    [root@delphos ~]# cp /lib64/libdl.so.2 /new/root/lib64/
    [root@delphos ~]# cp /lib64/libc.so.6 /new/root/lib64/
    [root@delphos ~]# cp /lib64/ld-linux-x86-64.so.2 /new/root/lib64/
Now we can execute chroot.
    [root@delphos ~]# chroot /new/root/
    bash-4.2#
If we type “pwd,” the system tells us that we are at the root directory, and we can’t reach any folder outside of the chroot environment, not even with “cd ..”.
    bash-4.2# pwd
    /
    bash-4.2# cd ..
    bash-4.2# pwd
    /
This is an extremely simple chroot environment meant only as a proof of concept. If we try, for example, to list the directory contents with the ls command, we’ll get an error, because we haven’t copied the ls file and the libraries it needs to run. A usable chroot would also need some other folders, such as a dev subfolder.
Once we’ve completed this little experiment, we leave the chroot environment and remove the folder we created.
    bash-4.2# exit
    exit
    [root@delphos ~]# rm -rf /new/root/
Because a chrooted service can’t access folders or files outside of its new root directory, running services this way is considered good practice. Thus, if the named service gets compromised, it will only be able to access the contents of its home directory.
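The manual steps above (find the libraries with ldd, create the matching subfolders, copy everything in) can be automated. The following POSIX shell script is an added example, not code from the original post: it parses ldd output to collect the absolute library paths, copies the binary and its libraries into the new root keeping the host layout, and reports anything still missing. The SAMPLE_LDD text is constructed from the /bin/bash output shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: automate "copy the binary plus
# every library ldd lists" for a minimal chroot. Function names are mine.

# Constructed sample of ldd output, modelled on the /bin/bash output above.
SAMPLE_LDD='        linux-vdso.so.1 =>  (0x00007fffc57fe000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f76faeb3000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f76facaf000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f76fa8ed000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f76fb0f1000)'

# Read ldd output on stdin and print one absolute library path per line.
# The vDSO line carries no path on disk, so it is skipped automatically.
lib_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Copy a binary and every library it links against into NEWROOT,
# keeping the same directory layout (/bin, /lib64, ...) as on the host.
# Usage: populate_chroot /new/root /bin/bash
populate_chroot() {
    newroot=$1
    bin=$2
    mkdir -p "$newroot$(dirname "$bin")"
    cp "$bin" "$newroot$bin"
    ldd "$bin" | lib_paths | while read -r lib; do
        mkdir -p "$newroot$(dirname "$lib")"
        # -L copies the real file behind a symlink, so nothing inside the
        # chroot points at a path that only exists outside it.
        cp -L "$lib" "$newroot$lib"
    done
}

# Print the libraries a binary needs that are still absent from NEWROOT.
# Empty output means "chroot NEWROOT BIN" has everything it needs to start.
missing_libs() {
    newroot=$1
    bin=$2
    ldd "$bin" | lib_paths | while read -r lib; do
        [ -e "$newroot$lib" ] || echo "$lib"
    done
}

# Dry run on the constructed sample: show which files would be copied.
printf '%s\n' "$SAMPLE_LDD" | lib_paths
```

Run populate_chroot as root with the real paths (for example `populate_chroot /new/root /bin/bash`), then `missing_libs /new/root /bin/bash` should print nothing before you try `chroot /new/root`. Note that ldd works by invoking the dynamic loader on the binary, so use it only on binaries you trust, such as the ones shipped by the distribution.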
If we want the named service to run in a chroot environment, we could build it manually, as we did in our “proof of concept.” Fortunately, there is a much easier way: we only need to install the bind-chroot package.
    [root@delphos ~]# yum install bind-chroot
Right after installing the package, we see that a new subfolder has been created below /var/named. This subfolder contains all the necessary files and folders for named to work properly.
    [root@delphos ~]# ls -l /var/named/chroot/
    total 0
    drwxr-x---. 2 root  named 41 Sep 26 12:02 dev
    drwxr-x---. 4 root  named 44 Sep 26 12:02 etc
    drwxr-x---. 3 root  named 18 Sep 26 12:02 run
    drwxrwx---. 3 named named 18 Sep 26 12:02 usr
    drwxr-x---. 5 root  named 48 Sep 26 12:02 var
Right after installing bind-chroot, the named service will already be running in a chroot environment in CentOS 6.
However, in CentOS 7, we still have to start this service.
    [root@delphos ~]# systemctl start named-chroot
We must make sure that the service starts automatically every time the system boots.
    [root@delphos ~]# systemctl enable named-chroot
    ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'
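Installing and enabling the unit is not the same as confirming that named is actually confined. The script below is an added example, not code from the original post: it checks the enable and active state of named-chroot, finds the main PID of the unit, and reads the process root from /proc/PID/root, which should resolve to /var/named/chroot on the CentOS 7 layout shown above. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the named-chroot
# service is enabled, running, and that the named process really sees
# /var/named/chroot as its root. Function names are mine.

CHROOT_DIR=/var/named/chroot

# Compare the root a process actually sees with the expected chroot directory.
# Both arguments are paths; a single trailing slash is ignored.
root_matches() {
    actual=${1%/}
    expected=${2%/}
    [ "$actual" = "$expected" ]
}

# Resolve the main PID of a systemd unit. "systemctl show -p MainPID" prints
# "MainPID=1234" and is available on the systemd shipped with CentOS 7.
unit_main_pid() {
    systemctl show -p MainPID "$1" | cut -d= -f2
}

# Report enable state, active state, and the process root of named-chroot.
# Returns 0 only when the unit has a running process confined to CHROOT_DIR.
check_named_chroot() {
    unit=named-chroot
    echo "enabled: $(systemctl is-enabled "$unit" 2>/dev/null)"
    echo "active:  $(systemctl is-active "$unit" 2>/dev/null)"
    pid=$(unit_main_pid "$unit")
    if [ -z "$pid" ] || [ "$pid" -eq 0 ]; then
        echo "named-chroot has no main process"
        return 1
    fi
    # /proc/PID/root is a symlink to the root directory that process sees;
    # for a chrooted named it points at the chroot, not at /.
    actual=$(readlink "/proc/$pid/root")
    echo "process root: $actual"
    root_matches "$actual" "$CHROOT_DIR"
}

# Only run the live check when invoked as root on a systemd host.
if [ "$(id -u)" -eq 0 ] && command -v systemctl >/dev/null 2>&1; then
    check_named_chroot || echo "WARNING: named is not running confined to $CHROOT_DIR"
fi
```

A process root of `/` here means named is running from the plain named unit rather than named-chroot, which is the situation the post warns about for CentOS 7, where the chrooted unit still has to be started and enabled explicitly.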