On Sun, Oct 03, 2004 at 08:22:12PM +0100, Pigeon ([EMAIL PROTECTED]) wrote:
> On Sat, Oct 02, 2004 at 07:44:02PM -0700, Karsten M. Self wrote:
> > While I find chroot _installs_ of Debian, as a way of getting the distro
> > onto a computer, useful, I wouldn't run a production system as a whole
> > in chroot mode. Specific services (e.g.: bind), sure, but that's a
> > specialized subcase.
>
> I see this referred to a lot, and it puzzles me. Bind is a DNS server,
> right? Why is a DNS server such a security risk that it should be run
> in a chroot jail? Is bind - "the most widely used name server software
> on the Internet" - really that buggy? Or have I got the wrong end of
> the stick?
There's a long history of bugs and security compromises with BIND. It's a
service which accepts data from many different locations, and provides
data to many different locations. The data transmission is stateless
(UDP), which opens up a number of issues. Among them is that you can't
_effectively_ block queries by source because packets can spoof origin.

This is rather different from, say, email (SMTP), in which case the
connection is both stateful and (if following spec) requires a
request/response exchange. While source spoofing is theoretically
possible, actual instances of this seem to be pretty rare (possibly
speaking more to the ready access to pink-contract, compromised or open
proxy/relay systems).

There's also a whole class of errors associated with the fundamental issue
of trusting the data provided by DNS. Think about it: you've got a very
efficient, highly cooperative system, in which a query rarely if ever is
answered by an authoritative server, but instead comes from the cache of
some arbitrary intermediate server. And that's when things are working
well. Domain hijacks, spoofs, and just plain typosquatting are possible
(and occur with some frequency).

The reason for the chroot configuration, though, is a belt-and-suspenders
mentality. You've got a tool with a history of buffer overflows. Given
that it's still fundamentally vulnerable to these, even if the obvious
exploits are avoided and the system as a whole is rearchitected, BIND run
as a non-root user in a chroot jail provides limited system access should
a successful attack be made.

As for what 'sploits there are, Googling "bind vulnerability OR
vulnerabilities" should provide a good night's reading.

Peace.

--
Karsten M. Self <[EMAIL PROTECTED]>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   user-agent considered harmful.
   Encourage W3M standards: http://twiki.iwethey.org/Main/UserContentString
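The "non-root user in a chroot jail" setup Karsten describes, as an added example (not code from the thread or from the bind9 package): it builds the directory skeleton named needs inside a jail root, then shows the order in which a daemon must chroot and drop privileges so that a compromise of the process cannot walk back out. The directory list follows Debian's bind9 layout (/etc/bind, /var/cache/bind, /var/run/named) but is an assumption for illustration, as are the user and group names "bind". Only drop_privileges() needs root; everything else runs as an ordinary user.

```python
import os
import pwd
import grp

# Assumed jail layout, relative to the jail root. Mirrors where Debian's
# bind9 puts config, cache and pidfile; adjust to your named.conf.
JAIL_DIRS = ("etc/bind", "var/cache/bind", "var/run/named", "dev")


def build_jail(root, dirs=JAIL_DIRS, mode=0o755):
    """Create the jail directory skeleton and return the absolute paths.

    Device nodes (/dev/null, /dev/random) are not created here: mknod
    needs root, and the example is meant to run unprivileged.
    """
    created = []
    for rel in dirs:
        path = os.path.join(root, rel)
        os.makedirs(path, mode=mode, exist_ok=True)
        created.append(path)
    return created


def jail_is_complete(root, dirs=JAIL_DIRS):
    """True if every required directory exists under the jail root."""
    return all(os.path.isdir(os.path.join(root, rel)) for rel in dirs)


def drop_privileges(jail, user="bind", group="bind"):
    """chroot into `jail` and become an unprivileged user. Root only.

    Order matters:
      1. chroot while still root (chroot itself is a privileged call);
      2. chdir("/") so the cwd does not stay outside the new root,
         which is the classic way out of a chroot;
      3. drop supplementary groups, then gid, then uid, uid last.
    A root process inside a chroot can still escape (mknod, ptrace, a
    second chroot); dropping uid is what makes the jail bite.
    """
    if os.geteuid() != 0:
        raise PermissionError("drop_privileges must start as root")
    uid = pwd.getpwnam(user).pw_uid
    gid = grp.getgrnam(group).gr_gid
    os.chroot(jail)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    return (os.getuid(), os.getgid())


def privileges_dropped():
    """After drop_privileges(): confirm root cannot be regained."""
    if os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp(prefix="named-jail-")
    for p in build_jail(root):
        print("created", p)
    print("jail complete:", jail_is_complete(root))
    if os.geteuid() == 0:
        print("dropped to", drop_privileges(root))
        print("cannot regain root:", privileges_dropped())
```

Run it as a normal user to see the skeleton; run it as root only on a scratch box, since after drop_privileges() the process is stuck inside the temporary jail with nothing in it but the directories just created.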