Subject: proposals for running named in a non-root chroot cage
To: None <tech-security@netbsd.org>
From: Luke Mewburn <lukem@wasabisystems.com>
List: tech-security
Date: 03/09/2001 04:30:04
I've been investigating methods of changing the default startup
mechanism for named(8) to run as a non-root user inside a chroot
cage.

I've already created a named user and group in the default passwd
and group files, and an example chroot cage under /var/named.

There's a couple of different ways I've investigated for changing
the default setup to run as described above:

1. Change the following /etc/defaults/rc.conf entries to:
	syslogd_flags="-s -p /var/run/log -p /var/named/var/run/log"
	named_flags="-u named -g named -t /var/named /etc/namedb/named.conf"

    Pros:
	+ Less work

    Cons:
	- A user override in /etc/rc.conf of named_flags or
	  syslogd_flags loses the setup.

	- Assumes chroot cage is in /var/named

	- Needs a migration tool to setup or copy the following:
		/var/named/usr/libexec/named-xfer
		/var/named/dev/null

	- Startup script for named needs to ensure
		/var/run/named.pid symlink to /var/named/var/run/named.pid
		/var/run/ndc symlink to /var/named/var/run/ndc

	- Needs a migration of /etc/namedb/* to /var/named/etc/namedb/*


2. Change /etc/rc.d/syslogd and /etc/rc.d/named to run named in a
   chroot cage if $named_chrootdir != "", and add the following to
   /etc/defaults/rc.conf:
	named_chrootdir="/var/named"

    Pros:
	+ User overrides of named_flags and syslogd_flags in /etc/rc.conf
	  do not negate the behaviour

	+ Chroot cage location can be overridden (although the
	  /etc/mtree/NetBSD.dist may have to be updated)

	+ Ensures that named-xfer, dev/null, and the /var/run symlinks
	  are in place

    Cons:
	- Needs a migration of /etc/namedb/* to /var/named/etc/namedb/*

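As an added illustration of option 2 (this is example code, not part of the original post or of NetBSD's rc.d scripts), the helpers below build the named(8) and syslogd(8) flags from $named_chrootdir, populate the cage with the items listed above (named-xfer, dev/null, the /var/run symlinks) and report what is still missing. The variable names named_user, named_group, named_conf, named_xfer and named_hostrun are assumptions; named_hostrun stands in for the host's /var/run so the functions can be exercised unprivileged in a scratch directory. The mknod device numbers are NetBSD's for /dev/null.

```shell
#!/bin/sh
# Added example (not from the original post): rc.d-style helpers for
# proposal 2 -- derive flags from $named_chrootdir and prepare the cage.
# Assumed variables: named_user, named_group, named_conf, named_xfer,
# named_hostrun (host-side /var/run, overridable so this runs unprivileged).

named_user=${named_user:-named}
named_group=${named_group:-named}
named_conf=${named_conf:-/etc/namedb/named.conf}
named_xfer=${named_xfer:-/usr/libexec/named-xfer}
named_hostrun=${named_hostrun:-/var/run}

# Flags named(8) starts with.  An empty $named_chrootdir means no chroot,
# so a user's own named_flags override stays meaningful either way.
named_build_flags() {
	chrootdir=$1
	if [ -n "$chrootdir" ]; then
		echo "-u $named_user -g $named_group -t $chrootdir $named_conf"
	else
		echo "$named_conf"
	fi
}

# Chrooted named cannot reach /var/run/log, so syslogd(8) must also
# listen on a log socket inside the cage.
syslogd_build_flags() {
	chrootdir=$1
	if [ -n "$chrootdir" ]; then
		echo "-s -p /var/run/log -p $chrootdir/var/run/log"
	else
		echo "-s -p /var/run/log"
	fi
}

# Populate the cage: directory skeleton, named-xfer, dev/null and the
# host-side symlinks to the pid file and ndc socket.  Non-zero on failure.
named_cage_setup() {
	chrootdir=$1
	[ -n "$chrootdir" ] || return 0
	for d in etc/namedb var/run usr/libexec dev; do
		mkdir -p "$chrootdir/$d" || return 1
	done
	if [ -f "$named_xfer" ] && [ ! -f "$chrootdir/usr/libexec/named-xfer" ]; then
		cp -p "$named_xfer" "$chrootdir/usr/libexec/named-xfer" || return 1
	fi
	# mknod needs root (NetBSD /dev/null is c 2 2); without it the cage
	# stays incomplete and named_cage_check reports that below.
	[ -c "$chrootdir/dev/null" ] || mknod "$chrootdir/dev/null" c 2 2 2>/dev/null || true
	for f in named.pid ndc; do
		rm -f "$named_hostrun/$f"
		ln -s "$chrootdir/var/run/$f" "$named_hostrun/$f" || return 1
	done
}

# Pre-start check: one "missing:" line per absent item, returns 1 if any.
named_cage_check() {
	chrootdir=$1
	missing=0
	for item in etc/namedb usr/libexec/named-xfer; do
		[ -e "$chrootdir/$item" ] || { echo "missing: $chrootdir/$item"; missing=1; }
	done
	[ -c "$chrootdir/dev/null" ] || { echo "missing: $chrootdir/dev/null (char device)"; missing=1; }
	for f in named.pid ndc; do
		[ "$(readlink "$named_hostrun/$f" 2>/dev/null)" = "$chrootdir/var/run/$f" ] \
			|| { echo "missing: symlink $named_hostrun/$f"; missing=1; }
	done
	return $missing
}
```

In an /etc/rc.d/named built on rc.subr, named_cage_setup and named_cage_check would run from start_precmd and the result of named_build_flags would become command_args, so a named_flags override in /etc/rc.conf no longer has to carry the -u/-g/-t arguments itself.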

To me, it's obvious that option `2.' is the better one, if I can
cleanly lick the problem of migrating /etc/namedb to
${named_chrootdir}/etc/namedb.

Should we go `2.' and then:
	- change the build system to populate /var/named/ by default
	  (with named-xfer, the example etc/namedb, ...)
	- add a migration mechanism to /etc/rc.d/named which detects
	  if /etc/namedb isn't a symlink, and if it isn't, copies the
	  contents to /var/namedb and makes it a symlink. This could
	  be dangerous
	- alternatively, consider a manual migration tool/process.
?


-- 
Luke Mewburn  <lukem@wasabisystems.com>  http://www.wasabisystems.com
Luke Mewburn     <lukem@netbsd.org>      http://www.netbsd.org
Wasabi Systems - providing NetBSD sales, support and service.