You are not logged in.

Pages: 1

#1 2003-08-17 19:02:57

Jagged
Member
From: Blacksburg, VA
Registered: 2003-07-18
Posts: 153

BIND in a chroot jail

I'm trying to got my bind daemon to run in a chroot jail, ive been looking at the init scipts but am a liitle clueless as to how to get the chroot on bootup for bind.

I'm also working on trying to create a different bind package that features the chroot jail.

Why bother with the chroot? It helps with securing the bind daemon, especially if a kernel has some additional chroot restrictions (wolk has this, any kernel with grsecurity has the options as well).

Here's what I've got in the PKGBUILD and install script thats pertinent... feel free to point out any errors. 

PKGBUILD
  #set up chroot jail
  mkdir -p $startdir/pkg/opt/chroot/named
  mkdir $startdir/pkg/opt/chroot/named/dev
  mkdir $startdir/pkg/opt/chroot/named/lib
  mkdir $startdir/pkg/opt/chroot/named/etc
  mkdir -p $startdir/pkg/opt/chroot/named/usr/sbin
  mkdir -p $startdir/pkg/opt/chroot/named/var/run
  mkdir $startdir/pkg/opt/chroot/named/var/named
  install -D -m755 ../named $startdir/etc/rc.d/named
  install -D -m644 ../named.conf $startdir/pkg/opt/chroot/named/etc/named.conf
  install -D -m644 ../127.0.0.zone $startdir/pkg/opt/chroot/named/var/named/127.
0.0.zone
  install -D -m644 ../localhost.zone $startdir/pkg/opt/chroot/named/var/named/lo
calhost.zone
  install -D -m644 ../root.hint $startdir/pkg/opt/chroot/named/var/named/root.hi
nt
  install -D -m644 ../named.logrotate $startdir/pkg/etc/logrotate.d/named
install
post_install() {
  mknod /opt/chroot/named/dev/null c 1 3
  chmod 666 /opt/chroot/named/dev/null
  cp /usr/sbin/named /opt/chroot/named/usr/sbin/
  cp /usr/sbin/named-xfer /opt/chroot/named/usr/sbin/
  chown -R named.named /opt/chroot/named/var/named/

  for i in `ldd /usr/sbin/named | awk {print $3}`;do cp $i /opt/chroot/named/li
b/;done

  cp /etc/localtime /opt/chroot/named/etc/
  cp /etc/nsswitch.conf /chroot/named/etc/

  echo "Please set +i on /opt/chroot/named/etc/nsswitch.conf and /opt/chroot/nam
ed/etc/named.conf"

  useradd -c DNS Server -u 53 -s /bin/false -r -d /chroot/named named 2>/dev/nul
l || :
}

Nkawtg...n!

Offline

#2 2003-08-19 17:17:29

Jagged
Member
From: Blacksburg, VA
Registered: 2003-07-18
Posts: 153

Re: BIND in a chroot jail

well i'll be damned... evidently i overlooked that sad

Nkawtg...n!

Offline

Pages: 1

Board footer

Powered by FluxBB