The following steps were used to create a chroot jail with BIND 9. These steps were used on a Solaris 8 system, although they may work on other UNIX platforms.
These instructions assume a working non-chrooted BIND installation with configuration file /etc/named.conf and zone files in /var/named.
1. Create named user and chroot jail.
groupadd -g 53 named
useradd -c "BIND DNS daemon" -d /home/named -g named -u 53 -s /bin/false named
mkdir -m 750 /home/named
cd /home/named
mkdir -p dev etc lib usr/sbin var/named var/run
mknod dev/null c 1 3
(Use the major and minor numbers that "ls -lL /dev/null" reports on the host: 1,3 is the Linux pair, while Solaris reports 13,2 for /dev/null. A wrong pair gives named a device that is not the null device.)
chown named:named /home/named
chown named:named /home/named/var/named
chown named:named /home/named/var/run
2. Move the BIND configuration file, root hints file, and localhost reverse zone file to the chroot jail.
mv /etc/named.conf /home/named/etc
mv /var/named/named.ca /home/named/var/named
mv /var/named/named.local /home/named/var/named
rmdir /var/named
3. Copy the time zone information into the chroot jail. Otherwise, once named has chrooted it can no longer find the zone file and will use GMT timestamps when sending messages to syslog. In this example, the time zone is WET.
mkdir -p /home/named/usr/share/lib/zoneinfo
cp -p /usr/share/lib/zoneinfo/WET /home/named/usr/share/lib/zoneinfo
4. Modify the BIND startup/shutdown script (/etc/init.d/named) to run named in the chrooted environment as the named user: -t gives the new root, -u the uid (53, the named user created in step 1) to drop to after the privileged start-up work.
#!/bin/sh
# Start BIND 9 in the chroot jail as uid 53 (named); stop it through rndc,
# which runs outside the jail.
case "$1" in
'start')
        /usr/local/sbin/named -u 53 -t /home/named
        ;;
'stop')
        /usr/local/sbin/rndc stop
        ;;
*)
        echo "usage: $0 {start|stop}"
        exit 1
        ;;
esac
5. Start BIND.
/etc/init.d/named start
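The five steps above, as an added example that is not part of the original post: a POSIX sh script that checks the finished jail against the layout those steps produce (directories, named.conf inside the jail, a real null device, daemon-owned zone and pid directories, a jail root that is not group- or world-writable) before the first start. It assumes the post's paths and names (/home/named, user and group named); the script itself, its check_jail and owner_of functions and the JAIL and NAMED_USER variables are this example's own, not part of BIND or the post.

```shell
#!/bin/sh
# Added example, not from the original post: post-install sanity check for the
# BIND 9 chroot jail built in steps 1-5. Defaults follow the post (/home/named,
# user "named"); pass another jail directory as $1 or set NAMED_USER.

JAIL="${1:-/home/named}"
NAMED_USER="${NAMED_USER:-named}"

# Owner of a path as reported by ls (works the same on Solaris and Linux).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_jail DIR: print one problem per line, return 1 if any were found.
check_jail() {
    jail="$1"
    problems=0

    # Directories named needs inside the jail (steps 1 and 3). The named
    # binary itself stays outside: it chroots after it has started.
    for d in dev etc var/named var/run usr/share/lib/zoneinfo; do
        if [ ! -d "$jail/$d" ]; then
            echo "missing directory: $jail/$d"
            problems=$((problems + 1))
        fi
    done

    # named -t reads /etc/named.conf relative to the new root (step 2).
    if [ ! -f "$jail/etc/named.conf" ]; then
        echo "missing $jail/etc/named.conf (move it into the jail)"
        problems=$((problems + 1))
    fi

    # dev/null must be a character device, not a plain file left by a typo
    # or a wrong major/minor pair.
    if [ ! -c "$jail/dev/null" ]; then
        echo "$jail/dev/null is not a character device (check the mknod numbers)"
        problems=$((problems + 1))
    fi

    # Only the zone and pid directories should belong to the daemon user.
    for d in var/named var/run; do
        if [ -d "$jail/$d" ] && [ "$(owner_of "$jail/$d")" != "$NAMED_USER" ]; then
            echo "$jail/$d is owned by $(owner_of "$jail/$d"), expected $NAMED_USER"
            problems=$((problems + 1))
        fi
    done

    # The jail root must not be group- or world-writable (step 1 uses 750).
    mode=$(ls -ld "$jail" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?)
            echo "$jail is group- or world-writable ($mode); use mode 750"
            problems=$((problems + 1)) ;;
    esac

    # A copy left outside the jail is never read by named -t but misleads
    # whoever edits it later; mention it without failing the check.
    if [ -f /etc/named.conf ] && [ "$jail" != "/" ]; then
        echo "note: /etc/named.conf outside the jail is ignored by named -t"
    fi

    [ "$problems" -eq 0 ]
}

if [ -d "$JAIL" ]; then
    check_jail "$JAIL" && echo "$JAIL: jail layout looks correct"
else
    echo "$JAIL does not exist; build the jail first or pass its path as \$1" >&2
fi
```

Run it as root after step 3 and before step 5; the exit status of check_jail is non-zero when anything is wrong, so it can gate the start. Two things it cannot see from the filesystem: rndc is not chrooted, so the "rndc stop" in the init script only works if the host's /etc/rndc.key or /etc/rndc.conf matches the controls and key statements in the jailed named.conf; and once named is up, "ps -u named" confirms the daemon really dropped to the named user.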
Monday, February 2, 2009
Jailing Bind 9 (chroot)