2000-04-26 18:26:31 +00:00
<!doctype linuxdoc system>

<article>

<!-- Title information -->

<title>Chroot-BIND HOWTO
<author>Scott Wunsch, <tt>scott at wunsch.org</>
<date>v1.1, 24 June 2000
<abstract>
This document describes installing the BIND 8 nameserver to run in a chroot
jail and as a non-root user, to provide added security and minimise the
potential effects of a security compromise.
</abstract>

<!-- Table of contents -->
<toc>

<!-- Begin the document -->

<sect>Introduction

<p>
This is the Chroot-BIND HOWTO; see <ref id="where" name="Where?"> for the master
site, which contains the latest copy. It is assumed that you already know how
to configure and use BIND (the Berkeley Internet Name Domain). If not, I would
recommend that you read the DNS HOWTO first. It is also assumed that you have
a basic familiarity with compiling and installing software on your UNIX-like
system.

<sect1>What?

<p>
This document describes some extra security precautions that you can take when
you install BIND. It explains how to configure BIND so that it resides in a
``chroot jail'', meaning that it cannot see or access files outside its own
little directory tree. We shall also configure it to run as a non-root user.

The idea behind chroot is fairly simple. When you run BIND (or any other
process) in a chroot jail, the process is simply unable to see any part of the
filesystem outside the jail. For example, in this document, we'll set BIND up
to run chrooted to the directory <tt>/chroot/named</>. Well, to BIND, the
contents of this directory will appear to be <tt>/</>, the root directory.
Nothing outside this directory will be accessible to it. You've probably
encountered a chroot jail before, if you've ever ftped into a public system.

<sect1>Why?

<p>
The idea behind running BIND in a chroot jail is to limit the amount of access
any malicious individual could gain by exploiting vulnerabilities in BIND. It
is for the same reason that we run BIND as a non-root user.

This should be considered as a supplement to the normal security precautions
(running the latest version, using access control, etc.), not a replacement for
them.

If you're interested in DNS security, you might also be interested in a few
other products. Building BIND with <url
url="http://www.immunix.org/products.html#stackguard" name="StackGuard"> would
probably be a good idea for even more protection. Using it is easy; it's
just like using ordinary gcc. Also, <url
url="http://cr.yp.to/dnscache.html" name="DNScache"> is a secure replacement
for BIND, written by Dan Bernstein. Dan is the author of qmail, and DNScache
appears to follow a similar philosophy.

<sect1>Where?<label id="where">

<p>
The latest version of this document is always available from the web site of the
Linux/Open Source Users of Regina, Sask., at <url
url="http://www.losurs.org/docs/howto/Chroot-BIND.html">.

BIND is available from <url url="http://www.isc.org/" name="the Internet
Software Consortium"> at <url url="http://www.isc.org/bind.html">. As of this
writing, the current version of BIND is 8.2.2_P5.

<sect1>How?

<p>
I wrote this document based on my experiences in setting BIND up in a chroot
environment. In my case, I already had an existing BIND installation in the
form of a package that came with my Linux distribution. I'll assume that most
of you are probably in the same situation, and will simply be transferring over
and modifying the configuration files from your existing BIND installation, and
then removing the package before installing the new one. Don't remove the
package yet, though; we may want some files from it first.

If this is not the case for you, you should still be able to follow this
document. The only difference is that, where I refer to copying an existing
file, you first have to create it yourself. The DNS HOWTO may be helpful for
this.

<sect1>Disclaimer

<p>
These steps worked for me, on my system. Your mileage may vary. This is but
one way to approach this; there are other ways to set the same thing up
(although the general approach will be the same). It just happens that this
was the first way that I tried that worked, so I wrote it down.

My BIND experience to date has been installing on Linux servers. However, most
of the instructions in this document should be easily applicable to other
flavours of UNIX as well, and I shall try to point out differences of which I am
aware.

<sect>Preparing the Jail

<sect1>Creating a User

<p>
As mentioned in the introduction, it's not a good idea to run BIND as root. So,
before we begin, let's create a separate user for BIND. Note that you should
never use an existing user like <tt>nobody</> for this purpose.

This requires adding a line something like the following to <tt>/etc/passwd</>:
<tscreen><verb>
named:x:200:200:Nameserver:/chroot/named:/bin/false
</verb></tscreen>
And one like this to <tt>/etc/group</>:
<tscreen><verb>
named:x:200:
</verb></tscreen>
This creates a user and group called <tt>named</> for BIND. Make sure that the
UID and GID (both 200 in this example) are unique on your system. The shell is
set to <tt>/bin/false</> because this user will never need to log in.

<sect1>Directory Structure

<p>
Now, we must set up the directory structure that we will use for the chroot jail
in which BIND will live. This can be anywhere on your filesystem; the truly
paranoid may even want to put it on a separate volume. I shall assume that you
will use <tt>/chroot/named</>. Let's start by creating the following directory
structure:

<tscreen><verb>
/chroot
+-- named
    +-- bin
    +-- dev
    +-- etc
    |   +-- namedb
    +-- lib
    +-- var
        +-- run
</verb></tscreen>

<sect1>Placing the BIND Data

<p>
Assuming that you have already done a conventional installation of BIND and are
using it, you will already have an existing <tt>named.conf</> and zone files.
These files must now be moved (or copied, to be safe) into the chroot jail, so
that BIND can get at them. <tt>named.conf</> goes in <tt>/chroot/named/etc</>,
and the zone files can go in <tt>/chroot/named/etc/namedb</>. For example:
<tscreen><verb>
# cp -p /etc/named.conf /chroot/named/etc/
# cp -a /var/named/* /chroot/named/etc/namedb/
</verb></tscreen>

BIND will likely need to write to the <tt>namedb</> directory, and probably some
of the files in it. For example, if your DNS serves as a slave for a zone, it
will have to update that zone file. Also, BIND can dump statistical
information, and does so in this directory. For that reason, you should
probably make the <tt>named</> user the owner of this directory and its contents:
<tscreen><verb>
# chown -R named:named /chroot/named/etc/namedb
</verb></tscreen>
BIND will also need to write to the <tt>/var/run</> directory, to put its
pidfile and ndc socket there, so let's allow it to do so:
<tscreen><verb>
# chown named:named /chroot/named/var/run
</verb></tscreen>

<sect1>System Support Files

<p>
Once BIND is running in the chroot jail, it will not be able to access files
outside the jail <bf>at all</>. However, it needs to access a few key files, such
as the system's C library. Exactly what libraries are required will depend on
your flavour of UNIX. For most modern Linux systems, the following commands
will be sufficient to put the necessary libraries in place:
<tscreen><verb>
# cd /chroot/named/lib
# cp -p /lib/libc-2.*.so .
# ln -s libc-2.*.so libc.so.6
# cp -p /lib/ld-2.*.so .
# ln -s ld-2.*.so ld-linux.so.2
</verb></tscreen>
As an alternative, you could simply build statically-linked versions of the BIND
binaries to put in your chroot jail. You should also copy <tt>ldconfig</> into
the jail, and run it to create an <tt>etc/ld.so.conf</> for the jail environment.
The following commands could take care of this:
<tscreen><verb>
# cp /sbin/ldconfig /chroot/named/bin/
# chroot /chroot/named /bin/ldconfig -v
</verb></tscreen>

BIND needs one more system file in its jail: good ol' <tt>/dev/null</>. Again,
the exact command necessary to create this device node may vary from system to
system; check your <tt>/dev/MAKEDEV</> script to be sure. Some systems may also
require <tt>/dev/zero</>. For most Linux systems, we can use the following
command:
<tscreen><verb>
# mknod /chroot/named/dev/null c 1 3
</verb></tscreen>

Finally, you need a couple of extra files in the <tt>/etc</> directory inside the
jail. In particular, you must copy <tt>/etc/localtime</> (this is sometimes known
as <tt>/usr/lib/zoneinfo/localtime</> on some systems) in there so that BIND
logs things with the right time on them, and you must make a simple <tt/group/
file with the <tt/named/ group in it. The following two commands will take care
of this:
<tscreen><verb>
# cp /etc/localtime /chroot/named/etc/
# echo 'named:x:200:' > /chroot/named/etc/group
</verb></tscreen>

Keep in mind that the GID, 200 in this example, must match the one you defined
in the real <tt>/etc/group</> above.
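As a check after these steps (an example of my own, not part of the HOWTO), the following POSIX shell script audits a jail laid out as above: the directory tree, the binaries and support files, the <tt>/dev/null</> device and <tt>/dev/log</> socket, which directories the named user owns, and that the GID in the jail's group file matches the real one. It assumes the named account from this document, Linux library names, and takes the jail root plus the real passwd and group files as arguments.

```shell
#!/bin/sh
# audit_jail JAIL HOST_PASSWD HOST_GROUP
# Audits a BIND chroot jail laid out as in this HOWTO. Prints one FAIL line per
# finding and returns the number of findings (0 = clean). Example check written
# for this page; it is not part of the HOWTO or of BIND.

# field_of NAME FILE N: Nth colon-separated field of NAME's entry in a passwd/group file.
field_of() {
    [ -f "$2" ] || return 0
    awk -F: -v n="$1" -v f="$3" '$1 == n { print $f; exit }' "$2"
}

# uid_of PATH: numeric owner of PATH (third column of POSIX ls -n).
uid_of() { ls -ldn "$1" | awk '{ print $3 }'; }

# fail MESSAGE: record one finding.
fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

audit_jail() {
    jail=$1; pwfile=$2; grfile=$3; findings=0

    # The named account must exist and must not be able to log in.
    uid=$(field_of named "$pwfile" 3)
    gid=$(field_of named "$grfile" 3)
    [ -n "$uid" ] || fail "no 'named' user in $pwfile"
    [ -n "$gid" ] || fail "no 'named' group in $grfile"
    [ -z "$uid" ] || [ "$(field_of named "$pwfile" 7)" = /bin/false ] ||
        fail "named user has a login shell instead of /bin/false"

    # Directory layout from the "Directory Structure" section.
    for d in bin dev etc etc/namedb lib var var/run; do
        [ -d "$jail/$d" ] || fail "missing directory $d"
    done
    # Binaries, configuration and support files the daemon needs inside the jail.
    for f in bin/named bin/named-xfer etc/named.conf etc/localtime etc/group \
             lib/libc.so.6 lib/ld-linux.so.2; do
        [ -e "$jail/$f" ] || fail "missing file $f"
    done
    [ -c "$jail/dev/null" ] || fail "dev/null is not a character device"
    [ -S "$jail/dev/log" ] || fail "dev/log socket absent (is syslogd running with -a?)"

    # named may write to namedb (slave zones, dumps) and var/run (pidfile, ndc socket) ...
    for w in etc/namedb var/run; do
        if [ -d "$jail/$w" ] && [ "$(uid_of "$jail/$w")" != "$uid" ]; then
            fail "$w is not owned by the named user (uid ${uid:-?})"
        fi
    done
    # ... but must own nothing it executes or reads as configuration: otherwise a
    # compromised daemon could replace its own binary, libraries or named.conf.
    for r in bin bin/named bin/named-xfer lib lib/libc.so.6 etc etc/named.conf; do
        if [ -e "$jail/$r" ] && [ "$(uid_of "$jail/$r")" = "$uid" ]; then
            fail "$r is owned by the named user and could be replaced by a compromised daemon"
        fi
    done

    # The jail's own etc/group must carry the same GID as the real /etc/group.
    jgid=$(field_of named "$jail/etc/group" 3)
    [ "$jgid" = "$gid" ] ||
        fail "GID mismatch: jail group file has '${jgid:-none}', host has '${gid:-none}'"

    return "$findings"
}

# Typical use on the system this HOWTO describes (assumed paths):
#   audit_jail /chroot/named /etc/passwd /etc/group
```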

<sect1>Logging<label id="logging">

<p>
Unlike a conventional jailbird, BIND can't just scribble its log entries on the
walls :-). Normally, BIND logs through <tt/syslogd/, the system logging daemon.
However, this type of logging is performed by sending the log entries to the
special socket <tt>/dev/log</>. Since this is outside the jail, BIND can't use
it any more. Fortunately, there are a couple of options to work around this.

<sect2>The Ideal Solution

<p>
The ideal solution to this dilemma requires a reasonably recent version of
<tt/syslogd/ which supports the <tt/-a/ switch introduced by OpenBSD. Check the
manpage for your <tt/syslogd(8)/ to see if you have such a version.

If you do, all you have to do is add the switch ``<tt>-a
/chroot/named/dev/log</>'' to the command line when you launch <tt/syslogd/. On
systems which use a full SysV-init (which includes most Linux distributions),
this is typically done in the file <tt>/etc/rc.d/init.d/syslog</>. For example,
on my Red Hat Linux system, I changed the line
<tscreen><verb>
daemon syslogd -m 0
</verb></tscreen>
to
<tscreen><verb>
daemon syslogd -m 0 -a /chroot/named/dev/log
</verb></tscreen>
Then simply restart <tt/syslogd/, either by killing it and launching it again, or
by using the SysV-init script to do it for you:
<tscreen><verb>
# /etc/rc.d/init.d/syslog stop
# /etc/rc.d/init.d/syslog start
</verb></tscreen>

Once it's been restarted, you should see a ``file'' in <tt>/chroot/named/dev</>
called <tt/log/, that looks something like this:

<verb>srw-rw-rw- 1 root root 0 Mar 13 20:58 log</verb>

<sect2>The Other Solutions

<p>
If you have an older <tt/syslogd/, then you'll have to find another way to do
your logging. There are a couple of programs out there, such as <tt/holelogd/,
which are designed to help by acting as a ``proxy'' and accepting log entries
from the chrooted BIND and passing them out to the regular <tt>/dev/log</>
socket.

Alternatively, you can simply configure BIND to log to files instead of going
through syslog. See the BIND documentation for more details if you choose to go
this route.

<sect>Compiling BIND

<p>
You should be able to find the BIND source by visiting <url
url="http://www.isc.org/bind.html">. You need the <tt/bind-src.tar.gz/ package.
Be sure to get the latest version!

<sect1>Modifying Paths

<p>
Things can get a bit confusing at this point, because different parts of the
BIND package will be referring to the same directories by different names
(depending on whether or not they're running inside the jail). I'll try not to
confuse you <bf/too/ much :-).

The main directory that we have to worry about here is <tt>/var/run</>, because
its contents are required for both the main <tt/named/ daemon (inside the jail),
and the <tt/ndc/ utility (on the outside). We'll start by setting everything up
to find this directory from the outside world. To do this, we need to modify
<tt>src/port/linux/Makefile.set</> (substitute your port's directory if you're
not running Linux), and change the line
<tscreen><verb>
DESTRUN=/var/run
</verb></tscreen>
to
<tscreen><verb>
DESTRUN=/chroot/named/var/run
</verb></tscreen>
While you're in there, you may want to change the other destination paths from
<tt>/usr</> to <tt>/usr/local</>.

Now everything should be able to find that directory... except the <tt/named/
daemon itself, to which it's still just <tt>/var/run</> inside the jail. We can
get around this by making a small change in the <tt/named/ source. In the file
<tt>src/bin/named/named.h</>, find the line
<tscreen><verb>
#include "pathnames.h"
</verb></tscreen>
and add the following line immediately after it:
<tscreen><verb>
#define _PATH_NDCSOCK "/var/run/ndc"
</verb></tscreen>
This way, <tt/named/ will ignore our definition of <tt/DESTRUN/ over in
<tt/Makefile.set/ and use the correct location (from its perspective in the
chroot jail). You will notice some warnings about redefinitions of
_PATH_NDCSOCK when you do the build; just ignore them.
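The two edits above can be scripted so they are repeatable on a fresh source tree. This shell function is an example of my own, not from the HOWTO or from BIND; it assumes the <tt>src/port/&lt;port&gt;/Makefile.set</> and <tt>src/bin/named/named.h</> paths named above, defaults the port to <tt/linux/, and skips the <tt/#define/ when it is already present.

```shell
#!/bin/sh
# prepare_bind_paths SRC JAIL [PORT]
# Applies the two "Modifying Paths" edits to a BIND 8 src/ tree (example helper,
# not part of the HOWTO or of BIND). DESTRUN in port/PORT/Makefile.set points the
# outside-the-jail tools (make install, ndc) at JAIL/var/run, while named.h keeps
# named itself on the in-jail path /var/run/ndc. Safe to run more than once.
prepare_bind_paths() {
    src=$1; jail=$2; port=${3:-linux}
    mk="$src/port/$port/Makefile.set"
    hdr="$src/bin/named/named.h"
    if [ ! -f "$mk" ] || [ ! -f "$hdr" ]; then
        echo "prepare_bind_paths: $src does not look like a BIND 8 src/ tree" >&2
        return 1
    fi

    # 1. DESTRUN is the path seen from outside the jail.
    sed "s|^DESTRUN=.*|DESTRUN=$jail/var/run|" "$mk" > "$mk.tmp" && mv "$mk.tmp" "$mk"

    # 2. named runs inside the jail, so it must keep the unprefixed socket path.
    #    Insert the #define exactly once, directly after the pathnames.h include.
    if ! grep -q '^#define _PATH_NDCSOCK' "$hdr"; then
        awk '{ print }
             /^#include "pathnames.h"/ { print "#define _PATH_NDCSOCK \"/var/run/ndc\"" }' \
            "$hdr" > "$hdr.tmp" && mv "$hdr.tmp" "$hdr"
    fi
}

# destrun_of SRC [PORT]: the DESTRUN value now in Makefile.set (to verify the edit).
destrun_of() {
    sed -n 's/^DESTRUN=//p' "$1/port/${2:-linux}/Makefile.set"
}

# ndcsock_defines SRC: number of _PATH_NDCSOCK overrides in named.h (should be exactly 1).
ndcsock_defines() {
    grep -c '^#define _PATH_NDCSOCK' "$1/bin/named/named.h"
}

# Typical use from the unpacked bind-src tree (assumed path):
#   prepare_bind_paths ./src /chroot/named
```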

<sect1>Doing the Build

<p>
You should now be able to compile BIND as normal, following the instructions in
the <tt/INSTALL/ file. At this stage, we only want to compile BIND, not install
it. Don't go too far when following the <tt/INSTALL/ file. Essentially, it's
just <tt/make clean/, <tt/make depend/, and <tt/make/.

<sect>Installing Your Shiny New BIND

<p>
I should mention that if you have an existing installation of BIND, such as from
an RPM, you should probably remove it before installing the new one. On Red Hat
systems, this probably means removing the packages <tt/bind/ and
<tt/bind-utils/, and possibly <tt/bind-devel/ and <tt/caching-nameserver/, if
you have them.

You may want to save a copy of the init script (e.g.,
<tt>/etc/rc.d/init.d/named</>), if any, before doing so; it'll be useful later
on.

<sect1>Installing the Tools Outside the Jail

<p>
This is the easy part :-). Just run <tt/make install/ and let it take care of
it for you. You may want to <tt>chmod 000 /usr/local/sbin/named</> afterwards,
to make sure you don't accidentally run the non-chrooted copy of BIND. (This
is <tt>/usr/sbin/named</> if you didn't tell it to go in <tt>/usr/local/sbin</>
like I suggested.)

<sect1>Installing the Binaries in the Jail

<p>
Only two parts of the package have to live inside the chroot jail: the main
<tt/named/ daemon itself, and <tt/named-xfer/, which it uses for zone transfers.
You can simply copy them in from the source tree:
<tscreen><verb>
# cp src/bin/named/named /chroot/named/bin
# cp src/bin/named-xfer/named-xfer /chroot/named/bin
</verb></tscreen>

<sect1>Setting up the Init Script

<p>
If you have an existing init script from your distribution, it would probably be
best simply to modify it to run <tt>/chroot/named/bin/named</>, with the
appropriate switches. The switches are... <it/(drumroll please...)/
<itemize>
<item><tt/-u named/, which tells BIND to run as the user <tt/named/, rather than
<tt/root/.
<item><tt/-g named/, to run BIND under the group <tt/named/ too, rather than
<tt/root/ or <tt/wheel/.
<item><tt>-t /chroot/named</>, which tells BIND to chroot itself to the jail
that we've set up.
</itemize>

The following is the init script I use with my Red Hat 6.0 system. As you can
see, it is almost exactly the same as the way it shipped from Red Hat. I have
also modified the <tt>ndc restart</> command so that it restarts the server
properly, and keeps it chrooted. You should probably do the same in your init
script, even if you don't copy this one.
<tscreen><code>
#!/bin/sh
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# Both the chrooted daemon and its configuration must be present in the jail.
[ -f /chroot/named/bin/named ] || exit 0
[ -f /chroot/named/etc/named.conf ] || exit 0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting named: "
        # -u/-g drop to the named user and group; -t chroots into the jail.
        daemon /chroot/named/bin/named -u named -g named -t /chroot/named
        echo
        touch /var/lock/subsys/named
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
        rm -f /var/lock/subsys/named
        echo
        ;;
  status)
        /usr/local/sbin/ndc status
        exit $?
        ;;
  restart)
        # Hand ndc the same switches, so the restarted server is chrooted
        # and unprivileged just like the one started above.
        /usr/local/sbin/ndc -n /chroot/named/bin/named "restart -u named -g named -t /chroot/named"
        exit $?
        ;;
  reload)
        /usr/local/sbin/ndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/local/sbin/ndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload|probe}"
        exit 1
esac

exit 0
</code></tscreen>

<sect1>Configuration Changes

<p>
You will also have to add or change a few options in your <tt/named.conf/ to
keep the various directories straight. In particular, you should add (or
change, if you already have them) the following directives in the <tt/options/
section:
<tscreen><code>
directory "/etc/namedb";
pid-file "/var/run/named.pid";
named-xfer "/bin/named-xfer";
</code></tscreen>
Since this file is being read by the <tt/named/ daemon, all the paths are of
course relative to the chroot jail.

<sect>The End

<sect1>Launching BIND

<p>
Everything should be set up, and you should be ready to put your new, more
secure BIND into action. Assuming you set up a SysV-style init script, you can
simply launch it as:
<tscreen><verb>
# /etc/rc.d/init.d/named start
</verb></tscreen>
Make sure you kill any old versions of BIND still running before doing this.

If you take a look at your logs, you should find the initialisation messages
that BIND spits out when it loads. (If not, there's a problem with your <ref
id="logging" name="logging configuration"> that you need to fix.) Amongst those
messages, BIND should tell you that it chrooted successfully, and that it is
running as the user and group <tt/named/. If not, you have a problem.
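To confirm those two properties independently of what the log claims, here is a check of my own (not part of the HOWTO) that reads the daemon's root directory and credentials from Linux's <tt>/proc</>. It assumes the pidfile location configured in <tt/named.conf/ above and the 200/200 named account.

```shell
#!/bin/sh
# verify_named_process PID JAIL UID GID
# Confirms from /proc (Linux) that PID is really chrooted into JAIL and carries
# UID:GID in all four credential slots (real, effective, saved, filesystem), so a
# daemon that only changed its effective ID would still be reported.
# Example check, not part of the HOWTO. Returns 0 when everything matches.
verify_named_process() {
    pid=$1; jail=$2; want_uid=$3; want_gid=$4; bad=0
    if [ ! -d "/proc/$pid" ]; then
        echo "no such process: $pid"; return 1
    fi

    # /proc/PID/root is a symlink to the process's root directory as seen from outside.
    root=$(readlink "/proc/$pid/root") || root='(unreadable)'
    if [ "$root" != "$jail" ]; then
        echo "pid $pid root directory is '$root', expected '$jail'"; bad=1
    fi

    for pair in "Uid:$want_uid" "Gid:$want_gid"; do
        key=${pair%%:*}:; want=${pair#*:}
        # /proc/PID/status lines look like: "Uid:<tab>real<tab>effective<tab>saved<tab>fs"
        have=$(awk -v k="$key" '$1 == k { print $2, $3, $4, $5 }' "/proc/$pid/status")
        if [ "$have" != "$want $want $want $want" ]; then
            echo "pid $pid $key '$have', expected all four to be $want"; bad=1
        fi
    done
    return $bad
}

# named_pid_in JAIL: the pid named recorded via pid-file "/var/run/named.pid" inside the jail.
named_pid_in() { cat "$1/var/run/named.pid"; }

# Typical use on the system this HOWTO describes (assumed paths and IDs):
#   verify_named_process "$(named_pid_in /chroot/named)" /chroot/named 200 200
```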

<sect1>That's It!

<p>
You can go take a nap now ;-).

<sect>Appendix - Document Distribution Policy<label id="legal">

<p>
Copyright © Scott Wunsch, 2000. This document may be distributed only
subject to the terms set forth in the LDP licence at <url
url="http://metalab.unc.edu/LDP/COPYRIGHT.html">.

This HOWTO is free documentation; you can redistribute it and/or modify it under
the terms of the LDP licence. It is distributed in the hope that it will be
useful, but <bf/without any warranty/; without even the implied warranty of
merchantability or fitness for a particular purpose. See the LDP licence for
more details.

</article>