[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: bind9-chroot (was: questions on ITP)



also sprach Marco d'Itri (on Sun, 23 Sep 2001 11:47:33AM +0200):
> There are no packaging changes needed.
> To chroot bind you just have to fix $OPTS in /etc/init.d/bind9 and
> create the two mount binds I described earlier.

marco is right, following his advice, i just chrooted my bind in the
most easiest fashion possible. i have always done it way too
complicated for i did not know about the mount --bind option. sure,
this only works with 2.4.x, but if any chroot changes to bind9 are
going public, then this will be bundled with a 2.4.x kernel-image,
right? will testing be 2.4.x?

i am going to summarize the steps i took to chroot bind9:

CHROOTDIR=/var/lib/bind
# here i have to say that init.d/bind9 lists /var/lib/named, but since
# Debian uses /etc/bind instead of the more common /etc/namedb, i
# suggest going all the way.

# also, init.d/bind9 suggests running as nobody. i find it better to
# have a dedicated user for reasons like protecting reading of
# rndc.conf and others.

# lastly, i suggest making a directory /var/log/bind to place all
# logfiles into, and amending named.conf

this is what debconf should do, if the users wants a chroot:

1) add a user "bind" with homedir $CHROOTDIR and /bin/false shell,
   member of group 'nogroup'

2) mkdir /var/log/bind
   chown -R bind.adm /var/log/bind
   chmod 2750 /var/log/bind

3) mkdir -p $CHROOTDIR/{var/{log/bind,run},etc/bind}
   chown -R bind.nogroup $CHROOTDIR
   chmod -R 2700 $CHROOTDIR

4) change $OPTS in init.d/bind9 to
     "-u bind -t $CHROOTDIR"

and this is what init.d/bind9 should do at every start, if chrooted

5) function bind_mount() {
     mount | grep -q $2 && return 1
     mount --bind $1 $2
     return $?
   }
   
   bind_mount /etc/bind $CHROOTDIR/etc/bind
   bind_mount /var/log/bind $CHROOTDIR/var/log/bind

and this is what init.d/bind9 should do at every stop, if chrooted

6) function bind_unmount() {
     echo "" > /dev/null
     while [ $? = 0 ]; do umount $1 &> /dev/null; done
   }
   
   bind_unmount $CHROOTDIR/etc/bind
   bind_unmount $CHROOTDIR/var/log/bind



now, thanks to marco's ingenious hint, you have a chrooted bind, which
won't interfere with tripwire, which does not store anything
changeable on /var/lib, which happily logs

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
-- 
#define emacs eight megabytes and constantly swapping.

Attachment: pgpKnCY5vwk2O.pgp
Description: PGP signature


Reply to: