SV: Running Bind under User Bind
>> Your user bind would write a file in /var/run, but it's not allowed.
>
> I ran BIND this way, I seem to recall chown'ing that pid file once
> and never having a problem with it again for the lifetime of the box.
I hope I don't get heaps of flames for posting this micro-howto, but I hope
it helps.
< -- BEGIN -- >
# this is a micro-howto -- installing bind with chroot (Debian Potato)
# revision 2 - Mon, 8 Apr 2002 09:10:38 -0300
# Copyright (C) 2002 Pedro Zorzenon Neto <pzn at debian dot org>
#
# Permission is granted to copy, distribute and/or modify this document
# under the terms of the GNU Free Documentation License, Version 1.1
#
# You can find the license at http://www.fsf.org/licenses/fdl.html
#
# there is ABSOLUTELY NO WARRANTY about this document. I am not responsible
# for any damage it could lead to. Read it and use it at your own risk.
# This document was based on Chroot-BIND8 Howto by Scott Wunsch
# you can find it at http://www.linuxdoc.org/HOWTO/Chroot-BIND8-HOWTO.html
# software versions related to this document:
# cat /etc/debian_version -> 2.2
# chroot --version -> chroot (GNU sh-utils) 2.0
# named -v -> named 8.2.3-REL-NOESW Sat Jan 27 01:46:37 MST 2001
#
---------------------------------------------------------------------------
# install and configure bind as you would without chroot. I will assume from
# now on that you have a configured and working bind installation.
# it is a good idea to backup your bind configuration now.
# add the 'named' user that bind will run as
adduser --system --group --no-create-home named
# create the directory that bind will run chrooted.
# "/chroot/named" was used in this example
mkdir /chroot
mkdir /chroot/named
# now, create the directory structure that bind will use
cd /chroot/named
mkdir dev
mkdir etc
mkdir lib
mkdir usr
mkdir usr/sbin
mkdir var
mkdir var/run
mkdir var/cache
mkdir var/cache/bind
chown -R named.named var #bind needs permission to write to 'var'
# if your nameserver is "secondary" or "cache" for some domains, then
# give write permission to etc/bind/zone-files so it can write the
# transferred zones...
#
# chown named.named etc/bind/some-file
# chmod u+rw etc/bind/some-file
# create dev/null
# check the node numbers with the following command and use them below
# my system had the numbers 1 3 ...
# egrep 'makedev\ +null' /dev/MAKEDEV
mknod dev/null c 1 3
chmod ugo+rw dev/null #dev/null needs to be writeable
# copy time related files, so bind will know the timezone
cp /etc/localtime etc
#copy named entry in group file
egrep '^named:' /etc/group > etc/group
# enable bind logging in syslog
# edit /etc/init.d/sysklogd and find a line with SYSLOGD="", change it to
# SYSLOGD="-a /chroot/named/dev/log"
# restart syslogd
/etc/init.d/sysklogd restart
# check libraries used and copy to 'lib'
# check them with "ldd /usr/sbin/named" and "ldd /usr/sbin/named-xfer"
cp /lib/libc.so.6 lib
cp /lib/ld-linux.so.2 lib
#copy executables to 'usr/sbin'
cp /usr/sbin/named usr/sbin/
cp /usr/sbin/named-xfer usr/sbin
# move config files to chroot jail (you can use 'cp' instead of 'mv')
mv /etc/bind /chroot/named/etc/
# you can also create a link to the new place
ln -s /chroot/named/etc/bind /etc/bind
# stop bind
/etc/init.d/bind stop
# edit /etc/init.d/bind
# to the line:
# start-stop-daemon --start --quiet --exec /usr/sbin/named
# append the following:
# -- -u named -g named -t /chroot/named/
# to the line starting with: start-stop-daemon --stop
# change "/var/run/named.pid" to "/chroot/named/var/run/named.pid"
# now start bind chrooted
/etc/init.d/bind start
# view the log and check if it was started chrooted
grep "named" /var/log/syslog | tail -n 100 | less
# check if your bind is working and if it is... have fun :-)
# now, take a minute and write me an e-mail with your opinion
# about this document. :-)
# TODO/BUGS:
# - rewrite "restart/reload/force-reload" options in /etc/init.d/bind
< -- END -- >