
Re: Running Bind under User Bind



>> Your user bind would write a file in /var/run, but it's not allowed.
> 
> I ran BIND this way, I seem to recall chown'ing that pid file once
> and never having a problem with it again for the lifetime of the box.

I hope I don't get heaps of flames for posting this micro-howto, but I hope
it helps.

< -- BEGIN -- >

# this is a micro-howto -- installing bind with chroot (Debian Potato)

# revision 2 - Mon,  8 Apr 2002 09:10:38 -0300

# Copyright (C) 2002 Pedro Zorzenon Neto <pzn at debian dot org>
#
# Permission is granted to copy, distribute and/or modify this document
# under the terms of the GNU Free Documentation License, Version 1.1
#
# You can find the license at http://www.fsf.org/licenses/fdl.html
#
# there is ABSOLUTELY NO WARRANTY about this document. I am not responsible
# for any damage it could lead to. Read it and use it at your own risk.

# This document was based on Chroot-BIND8 Howto by Scott Wunsch
# you can find it at http://www.linuxdoc.org/HOWTO/Chroot-BIND8-HOWTO.html

# software versions related to this document:
#  cat /etc/debian_version  ->  2.2
#  chroot --version    ->  chroot (GNU sh-utils) 2.0
#  named -v            ->  named 8.2.3-REL-NOESW Sat Jan 27 01:46:37 MST 2001

# ---------------------------------------------------------------------------

# install and configure bind as you would without chroot. I will assume from
# now on that you have a configured and working bind installation.

# it is a good idea to backup your bind configuration now.

# add the 'named' user that bind will run as
adduser --system --group --no-create-home named

# create the directory that bind will run chrooted.
# "/chroot/named" was used in this example
mkdir /chroot
mkdir /chroot/named

# now, create the directory structure that bind will use
cd /chroot/named
mkdir dev
mkdir etc
mkdir lib
mkdir usr
mkdir usr/sbin
mkdir var
mkdir var/run
mkdir var/cache
mkdir var/cache/bind
chown -R named.named var    #bind needs permission to write to 'var'

# if your nameserver is "secondary" or "cache" for some domains, then
# give write permission to etc/bind/zone-files so it can write the
# transferred zones (paths are relative to /chroot/named, where you are now)...
#
# chown named.named etc/bind/some-file
# chmod u+rw etc/bind/some-file

# create dev/null
# check the node numbers with the following command and use them below
# my system had the numbers 1 3 ...
#    egrep 'makedev\ +null' /dev/MAKEDEV
mknod dev/null c 1 3
chmod ugo+rw dev/null   #dev/null needs to be writeable

# copy time related files, so bind will know the timezone
cp /etc/localtime etc

# copy named entry in group file
egrep '^named:' /etc/group > etc/group

# enable bind logging in syslog
# edit /etc/init.d/sysklogd and find a line with SYSLOGD="", change it to
# SYSLOGD="-a /chroot/named/dev/log"
# restart syslogd
/etc/init.d/sysklogd restart

# check libraries used and copy to 'lib'
# check them with "ldd /usr/sbin/named" and "ldd /usr/sbin/named-xfer"
cp /lib/libc.so.6 lib
cp /lib/ld-linux.so.2 lib

# copy executables to 'usr/sbin'
cp /usr/sbin/named usr/sbin/
cp /usr/sbin/named-xfer usr/sbin
# move config files to chroot jail (you can use 'cp' instead of 'mv')
mv /etc/bind /chroot/named/etc/
# you can also create a link to the new place
ln -s /chroot/named/etc/bind /etc/bind

# stop bind
/etc/init.d/bind stop

# edit /etc/init.d/bind
# to the line:
#   start-stop-daemon --start --quiet --exec /usr/sbin/named
# append the following:
#   -- -u named -g named -t /chroot/named/
# to the line starting with: start-stop-daemon --stop
# change "/var/run/named.pid" to "/chroot/named/var/run/named.pid"

# now start bind chrooted
/etc/init.d/bind start

# view the log and check if it was started chrooted
grep "named" /var/log/syslog | tail -n 100 | less

# check if your bind is working and if it is... have fun :-)

# now, take a minute and write me an e-mail with your opinion
# about this document. :-)

# TODO/BUGS:
# - rewrite "restart/reload/force-reload" options in /etc/init.d/bind


< -- END -- >
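As an added example (not part of the micro-howto above), here is a small POSIX sh helper that generalises the two hard-coded "cp /lib/..." lines: it parses the output of "ldd" for the binaries you put in the jail, copies every listed library to the same path under the jail root, and then checks that none is missing. The function names and the "ldd output on stdin" interface are my own assumptions.

```shell
#!/bin/sh
# Populate a chroot jail with the shared libraries a binary needs.
# usage:  ldd /usr/sbin/named /usr/sbin/named-xfer | jail_copy_libs /chroot/named
#         ldd /usr/sbin/named | jail_check_libs /chroot/named && echo "jail libs ok"

# ldd_paths: read ldd output on stdin, print the absolute library paths.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)", bare "/lib/ld-linux.so.2 (0x...)"
# and skips pseudo-libraries such as "linux-gate.so.1 => (0x...)" that have no file.
ldd_paths() {
    awk '
        /=>/          { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//    { print $1 }
    '
}

# jail_copy_libs JAIL: copy each library from stdin (ldd output) into JAIL,
# keeping its absolute path (so /lib/libc.so.6 becomes JAIL/lib/libc.so.6).
# Prints the destination path of every file copied; missing sources are reported.
jail_copy_libs() {
    jail=$1
    ldd_paths | while read -r lib; do
        [ -f "$lib" ] || { echo "missing on host: $lib" >&2; continue; }
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"          # -p keeps mode/owner of the original
        echo "$jail$lib"
    done
}

# jail_check_libs JAIL: exit 0 only if every library listed on stdin exists in JAIL.
# Run this after copying, and again after any libc upgrade on the host.
jail_check_libs() {
    rc=0
    for lib in $(ldd_paths); do
        [ -f "$1$lib" ] || { echo "not in jail: $lib" >&2; rc=1; }
    done
    return $rc
}
```

The check function is worth running from cron: after a host-side libc upgrade the copies inside the jail are stale, and named will keep running against the old, possibly vulnerable, library until you re-copy it.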



