
Re: chroot bind9 Issue



Hi,

saravanan ganapathy wrote:
::   I am new to this list. I already posted my
:: issue in debian-user. But I didn't get any
:: help. So please help me.

	There are other lists than debian-security
and debian-user that can help you. I'm answering
the off-topic to give you some time until you find
a nice //support// list. :o)


:: I would like to configure bind9 with chroot on my
:: debian woody. I have referred to a lot of links and based
:: on that I have done the configuration. It works fine
:: except for some issues: when I stop bind9, I am getting
:: the following error

:: Stopping domain name service: namedrndc: neither
:: /etc/bind/rndc.conf nor /etc/bind/rndc.key was found

	The problem is related to the rndc.key. In your
case it cannot be found. :) The key is missing. So, you
have two options: copy the key from /etc/bind inside your
"chroot" or create a new key. Use rndc-confgen to generate
a new key (read the man page first).

	If you copy your key then change the owner of your
key to the same user that bind is using.


:: # addgroup named
:: # adduser --system --home /home/named --no-create-home
:: --ingroup named \
::            --disabled-password --disabled-login named

	Good. Non-privileged user, but I would recommend
that you set the home dir to the "named chroot jail".


:: # mkdir /var/named

	It is a good idea to use a subdir inside /var/named,
something like /var/named/cage/


:: # cd /var/named
:: # mkdir -p dev etc lib usr/sbin var/named var/run
::       var/cache/bind
:: # mv /etc/bind etc/
:: # mknod dev/null c 1 3
:: # mknod dev/random c 1 8
:: # chmod 666 dev/null dev/random
:: # chown -R named.named named

:: Edited /etc/init.d/sysklogd to include SYSLOGD="-a
:: /var/named/dev/log"

:: Edited /etc/init.d/bind9 to include OPTS="-u named -t
:: /var/named"

:: # /etc/init.d/sysklogd restart
:: # /etc/init.d/bind9 start

	I didn't see you create your new config files.
You should copy /etc/bind/* inside your chroot/etc/bind.
And I also didn't see you change directory permissions:
as bind is not running with user privileges, "he" must
have privs to write inside logs and 'run', and if it is a
slave also inside etc/bind.


:: bind is started well without any error. I have also
:: verified from the syslog file.

	Weird.


:: But while stopping, the 'rndc' still refers to the
:: non-chroot path (/etc/bind/named.conf).

:: If I do
::  # cp /var/named/etc/bind/rndc.key /etc/bind/rndc.key
:: Then the bind stops without any error.
:: Can you please help me to solve this problem?

	The key is missing, but when you use the -t and -u
options in the init.d script, it should be "chrooted"
and check only the chroot dir. Something is broken.
:) Good luck.


--
//////////
// Felipe Augusto van de Wiel (faw)
// felipe@cathedrallabs.org
// http://www.cathedrallabs.org
/////
// GUD-PR / DUG-PR || http://www.debian-pr.org
// GUD-BR / DUG-BR || http://www.debian-br.org
// Debian Project  || http://www.debian.org/
//////////
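The reply above boils down to a checklist for the jail: the rndc key has to exist inside the chroot, owned by the bind user and not world-readable, the daemon needs writable var/run and var/cache/bind, the device nodes must exist, and syslogd must expose a socket at <jail>/dev/log. The following POSIX shell function is an added example (not from the thread) that audits a jail against that checklist; the function name, the jail path and the bind user name are assumptions.

```shell
#!/bin/sh
# Audit a bind9 chroot jail layout (added example, not from the thread).
# Usage: check_bind_jail /var/named named
# Prints one line per finding and returns the number of findings (0 = clean).

owner_uid_of() { ls -ldn "$1" | awk '{print $3}'; }   # numeric owner, portable
mode_of()      { ls -ld "$1" | cut -c1-10; }          # e.g. -rw-r-----
problems=0
note() { echo "FINDING: $1"; problems=$((problems + 1)); }

check_bind_jail() {
    jail=$1; user=$2; problems=0
    # accept a user name or a numeric uid (hypothetical helper behaviour)
    uid=$(id -u "$user" 2>/dev/null || echo "$user")

    # rndc reads its key from the jail when named runs with -t, so it must be there
    key="$jail/etc/bind/rndc.key"
    if [ ! -f "$key" ]; then
        note "$key missing; rndc will report that neither rndc.conf nor rndc.key was found"
    else
        [ "$(owner_uid_of "$key")" = "$uid" ] || note "$key not owned by $user"
        case "$(mode_of "$key")" in
            ???????---) ;;   # no 'other' bits set: good
            *) note "$key is readable by others (use mode 0640 or tighter)" ;;
        esac
    fi

    # named writes its pid file and slave/cache data here, so $user needs ownership
    for d in var/run var/cache/bind; do
        if [ ! -d "$jail/$d" ]; then
            note "directory $jail/$d missing"
        elif [ "$(owner_uid_of "$jail/$d")" != "$uid" ]; then
            note "$jail/$d not owned by $user"
        fi
    done

    # device nodes created with mknod in the original setup
    for dev in null random; do
        [ -c "$jail/dev/$dev" ] || note "$jail/dev/$dev is not a character device"
    done

    # syslog socket only exists while syslogd runs with -a $jail/dev/log
    [ -S "$jail/dev/log" ] || note "$jail/dev/log socket absent (syslogd not started with -a $jail/dev/log?)"

    return $problems
}
```

Run it as root after building the jail; a non-zero exit code means at least one item of the checklist is unmet, and each finding names the item.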