Date:      Tue, 26 Oct 1999 05:35:13 -0400 (EDT)
From:      Kyle Amon <amonk@gnutec.com>
To:        crowland@psionic.com
Subject:   chroot'ing named
Message-ID:  <Pine.LNX.3.96.991026051904.19383B-200000@labyrinth.sec.gnutec.com>


[-- Attachment #1 --]
Craig,

Here is some more fodder for your 'Securing DNS' page.  Attached is a
small script that performs the major steps to chroot'ing named under
FreeBSD.  Assuming the user isn't completely ignorant on the matter, it
pretty much handles everything needed.  I wrote it recently when setting
up four new nameservers for an ISP and wanted them to all be consistently
secure.  Anyway it sure made my life easier. :-)  Pass it around as you
like.

Also, FYI, in Step 5, number 2) of your Securing DNS (OpenBSD/FreeBSD
Version) page, it says that as of BIND 8.2.x one no longer needs to edit
the ndc script.  While this is true, you might want to mention that in
order to have the new ndc binary work in a chrooted environment, one needs
to change the path to the ndc socket so that it points to the correct
location in the jail and recompile ndc or it still won't work.  This
script takes care of that as well.

One more thing.  This script presumes the use of (something like)

   dump-file "/var/tmp/named_dump.db";

in the global options section of named.conf in order to make the SIGFOOs
work as expected.

Later,

Kyle

Kyle Amon                     email: amonk@gnutec.com
                              url:   http://www.gnutec.com/~amonk
KeyID 1024/26DD13D9
Fingerprint = 7D 86 D1 AE 4B E9 91 6A  4B BC B5 B4 12 F0 D3 1A
  
"If it is true that users would rather spend money and get a product
with service, they will also be willing to buy the service having got
the product free. The service companies will compete in quality and
price; users will not be tied to any particular one. Meanwhile, those
of us who don't need the service should be able to use the program
without paying for the service." 
  
                              - Richard Stallman
                                The GNU Manifesto, 1985
  
   Petition to Microsoft Corporation for Open Source Consumer Windows!
        http://www.linuxresources.com/linuxreview/petition.html

[-- Attachment #2 --]
#!/bin/sh
#
# Kyle Amon
# GNUTEC Information Technology Solutions
# http://www.gnutec.com/
# amonk@gnutec.com
# 203-668-UNIX
#
# Automate the steps necessary to set up BIND in a chroot(2) jail on
# FreeBSD 3.3 systems.

#
# What the hell, a little sanity
#

if [ "`uname -sr`" != "FreeBSD 3.3-RELEASE" ] ; then
   echo "Whoa! This script was written for FreeBSD 3.3 and your system"
   echo "appears to be `uname -sr`.  Before running it, make sure"
   echo "it will behave as expected on your system or you may be sorry."
   echo "Just edit the script as needed.  Improve it if you like."
   exit 1
fi

#
# Make static binaries
#

cd /usr/ports/net/bind8 || exit 1
make install || exit 1
# Remove the dynamically linked objects so the rebuild below relinks them
rm work/src/bin/named/named
rm work/src/bin/named-xfer/named-xfer
rm work/src/bin/ndc/ndc
rm work/src/bin/ndc/ndc.o
# Link statically: no shared libraries are available inside the jail.
# Temp files stay in the port's work dir rather than under a fixed name
# in world-writable /tmp.
sed 's/CDEBUG=-O2/CDEBUG=-O2 -static/g' work/src/.settings > work/src/.settings.new
mv work/src/.settings.new work/src/.settings
# ndc runs outside the jail and talks to named over a unix socket, so it
# must be rebuilt with the socket path as seen from outside the jail
# (/etc/namedb/var/run/ndc) or it will not find named.
sed 's/\/var\/run\/ndc/\/etc\/namedb\/var\/run\/ndc/g' work/src/bin/ndc/pathnames.h > work/src/bin/ndc/pathnames.h.new
mv work/src/bin/ndc/pathnames.h.new work/src/bin/ndc/pathnames.h
cd work/src || exit 1
make || exit 1

#
# Create chroot jail
#

chmod 2750 /etc/namedb

mkdir -m 2750 /etc/namedb/dev
mkdir -m 2750 /etc/namedb/etc
mkdir -m 2750 -p /etc/namedb/usr/local/libexec
mkdir -m 2770 -p /etc/namedb/var/run
mkdir -m 2770 /etc/namedb/var/log
mkdir -m 2770 /etc/namedb/var/tmp
mkdir -m 2750 /etc/namedb/pz
mkdir -m 2770 /etc/namedb/sz
mkdir -m 2770 /etc/namedb/stubz

chmod 2750 /etc/namedb/usr
chmod 2750 /etc/namedb/usr/local
chmod 2750 /etc/namedb/var
chown -R root.bind /etc/namedb

#
# Copy statically linked binaries into chroot jail
#

cd /usr/ports/net/bind8 || exit 1
cp work/src/bin/named/named /etc/namedb
cp work/src/bin/named-xfer/named-xfer /etc/namedb/usr/local/libexec
cp work/src/bin/ndc/ndc /usr/local/sbin/ndc

#
# Copy/create remaining files necessary for the chroot jail
#

cp /etc/localtime /etc/namedb/etc
mknod /etc/namedb/dev/null c 2 2 ; chmod 666 /etc/namedb/dev/null

#
# Massage initialization files into shape
#

rc=/etc/rc.conf
echo "" >> $rc
echo "# -- generated with chroot-bind for FreeBSD  -- #" >> $rc
echo "# -- by Kyle Amon                            -- #" >> $rc
echo "# -- GNUTEC Information Technology Solutions -- #" >> $rc
echo "# -- http://www.gnutec.com/                  -- #" >> $rc
echo "# -- amonk@gnutec.com                        -- #" >> $rc
echo "# -- 203-668-UNIX                            -- #" >> $rc
echo 'named_enable="YES"' >> $rc 
echo 'named_program="/etc/namedb/named"' >> $rc
echo 'named_flags="-t /etc/namedb -u bind -g bind named.conf"' >> $rc
echo 'syslogd_flags="-ss -l /etc/namedb/dev/log"' >> $rc
echo "" >> $rc

#
# Disable original named
#

chmod 000 /usr/sbin/named
chmod 000 /usr/local/sbin/named
chmod 000 /usr/sbin/ndc
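A post-install check for the jail the script above lays out, added here as an example and not part of Kyle's mail or his script. It assumes the jail root and the rebuilt ndc binary are passed as its two arguments (check_jail, JAILROOT and NDC_BINARY are names chosen for this example), and confirms the directory modes, the copied static binaries, the /dev/null device and that ndc was rebuilt with the socket path inside the jail.

```sh
#!/bin/sh
# check_jail JAILROOT NDC_BINARY
# Post-install check for a named chroot laid out like the script above.
# Prints each problem it finds and returns the number of problems
# (0 means the jail looks right).
check_jail() {
    root=$1; ndc=$2; bad=0

    # Directory and mode, as created by the script; the setgid bit makes
    # files named writes (dumps, logs, secondaries) inherit group bind.
    for spec in ".:2750" "etc:2750" "dev:2750" "usr:2750" "usr/local:2750" \
                "usr/local/libexec:2750" "var:2750" "var/run:2770" \
                "var/log:2770" "var/tmp:2770" "pz:2750" "sz:2770" "stubz:2770"; do
        d=${spec%:*}; mode=${spec#*:}
        if [ ! -d "$root/$d" ]; then
            echo "missing directory $root/$d"; bad=$((bad + 1))
        elif [ -z "$(find "$root/$d" -prune -perm "$mode")" ]; then
            echo "$root/$d is not mode $mode"; bad=$((bad + 1))
        fi
    done

    # Static binaries and timezone data copied into the jail
    for f in named usr/local/libexec/named-xfer etc/localtime; do
        if [ ! -f "$root/$f" ]; then
            echo "missing file $root/$f"; bad=$((bad + 1))
        fi
    done

    # named needs a /dev/null inside the jail (mknod c 2 2 on FreeBSD)
    if [ ! -c "$root/dev/null" ]; then
        echo "$root/dev/null is not a character device"; bad=$((bad + 1))
    fi

    # ndc runs outside the jail, so it must have been rebuilt with the
    # socket path as seen from outside ($root/var/run/ndc); an unpatched
    # ndc still looks for /var/run/ndc and cannot reach named.
    if ! grep -qF "$root/var/run/ndc" "$ndc" 2>/dev/null; then
        echo "$ndc does not reference $root/var/run/ndc"; bad=$((bad + 1))
    fi
    return "$bad"
}

# On a system set up by the script: check_jail /etc/namedb /usr/local/sbin/ndc
```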
