[Dshield] bind chroot 'script'

Johannes Ullrich jullrich at euclidian.com
Thu Nov 14 14:32:29 GMT 2002


ok. here is a little script to run 'named' in a chroot jail. I keep
this around for RedHat 7.3 machines, but it should work more or
less on most Linux machines.

The 'jail' will be in /var/named, as this is the place RedHat likes
to keep named related stuff.
 
don't take the term 'script' too literally. Execute one line at a time
and check for errors...

(as root):

cd /var/named
mkdir dev
mkdir etc
mkdir lib                       # holds the shared libraries copied below
mkdir -p var/log
chown named:named var/log
mkdir var/named
chown named:named var/named
mkdir var/run
chown named:named var/run


cd dev
mknod -m 666 null c 1 3
mknod -m 644 random c 1 8

cd ../lib
cp /lib/ld-linux.so.2 .
cp /lib/libc.so.6 .
( the exact libraries you need may vary. For a complete list, run
  'ldd /usr/sbin/named'. Some libraries may need to go into usr/lib,
   not lib )

move all files from /var/named (like named.root, named.local and such) to
/var/named/var/named

mv /etc/named.conf /var/named/etc/named.conf
also move any key files you may have in /etc

now, give it a try by starting named with
named -u named -t /var/named

if it fails, check /var/log/messages

next, change the startup config file /etc/sysconfig/named
add the line
ROOTDIR="/var/named"
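The same procedure, as an added example that is not part of the original post: a POSIX shell script that builds the jail layout above for any jail root and any binary, copies every shared library 'ldd' reports into the matching path under the jail (so libraries from /usr/lib or /lib64 land there, not in lib/), and checks the result before named is started with -t. The function names, and the assumptions that a glibc-style 'ldd' is available, that a 'named' user exists and that the device nodes are created as root, are mine; each step is skipped with a note when its assumption does not hold.

```sh
#!/bin/sh
# Added example, not the commands from the post: builds the jail layout the
# post describes for an arbitrary jail root and binary, copies the shared
# libraries 'ldd' reports, and checks the result before 'named -u named -t JAIL'.
# Assumptions: a glibc-style 'ldd' (skipped if absent), a 'named' user on the
# host (chown skipped if absent) and root for the device nodes (skipped if not).

# build_named_jail JAIL BINARY
build_named_jail() {
    jail=$1
    bin=$2

    # Directory layout from the post; lib/ is needed by the library copy below.
    for d in dev etc lib var/log var/named var/run; do
        mkdir -p "$jail/$d"
    done
    # named writes its log, slave zone files and pid file here, so these
    # (and only these) belong to the unprivileged named user.
    if id -u named >/dev/null 2>&1; then
        chown named:named "$jail/var/log" "$jail/var/named" "$jail/var/run"
    else
        echo "note: no 'named' user on this host, ownership left unchanged" >&2
    fi

    # Device nodes named needs inside the jail (major/minor as in the post).
    if [ "$(id -u)" -eq 0 ]; then
        [ -c "$jail/dev/null" ]   || mknod -m 666 "$jail/dev/null" c 1 3
        [ -c "$jail/dev/random" ] || mknod -m 644 "$jail/dev/random" c 1 8
    else
        echo "note: not root, skipping mknod for dev/null and dev/random" >&2
    fi

    # Shared libraries: keep each library's original path under the jail. The
    # dynamic loader path (/lib/ld-linux.so.2 on the post's systems) is
    # hard-coded in the binary, so it must sit at exactly that path.
    if command -v ldd >/dev/null 2>&1; then
        ldd "$bin" 2>/dev/null \
          | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' \
          | while read -r lib; do
                mkdir -p "$jail$(dirname "$lib")"
                cp -L "$lib" "$jail$lib" || echo "warning: could not copy $lib" >&2
            done
    else
        echo "note: ldd not found, copy the libraries by hand" >&2
    fi
}

# check_named_jail_layout JAIL: exit 0 if the directories and named.conf are in
# place and the 'directory' option in named.conf names a path that exists
# inside the jail (every path in named.conf is relative to the jail root once
# named runs with -t). Prints what is missing otherwise.
check_named_jail_layout() {
    jail=$1
    missing=0
    for d in dev etc lib var/log var/named var/run; do
        [ -d "$jail/$d" ] || { echo "missing directory: $jail/$d"; missing=$((missing + 1)); }
    done
    conf=$jail/etc/named.conf
    if [ -f "$conf" ]; then
        dir=$(sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
        if [ -n "$dir" ] && [ ! -d "$jail$dir" ]; then
            echo "named.conf directory \"$dir\" does not exist inside the jail ($jail$dir)"
            missing=$((missing + 1))
        fi
    else
        echo "missing: $conf"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# check_named_jail_devices JAIL: exit 0 if both device nodes exist as
# character devices (only satisfiable when the jail was built as root).
check_named_jail_devices() {
    [ -c "$1/dev/null" ] && [ -c "$1/dev/random" ]
}
```

Typical use is 'build_named_jail /var/named /usr/sbin/named', then moving named.conf and the zone files in as the post describes, then 'check_named_jail_layout /var/named && check_named_jail_devices /var/named' before the first 'named -u named -t /var/named'. The layout check catches the usual reason named starts and then fails: a 'directory' option in named.conf that was written for the host filesystem and does not exist once that path is taken relative to the jail.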

Further details, and a great secure template for named.conf, can be
found at http://www.cymru.com/Documents/secure-bind-template.html
It also includes a number of good links.
 


-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org