[Dshield] bind chroot 'script'

Andre Costa brblueser at uol.com.br
Fri Nov 15 02:18:50 GMT 2002


Hi Johannes,

thank you very much for this script; it will surely be helpful. After
reading your first message, I found out there is a "Chroot-BIND HOWTO",
which probably teaches how to get to this script.

Best,

Andre

On Thu, 14 Nov 2002 09:32:29 -0500
Johannes Ullrich <jullrich at euclidian.com> wrote:

> 
> OK, here is a little script to run 'named' in a chroot jail. I keep
> this around for RedHat 7.3 machines, but it should work more or
> less on most Linux machines.
> 
> The 'jail' will be in /var/named, as this is the place RedHat likes
> to keep named related stuff.
>  
> Don't take the term 'script' too literally. Execute one line at a time
> and check for errors...
> 
> (as root):
> 
> cd /var/named
> mkdir dev
> mkdir etc
> mkdir -p var/log
> chown named:named var/log
> mkdir var/named
> chown named:named var/named
> mkdir var/run
> chown named:named var/run
> 
> 
> cd dev
> mknod -m 666 null c 1 3
> mknod -m 644 random c 1 8
> 
> mkdir ../lib
> cd ../lib
> cp /lib/ld-linux.so.2 .
> cp /lib/libc.so.6 .
> ( the exact libraries you need may vary. For a complete list, run
>   'ldd /usr/sbin/named'. Some libraries may need to go into usr/lib,
>    not lib )
> 
> move all files from /var/named (like named.root, named.local and such)
> to /var/named/var/named
> 
> mv /etc/named.conf /var/named/etc/named.conf
> also move any key files you may have in /etc
> 
> now, give it a try by starting named with
> named -u named -t /var/named
> 
> if it fails check /var/log/messages
> 
> next, change the startup config file /etc/sysconfig/named
> add the line
> ROOTDIR="/var/named"
> 
> Further details, and a great secure template for named.conf can be
> found at http://www.cymru.com/Documents/secure-bind-template.html
> it also includes a number of good links.
>  
> 
> 
> -- 
> --------------------------------------------------------------------
> jullrich at euclidian.com             Collaborative Intrusion Detection
>                                          join http://www.dshield.org
> 


-- 
Andre Oliveira da Costa
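The procedure quoted above, scripted end to end, as an added example that is not part of the original post or of BIND's own tooling: it builds the same jail layout, but takes the library list from 'ldd' instead of copying two fixed files, creates the 'lib' directory before using it, and checks the result before you try 'named -t'. The jail root /var/named, the binary /usr/sbin/named and the user 'named' are assumptions carried over from the post; override them with the JAIL, NAMED_BIN and NAMED_USER environment variables. Run it as root with the argument 'build'; every function except make_devices and set_ownership is unprivileged and can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the original post): build and sanity-check a
# BIND chroot jail the way the quoted procedure does, but derive the
# library list from ldd instead of hardcoding ld-linux.so.2 and libc.so.6.
# Assumptions: jail root /var/named, binary /usr/sbin/named, user named.
set -eu

JAIL="${JAIL:-/var/named}"
NAMED_BIN="${NAMED_BIN:-/usr/sbin/named}"
NAMED_USER="${NAMED_USER:-named}"

# Print the absolute paths named in ldd output, one per line. Handles both
# "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare "/lib/ld-linux.so.2
# (0x...)" form; skips the vDSO pseudo-entry and "statically linked",
# which are not files on disk.
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Create the directory skeleton under $1: the post's mkdir sequence plus
# lib and usr/lib, which the post cd's into without creating.
make_jail_tree() {
    jail=$1
    for d in dev etc lib usr/lib var/log var/named var/run; do
        mkdir -p "$jail/$d"
    done
}

# Copy every library listed in ldd output (stdin) into the jail at its
# original path, so the dynamic loader finds it unchanged after chroot.
# Fails on the first listed file that does not exist.
install_libs() {
    jail=$1
    for lib in $(ldd_paths); do
        [ -f "$lib" ] || { echo "missing library: $lib" >&2; return 1; }
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Device nodes need root; named only needs null and random.
make_devices() {
    jail=$1
    [ -c "$jail/dev/null" ]   || mknod -m 666 "$jail/dev/null"   c 1 3
    [ -c "$jail/dev/random" ] || mknod -m 644 "$jail/dev/random" c 1 8
}

# Only the directories named writes to belong to the named user; the rest
# stays root-owned so the daemon cannot alter its own libraries or config.
set_ownership() {
    jail=$1
    chown "$NAMED_USER:$NAMED_USER" "$jail/var/log" "$jail/var/named" "$jail/var/run"
}

# Report what the jail is still missing; returns 1 if anything is.
check_jail() {
    jail=$1; rc=0
    for f in etc/named.conf dev/null dev/random; do
        [ -e "$jail/$f" ] || { echo "missing: $jail/$f" >&2; rc=1; }
    done
    [ -n "$(find "$jail/lib" "$jail/usr/lib" -name 'ld-*' 2>/dev/null)" ] \
        || { echo "no dynamic loader under $jail/lib or $jail/usr/lib" >&2; rc=1; }
    return $rc
}

case "${1:-}" in
build)
    make_jail_tree "$JAIL"
    ldd "$NAMED_BIN" | install_libs "$JAIL"
    make_devices "$JAIL"
    set_ownership "$JAIL"
    # As in the post: the config (and any key files) moves into the jail.
    if [ -f /etc/named.conf ]; then mv /etc/named.conf "$JAIL/etc/named.conf"; fi
    check_jail "$JAIL"
    echo "jail ready; try: named -u $NAMED_USER -t $JAIL"
    ;;
esac
```

Zone files that still live directly under /var/named have to be moved to /var/named/var/named by hand, as the post says; the script deliberately does not guess which files are zones. If 'ldd' lists a library under /usr/lib, install_libs puts it under usr/lib inside the jail automatically, which is the case the post's parenthetical note warns about.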



