Note: I recommend upgrading to the latest BIND 9 release to take advantage of BIND 9's security features and security-focused code rewrite.
Thanks to Sean Boran for his "Installing
BIND v8 chroot'ed on Solaris 7." Much of the information on this
page was obtained from his installation guide.
In this BIND chroot jail example on a Solaris 7 server,
the named daemon is executed as the named
user (UID 53, GID 53). The chroot jail is the /home/dns directory. This document
assumes BIND is already installed with binaries in /usr/local, configuration files
in /usr/local/etc, and DNS
data in /var/dns.
If you already have a BIND chroot jail configured, and
want to upgrade to a new version of BIND, perform the following commands
after running make install.
These steps assume you installed BIND to the standard /usr/local directory tree.
for i in `ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | awk '{print $3}'`
do
    cp $i /home/dns/usr/lib
done
cd /home/dns/usr/local/sbin
(cd /usr/local/sbin; tar cf - dnskeygen named* irpd ndc) | tar xvf -
cd /home/dns/usr/local/bin
(cd /usr/local/bin; tar cf - dnsquery dig host nslookup nsupdate) | tar xvf -
Restart BIND to enable the new version.
To create a BIND chroot jail from scratch, perform the
following steps:
1. Create the named user and the chroot jail.
groupadd -g 53 named
useradd -c "BIND DNS daemon" -d /home/named -g named -u 53 -s /bin/false named
mkdir -m 750 /home/named
cd /home/named
mkdir -p dev opt usr var etc var/run var/log var/dns usr/local usr/lib usr/share/lib/zoneinfo
cp /etc/syslog.conf /etc/netconfig /etc/nsswitch.conf /etc/resolv.conf /etc/TIMEZONE etc
2. Copy libraries into chroot jail.
for i in `ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | awk '{print $3}'`
do
    cp $i /home/named/usr/lib
done
cp /usr/lib/ld.so.1 /home/named/usr/lib
3. Create device files in the chrooted environment.
cd /home/named/dev
mknod tcp c 11 42
mknod udp c 11 41
mknod log c 21 5
mknod null c 13 2
mknod zero c 13 12
chgrp sys null zero
mknod conslog c 21 0
mknod syscon c 0 0
chmod 620 syscon
chgrp tty syscon
chgrp sys conslog
4. Copy the timezone information into the chroot jail. Otherwise, BIND
will use a GMT timestamp when sending messages to syslog. In this
example, the TIMEZONE is US/Central.
cd /home/named
mkdir -p usr/share/lib/zoneinfo/US
cp -p /usr/share/lib/zoneinfo/US/Central usr/share/lib/zoneinfo/US
5. Copy BIND into the chroot jail and set appropriate permissions.
cd /home/named
mkdir -p usr/local/bin usr/local/lib usr/local/sbin usr/local/bind usr/local/etc
chmod 755 usr/local/bin usr/local/lib usr/local/sbin usr/local/bind usr/local/etc
cd /home/named/usr/local/sbin
(cd /usr/local/sbin; tar cf - dnskeygen named* irpd ndc) | tar xvf -
cd /home/named/usr/local/bin
(cd /usr/local/bin; tar cf - dnsquery dig host nslookup nsupdate) | tar xvf -
cd /home/named/usr/local
cp /usr/local/etc/named.conf etc
(cd /usr/local; tar cf - bind) | tar xvf -
chown -R root:named *
chmod 775 etc
cd /home/named/var/
(cd /var/dns; tar cf - *) | tar xvf -
cd /home/named
chown -R root:named opt var
chmod -R g-w var
chmod -R o-rx .
chmod g+w var/run var/log
touch var/log/all.log var/run/named.pid
chown named:named var/log/all.log var/run/named.pid
find . -type f | xargs chmod ug-s
6. Start BIND.
/usr/local/sbin/named -u 53 -g 53 -t /home/named
Make sure to modify your BIND startup/shutdown script to execute
BIND as a non-privileged user within the chroot jail. Compare your copy
to the following /etc/init.d/named
script.
#!/bin/sh
# Start named as the unprivileged named user (UID/GID 53), chrooted to /home/named.
# Stop it via the pid file named writes inside the jail (/var/run/named.pid as seen
# from the jail, /home/named/var/run/named.pid from outside; this assumes named.conf's
# pid-file is /var/run/named.pid, the file created in step 5) instead of grepping the
# process table, which would also match named-xfer and any other process whose
# command line contains "named".
PIDFILE=/home/named/var/run/named.pid
case $1 in
'start' )
        /usr/local/sbin/named -u 53 -g 53 -t /home/named
        ;;
'stop' )
        if [ -f $PIDFILE ]; then
                kill `cat $PIDFILE` > /dev/null 2>&1
        fi
        ;;
*)
        echo "usage: $0 {start|stop}"
        exit 1
        ;;
esac
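The library-copy loop used in both the upgrade block and step 2, together with the permission rules from step 5 and the device nodes from step 3, as a reusable POSIX sh script. This is an added example, not code from the original page: ldd_paths parses ldd output (Solaris "=>" form and Linux forms), copy_libs copies the libraries into the jail, and audit_jail reports set-id files, world-writable entries and non-device entries in dev; the JAIL variable and the three function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): generalizes the ldd copy loop from the
# upgrade block and step 2 and audits the permission rules applied in step 5.
# JAIL defaults to the page's /home/named; override it in the environment.
JAIL=${JAIL:-/home/named}

# Print absolute library paths from ldd output read on stdin, one per line.
# Handles the Solaris form "libc.so.1 =>   /usr/lib/libc.so.1" and Linux lines
# such as "/lib64/ld-linux-x86-64.so.2 (0x...)"; pseudo-entries with no file
# behind them ("linux-vdso.so.1 (0x...)") are dropped. Solaris ldd does not
# list the runtime linker ld.so.1, which is why the page copies it separately.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//              { print $1 }' | sort -u
}

# Copy every shared library the given binaries depend on into $JAIL/usr/lib.
copy_libs() {
    mkdir -p "$JAIL/usr/lib" || return 1
    ldd "$@" | ldd_paths | while read lib; do
        cp -p "$lib" "$JAIL/usr/lib/" || exit 1
    done
}

# Audit a jail: nothing inside it may be setuid/setgid (named never needs to
# regain privilege) or world-writable, and dev must hold only the character
# devices created in step 3. Prints each violation; returns 1 if any, else 0.
audit_jail() {
    dir=${1:-$JAIL}
    rc=0
    for f in $(find "$dir" -type f \( -perm -4000 -o -perm -2000 \)); do
        echo "setuid/setgid file: $f"; rc=1
    done
    for f in $(find "$dir" -perm -002); do
        echo "world-writable: $f"; rc=1
    done
    if [ -d "$dir/dev" ]; then
        for f in $(find "$dir/dev" ! -type d ! -type c); do
            echo "not a character device: $f"; rc=1
        done
    fi
    return $rc
}
```

Run `audit_jail /home/named` after step 5 and again after every upgrade; `copy_libs /usr/local/sbin/named /usr/local/sbin/named-xfer` replaces the hand-written loop.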