Chroot bind 9.3.0 in slackware 10 - noobie
Just set up my own domain server, and I want to run bind with a non-root user.
Anyone have any instructions or explanations on how to do this? I read a bunch of documentation on how to chroot bind 9, and I can apply most of the commands, but there are some differences which I can't apply to Slackware 10. A how-to I followed: hxxp://mirrors.evrocom.net/slackware/slackware-8.0/docs/Linux-HOWTO/Chroot-BIND-HOWTO - I got stuck in the 2.5.1 (syslog) part: when I went to /chroot/named/dev, I got "log=" instead of "log", and it wasn't logging anything (I would stop named and re-run named). I also got stuck in the 3.1 part about "modifying paths". There was no "src/port/linux/Makefile.set" in my distro. I also went to "/usr/src/linux/makefile" to check if maybe that was the file to modify, but I didn't see "DESTRUN=/var/run" or the like anywhere. So in actuality I couldn't proceed further than 2.5.1 because of the major differences in content between the instructions and my distro. I'm guessing the doc isn't up to date. Any help is appreciated.
The easiest way is to use bind's built-in chroot features. I'm not sure when it was added, but it is present in BIND 9.2.3. You do that by adding the "-t" & "-u" options when you start it. On Slackware, you'd just need to modify the startup script at /etc/rc.d/rc.bind. At the top, change the start_bind function to something like this:
Code:
bind_start() {

There are also some additional steps you'll need to take to set it all up. First, create the user and group:

Code:
groupadd named

Code:
mkdir -p /chroot/named/{dev,etc,var}

Code:
mknod /chroot/named/dev/null c 1 3

Code:
cp /etc/localtime /chroot/named/etc

Code:
mkdir -p /chroot/named/var/{log,named,run}

Code:
cp /var/named/* /chroot/named/var/named

Code:
-rw-r--r-- 1 named named 188 Dec 2 2003 0.0.127.in-addr.arpa.zone

About the log issue. What I do is have bind keep its own log, separate from syslogd. You can do that by adding something like this to your named.conf:

Code:
// Logging options

Code:
root@gateway:~# ls -l /proc/`pidof named`/root
The manual I'm referring to is called the BIND 9 Administrator Reference Manual and it's distributed with bind in html format. You can find it on Slackware 10 at /usr/doc/bind-9.2.3/arm. Multiple versions of it are available online in html format at http://www.bind9.net/manuals. The PDF version used to be on the developer's website at http://www.isc.org/index.pl?/sw/bind/ but I don't see it there now. You can find it at various places online though.
omg thank you for the detailed explanation and instruction. I seriously appreciate your help.
I can't seem to get it running after I've gone through your instructions. I have a question: when you tell me to edit the named.conf file in this tutorial, which named.conf do you want me to edit, the one in the chroot dir or the one "out from" the chroot dir? I edited both and it still doesn't work. I did a ./rc.bind start, then I did a ./rc.bind stop and it gives me this message: "named: no process killed"

---EDIT---
named works when I just run it normally without the switches in the rc.bind file. Also, when I run /usr/local/sbin/named -t /chroot/named/, it works, but when I use the -u named switch, it doesn't work. Maybe it's a permission thing?

---EDIT---
Ok, I changed the ownership of all the contents in /chroot/named/ to "named" and now the full command "/usr/local/sbin/named -t /chroot/named/ -u named" works. Is this OK?
---EDIT---
Now another problem arises: I can't get that logging thing to work. I copied it exactly as you typed it out on both named.conf files, and now named won't run.
Ok, make sure you didn't already have a "logging" section in your named.conf file, and now have 2. Also make sure there isn't a typo somewhere, like a missing brace, semi-colon, and etc. And check the logs for any errors, namely /var/log/messages, to see if you can identify the problem. If that's no help, try tracing it with strace. Otherwise, edit out anything revealing like your IPs, rndc key, and etc and post your named.conf.
Also, when running bind in this manner, you will not need the /etc/named.conf file at all anymore. You'd instead need /chroot/named/etc/named.conf which to bind is /etc/named.conf since the only files bind can see or access are those located within the chroot jail. In other words, named will switch to the chroot jail and to user "named" prior to accessing named.conf. However, until you get all the kinks worked out, I'd leave the default "known-working" setup intact as-is and only edit files within the chroot jail if needed. As far as permissions go, probably the easiest way for me to show you what works for me is to simply list them as they are on my system, so here goes:

Code:
root@gateway:/chroot# ls -l

Code:
root@gateway:/chroot/named# ls -lR
Yeah I made a typo. haha. Thanks for the help again, I appreciate it. It all works now.
Is it a security risk to change owner for /chroot/named to "named"? cuz that's what I did.

---EDIT---
fixed typo
Well technically, I'd say yes. Keep in mind that I'm not, nor do I claim to be, a security specialist, but there are several in this forum. But yeah, as a general rule from a security standpoint, you only want to allow whatever access is required to complete the task. In this case, bind needs only read access to most of it and write access only to the directories where it will create its logs, pid file and etc. Additionally, you could get really paranoid and set the immutable bit on your zone files and named.conf. ie:
Code:
chattr +i /chroot/named/etc/named.conf
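As an added example (not code from this thread, from Slackware's rc.bind, or from ISC), here is a POSIX shell script that pulls together the setup steps from the earlier reply and the least-privilege point made just above: it builds the jail tree under a directory you give it, keeps everything root-owned and read-only except the log and pid directories, writes a jail-relative logging section of the kind the earlier reply describes, and audits the jail for anything named could write to outside those two directories. The "named" user and group, the file name named.logging.conf, the channel name jail_log and the jail path are my assumptions; the device node and the chown calls only happen when the script runs as root and the account exists.

```shell
#!/bin/sh
# Added example: build a BIND chroot jail with least-privilege ownership and
# audit it. Not from the thread or from ISC; the "named" account, the
# named.logging.conf file name and the jail_log channel name are assumptions.
umask 022

# Directories named needs to write to: its log and its pid file. Everything
# else stays root-owned and read-only for the named group. (A secondary zone
# directory would be added here if you carry slave zones; assumption only.)
WRITABLE_DIRS="var/log var/run"

have_named_account() {
    id -u named >/dev/null 2>&1 && getent group named >/dev/null 2>&1
}

# Create the tree the earlier reply describes. The device node and the
# ownership changes need root; without it only layout and mode bits apply.
build_chroot_tree() {
    base=${1%/}
    mkdir -p "$base/dev" "$base/etc" "$base/var/log" "$base/var/named" "$base/var/run"
    chmod 755 "$base" "$base/dev" "$base/etc" "$base/var" "$base/var/named"
    for d in $WRITABLE_DIRS; do
        chmod 750 "$base/$d"
    done
    if [ -f /etc/localtime ]; then
        cp /etc/localtime "$base/etc/localtime"
        chmod 644 "$base/etc/localtime"
    fi
    if [ "$(id -u)" -eq 0 ] && have_named_account; then
        [ -c "$base/dev/null" ] || mknod "$base/dev/null" c 1 3 ||
            echo "warning: could not create $base/dev/null" >&2
        [ -c "$base/dev/null" ] && chmod 666 "$base/dev/null"
        # Everything root:named first, then hand over only the writable dirs.
        chown -R root:named "$base"
        for d in $WRITABLE_DIRS; do
            chown named:named "$base/$d"
        done
    fi
    return 0
}

# Logging section kept inside the jail. With "named -t", the file path below
# is resolved relative to the jail root, so it lands in $base/var/log.
# Pull it into named.conf with:  include "/etc/named.logging.conf";
write_logging_conf() {
    base=${1%/}
    cat > "$base/etc/named.logging.conf" <<'EOF'
logging {
    channel jail_log {
        file "/var/log/named.log" versions 3 size 1m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category default { jail_log; };
};
EOF
    chmod 644 "$base/etc/named.logging.conf"
}

# List anything in the jail that named could write to outside the allowed
# directories: group/world-writable entries (the /dev/null node is expected
# to be writable, so character devices are skipped) and, when the account
# exists, entries owned by named. Returns 1 if something was found.
audit_chroot() {
    base=${1%/}
    prune=""
    for d in $WRITABLE_DIRS; do
        prune="$prune -path $base/$d -prune -o"
    done
    findings=$(
        find "$base" $prune ! -type c \( -perm -g+w -o -perm -o+w \) -print
        if id -u named >/dev/null 2>&1; then
            find "$base" $prune -user named -print
        fi
    )
    if [ -n "$findings" ]; then
        printf 'writable by named outside [%s]:\n%s\n' "$WRITABLE_DIRS" "$findings" >&2
        return 1
    fi
    return 0
}

# After "named -t $base -u named" is running, confirm the process really
# sees the jail as its root (the /proc/PID/root check from the thread).
check_named_jailed() {
    base=${1%/}
    set -- $(pidof named 2>/dev/null)
    [ -n "$1" ] || return 1
    [ "$(readlink "/proc/$1/root")" = "$base" ]
}

# Usage (as root): sh bind-jail.sh /chroot/named
if [ -n "${1:-}" ]; then
    build_chroot_tree "$1"
    write_logging_conf "$1"
    audit_chroot "$1" && echo "jail at $1 looks sane; start with: named -t $1 -u named"
fi
```

Run it once as root to build the jail, copy your zone files into var/named afterwards and rerun it so the chown pass covers them, then run the audit again whenever you touch the tree; a non-zero exit from audit_chroot is the answer to "did I give named more than it needs".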
Ok I understand. Thanks for your help again.