Subject: Re: BIND and chroot
To: None <port-mac68k@netbsd.org>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: port-mac68k
Date: 07/10/2000 00:35:13
It's a bit after the fact, but I had no trouble producing
statically-linked binaries on macppc. I think it may have been an
oddity of the architecture though, as my notes don't show how I did it
(smooth, eh?), nor was I ever able to build a statically-linked BIND
on Solaris through any contortions of CFLAGS.
I've included my notes below. Note that the web site I reference no
longer exists (sigh), but that securityfocus.com recently ran an
article about chroot'ing BIND on Solaris. Between that, the Linux
page Joe mentions, and each of our notes, you should have no trouble.
Also, BIND couldn't give two shits about a $CHROOT-DIR/var/log, as I
later learned, just those referenced in named.conf's logging{}
section (my notes are confusing on this point).
~ g r @ eclipsed.net
[attachment: bind-19991119]
working from http://www.403-security.org/SecurityTexts/securing.open_freebsd.dns.html
Got the source from ftp.isc.org/isc/bind/src/8.2.2-P5
(comes in several pieces, mainly you want -src.tar.gz, though -doc
isn't a bad idea... don't think there's much useful in -contrib in
this context)
uriel:bind-8.2.2-p5/src% make clean [5]
...
uriel:bind-8.2.2-p5/src% make depend [7]
...
uriel:bind-8.2.2-p5/src% make all [8]
...
added group:
named:*:14:
added user:
named:*:14:14::0:0:named chroot user:/chroot/named:/sbin/nologin
added directory:
uriel:/# mkdir chroot [3]
uriel:/# chmod 755 chroot [5]
uriel:/chroot# umask [15]
077
uriel:/chroot# umask 022 [16]
uriel:/chroot# mkdir named [17]
uriel:/chroot# cd named/ [19]
uriel:/chroot/named# mkdir dev [20]
uriel:/chroot/named# mkdir etc [21]
uriel:/chroot/named# mkdir etc/namedb [22]
uriel:/chroot/named# mkdir usr [23]
uriel:/chroot/named# mkdir usr/libexec [24]
uriel:/chroot/named# mkdir var [25]
uriel:/chroot/named# mkdir var/run [26]
uriel:named/etc# cp /etc/localtime ./ [33]
uriel:named/etc# file localtime [35]
localtime: timezone data
uriel:named/etc# rm -rf namedb [40]
uriel:named/etc# cp -r /etc/namedb ./ [41]
uriel:named/etc# ln -s namedb/named.conf ./named.conf [48]
uriel:named/etc# cd .. [51]
uriel:/chroot/named# cd dev [52]
uriel:named/dev# mknod null c 2 2; chmod 666 null [54]
uriel:named/dev# ll [55]
total 4
drwxr-xr-x 2 root wheel 512 Nov 19 12:52 ./
drwxr-xr-x 6 root wheel 512 Nov 19 12:42 ../
crw-rw-rw- 1 root wheel 2, 2 Nov 19 12:52 null
uriel:named/dev# ll /dev/null [56]
crw-rw-rw- 1 root wheel 2, 2 Nov 19 12:29 /dev/null
uriel:named/dev# touch console [59]
uriel:named/dev# chown named:named console [61]
uriel:named/dev# cd .. [63]
uriel:/chroot/named# cd var [64]
uriel:named/var# mkdir log [65]
[not entirely sure this is necessary, but it may be - syslog isn't chrooted,
so logs should still end up in the real /var/log, but there's some suggestion
that named will bitch if it doesn't see the "custom logging directories" that
are "defined" - no mention of where]
uriel:/chroot/named# chgrp -R named etc/namedb/ [75]
uriel:/chroot/named# chmod -R g+w etc/namedb/ [76]
uriel:/chroot/named# ll etc/ [77]
total 10
drwxr-xr-x 3 root wheel 512 Nov 19 12:46 ./
drwxr-xr-x 6 root wheel 512 Nov 19 12:42 ../
-r--r--r-- 1 root wheel 1250 Nov 19 12:43 localtime
lrwxr-xr-x 1 root wheel 17 Nov 19 12:46 named.conf@ -> namedb/named.conf
drwxrwxr-x 3 root named 512 Nov 19 12:44 namedb/
uriel:/chroot/named# ll etc/namedb/ [78]
total 28
drwxrwxr-x 3 root named 512 Nov 19 12:44 ./
drwxr-xr-x 3 root wheel 512 Nov 19 12:46 ../
-r--rw-r-- 1 root named 233 Nov 19 12:44 127
-r---w---- 1 root named 250 Nov 19 12:44 127.orig
drwxrwx--- 2 root named 512 Nov 19 12:44 RCS/
-rw-rw-r-- 1 root named 646 Nov 19 12:44 dualism.org
-r--rw-r-- 1 root named 999 Nov 19 12:44 eclipsed.net
-r--rw-r-- 1 root named 1115 Nov 19 12:44 named.conf
-r---w---- 1 root named 789 Nov 19 12:44 named.conf.orig
-rw-rw-r-- 1 root named 865 Nov 19 12:44 ophelan.com
-rw-rw-r-- 1 root named 2831 Nov 19 12:44 root.cache
[need to clean this up by hand on account of RCS - don't want the named group
to be able to write to these files, as they should *never* come in via
named-xfer on uriel]
uriel:/chroot/named# cp ~gr/src/bind-8.2.2-p5/src/bin/named/named ./ [98]
uriel:/chroot/named# file named [99]
named: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1, statically linked, not stripped
uriel:/chroot/named# cp ~gr/src/bind-8.2.2-p5/src/bin/named-xfer/named-xfer usr/libexec/
uriel:~named# file usr/libexec/named-xfer [103]
usr/libexec/named-xfer: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1, statically linked, not stripped
uriel:~named# strip named [104]
uriel:~named# strip usr/libexec/named-xfer [105]
uriel:~named# chgrp named var/run/ [109]
uriel:~named# chmod 775 var/run/ [110]
additionally:
# rm /var/run/ndc
[named's old socket - it uses /chroot/named/var/run/ndc now]
# rm /var/run/named.pid
# ln -s /chroot/named/var/run/named.pid /var/run/named.pid
# kill -9 [named] [syslogd]
# syslogd -p /chroot/named/var/run/log -p /var/run/log
# /chroot/named/named -u named -g named -t /chroot/named
[make the calls in /etc/rc and related launch these two as above]
# chmod 000 /usr/sbin/named
[just to make sure no mistakes occur]
[... and proof:]
uriel:/etc# ps ajwx | grep named [201]
root 20167 1 20167 e060c8c0 0 INs ?? 0:00.10 syslogd -p /var/run/log -p /chroot/named/var/run/log
named 20169 1 20169 e0607240 0 INs ?? 0:00.18 /chroot/named/named -u named -g named -t /chroot/named
root 20279 4627 20278 e0606f80 2 SN+ p4 0:00.04 grep named
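The notes above are a transcript, so the points that actually bite in a
chrooted BIND 8 (static binaries, a real /dev/null inside the jail, zone
files not writable by the named group unless named-xfer fetches them,
var/run writable by that group, and a syslog socket inside the jail before
named starts) are scattered through them. As an added example, not part of
the original notes and not anything shipped with BIND, here is a POSIX sh
audit script that checks a jail laid out the way the notes build it. It
assumes the directory layout and the group name "named" from the notes
(the group is overridable as the second argument) and an XFER_ZONES
environment variable listing zone file basenames that arrive via
named-xfer; both are the example's own conventions, and file names are
assumed to contain no whitespace.

```shell
#!/bin/sh
# audit_named_chroot: sanity-check a BIND 8 chroot tree laid out as in the
# notes above (/chroot/named with dev, etc/namedb, usr/libexec, var/run).
# Added example, not part of the original notes. Assumptions: group name
# "named" (second argument overrides it) and XFER_ZONES, a space-separated
# list of zone file basenames fetched by named-xfer, which are the only
# files under etc/namedb that may be writable by the named group.
# File names are assumed to contain no whitespace.

n=0

audit_fail() {
    echo "FAIL: $*"
    n=$((n + 1))
}

# usage: audit_named_chroot /chroot/named [group]
# Prints one FAIL line per finding; the return value is the number of findings.
audit_named_chroot() {
    root=$1
    grp=${2:-named}
    n=0

    # 1. Skeleton named expects to find under the jail root.
    for d in dev etc etc/namedb usr/libexec var/run; do
        if [ ! -d "$root/$d" ]; then audit_fail "missing directory $d"; fi
    done

    # 2. Device nodes. A plain file called "null" would quietly fill up.
    if [ ! -e "$root/dev/null" ]; then
        audit_fail "dev/null missing (as root: mknod null c 2 2; chmod 666 null)"
    elif [ ! -c "$root/dev/null" ]; then
        audit_fail "dev/null is not a character device"
    fi
    if [ ! -e "$root/dev/console" ]; then audit_fail "missing dev/console"; fi

    # 3. Binaries. Nothing inside the jail can resolve shared libraries,
    #    so both must be statically linked (checked when file(1) is present).
    for b in named usr/libexec/named-xfer; do
        if [ ! -f "$root/$b" ]; then
            audit_fail "missing binary $b"
        elif command -v file >/dev/null 2>&1 &&
             ! file "$root/$b" | grep -q 'statically linked'; then
            audit_fail "$b is not statically linked"
        fi
    done

    # 4. Config. named.conf must resolve inside the jail; an absolute symlink
    #    target points at the host's /etc when edited from outside the jail.
    if [ ! -f "$root/etc/named.conf" ]; then
        audit_fail "etc/named.conf missing or dangling"
    elif [ -L "$root/etc/named.conf" ]; then
        case $(readlink "$root/etc/named.conf") in
            /*) audit_fail "etc/named.conf symlink target is absolute" ;;
        esac
    fi
    if [ ! -f "$root/etc/localtime" ]; then audit_fail "missing etc/localtime"; fi

    # 5. Zone files. Only zones fetched by named-xfer should be writable by
    #    the named group; everything else stays read-only to it.
    for f in $(find "$root/etc/namedb" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null); do
        base=${f##*/}
        allowed=0
        for z in $XFER_ZONES; do
            if [ "$base" = "$z" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then
            audit_fail "group- or world-writable zone file $f (not in XFER_ZONES)"
        fi
    done

    # 6. Runtime state. named drops to the named user/group and must still be
    #    able to write named.pid and the ndc socket into var/run.
    if ! find "$root/var/run" -prune -group "$grp" -perm -020 2>/dev/null | grep -q .; then
        audit_fail "var/run is not group-writable by $grp"
    fi

    # 7. Logging. syslogd is not chrooted, so it has to be started with
    #    -p $root/var/run/log before named, or named's syslog output is lost.
    if [ ! -S "$root/var/run/log" ]; then
        audit_fail "var/run/log is not a socket (start syslogd -p $root/var/run/log first)"
    fi

    return "$n"
}

# Run directly against a jail: sh audit-named-chroot.sh /chroot/named named
if [ $# -gt 0 ]; then
    audit_named_chroot "$1" "${2:-named}"
    exit $?
fi
```

Run it as root after the steps in the notes and before editing /etc/rc; a
clean run prints nothing and exits 0. The check on var/run/log is the one
that catches the ordering mistake: if named is started before the syslogd
with the extra -p socket, named itself runs fine but nothing from its
logging{} section ever reaches the real /var/log.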