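# $Id: chroot-named-solaris,v 1.2 2003/08/05 20:09:15 dlbewley Exp $
#
# Setup of BIND named in chroot jail on Solaris 9
# Dale Bewley
#
# This is a recipe meant to be read and run step by step as root, not a
# turnkey script: each step assumes the previous ones succeeded, and the
# "##" headings mark where you should stop and check.
#
# This is based on info from a couple of sites:
#   http://www.brandonhutchinson.com/Solaris_7_chroot_jail.html
#   http://www.cymru.com/Documents/secure-bind-template.html

# This is where we'll be restricted to
CHROOT=/opt/jail/named

# create an unprivileged user and group for named to drop to after it
# has bound port 53.  /bin/false as the shell: nothing should ever be
# able to log in as this account.
groupadd -g 53 named
useradd -c "BIND DNS daemon" -d "$CHROOT" -g named -u 53 -s /bin/false named

## Setup the Chroot
# use setup_chroot from http://www.bewley.net/solaris/setup_chroot
setup_chroot "$CHROOT"

# this misses a couple of libraries
for file in \
    /usr/lib/libpthread.so.1 \
    /usr/lib/libthread.so.1 \
    /usr/lib/libmd5.so
do
    cp "$file" "${CHROOT}/usr/lib"
done

# and it misses a couple of necessary dev files.
# The major/minor numbers are the Solaris 9 ones; confirm them against
# `ls -lL /dev/null /dev/log /dev/conslog` on the target host first,
# they are not guaranteed to be the same on other releases.
mknod "${CHROOT}/dev/null" c 13 2
mknod "${CHROOT}/dev/log" c 21 5
mknod "${CHROOT}/dev/conslog" c 21 0
# Depending on your umask the new nodes may come out without world
# write permission, in which case named (uid 53) cannot open them and
# loses /dev/null and syslog.  Match the modes of the real devices.
chmod 666 "${CHROOT}/dev/null" "${CHROOT}/dev/log" "${CHROOT}/dev/conslog"

# create passwd in chroot: named needs to look up its own uid/gid once
# it is inside the jail.  Anchor the match so exactly the accounts
# 'named' and 'root' are copied, not every account whose name happens
# to contain "named" or "root".  (Solaris keeps the password hashes in
# /etc/shadow, which stays outside the jail.)
egrep -e '^(named|root):' /etc/passwd >> "${CHROOT}/etc/passwd"
# i suppose you could be more picky with the group file
cp /etc/group "${CHROOT}/etc"
# setup some directories for zone files and etc.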
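mkdir -p "${CHROOT}/var/named/master"
mkdir -p "${CHROOT}/var/named/secondary"
mkdir -p "${CHROOT}/var/run"
# Least privilege on the data tree (this is what the cymru template
# recommends too): named only has to WRITE the secondary zones it
# transfers in and its pid file.  Master zone files stay root-owned and
# read-only for named, so a compromised named cannot rewrite the zones
# it is authoritative for.  If you use dynamic updates on a master
# zone, named needs write access to that zone's directory as well.
chown -R root:named "${CHROOT}/var"
chmod -R 750 "${CHROOT}/var"
chown -R named:named "${CHROOT}/var/named/secondary" "${CHROOT}/var/run"
chmod 770 "${CHROOT}/var/named/secondary" "${CHROOT}/var/run"

# install bind
# you might snag a bind pkg from http://www.sunfreeware.com if you are so inclined.
# Whatever you install will run as root at every boot, so check the
# package's published checksum before adding it, and prefer a current,
# supported BIND release over whatever happens to be cached.
pkgadd -R "$CHROOT" -d bind-9.2.2-sol9-sparc-local

# make bind utils more easily available.  The binaries stay inside the
# jail; the links just let them run from the normal PATH.
for file in dig host nslookup; do
    ln -s "${CHROOT}/usr/local/bin/$file" "/usr/local/bin/$file"
done
for file in dnssec-keygen dnssec-makekeyset dnssec-signkey dnssec-signzone \
            named-checkconf named-checkzone rndc rndc-confgen; do
    ln -s "${CHROOT}/usr/local/sbin/$file" "/usr/local/sbin/$file"
done
# you might also add ${CHROOT}/usr/local/man to your MANPATH

# create a config file in ${CHROOT}/etc/named.conf
# you might use this one as a start http://www.cymru.com/Documents/secure-bind-template.html
ln -s "${CHROOT}/etc/named.conf" /etc/named.conf
# make it more convenient to get to the zone files
# (the original linked to ${CHROOT}/named/var/named, a path that does
# not exist; the zone tree is ${CHROOT}/var/named)
ln -s "${CHROOT}/var/named" /var/named

# also setup an rndc.conf and make all configs private.
# BIND 9.2 only speaks HMAC-MD5 for rndc, so that is the algorithm we
# have to generate; the 256-bit key at least keeps the secret strong.
cd "$CHROOT"
dnssec-keygen -a HMAC-MD5 -b 256 -n HOST rndc
# pick the secret out of the .private file just generated (157 is the
# HMAC-MD5 algorithm number in the file name)
KEY=`awk '/^Key:/ {print $2}' Krndc.+157+*.private`
# the secret now belongs in rndc.conf and named.conf only; do not leave
# the generated key files sitting in the jail root for named to read.
rm -f Krndc.+157+*.key Krndc.+157+*.private
# put the key into your rndc.conf file something like this:
# key "rndckey" {
#     algorithm "hmac-md5";
#     secret "${KEY}";
# };
# and the same key block (plus a matching controls statement) into
# ${CHROOT}/etc/named.conf.  Both files now carry a shared secret that
# lets anyone holding it control the server: keep named.conf readable
# only by root and the named group, and the rndc.conf your rndc reads
# (/etc/rndc.conf unless the package was built with another sysconfdir)
# mode 600, owned by root.
chown root:named "${CHROOT}/etc/named.conf"
chmod 640 "${CHROOT}/etc/named.conf"

# create a root nameserver hints file.  This asks whatever resolver
# resolv.conf currently points at; eyeball the result (13 NS records
# plus glue) or fetch ftp://ftp.internic.net/domain/named.root instead
# before trusting it.
dig . ns > "${CHROOT}/var/named/db.cache"

# start named.  i couldn't get -t to work.
# NOTE: chroot(1M) runs the command relative to the NEW root, so the
# binary is /usr/local/sbin/named from named's point of view.  Giving
# the jail prefix here (as the original did) makes chroot look for
# ${CHROOT}${CHROOT}/usr/local/sbin/named, which does not exist.
# -u 53 makes named drop root privileges to the named account once it
# has bound its sockets.
chroot "$CHROOT" /usr/local/sbin/named -c /etc/named.conf -u 53

# install a startup script in /etc/init.d:
################################################################################
#!/sbin/sh
#
# Dale Bewley
# Thu Jul 31 08:49:37 PDT 2003
#
# Start/stop the chrooted named.  'start' is skipped when we are merely
# moving between run levels 2 and 3 (named is already up); 'stop' goes
# through rndc rather than the pid file, see below.

CHROOT=/opt/jail/named

case "$1" in
'start')
    if [ -z "$_INIT_PREV_LEVEL" ]; then
        set -- `/usr/bin/who -r`
        _INIT_PREV_LEVEL="$9"
    fi
    [ "$_INIT_PREV_LEVEL" = 2 -o "$_INIT_PREV_LEVEL" = 3 ] && exit 0
    echo 'starting named'
    # path is relative to the jail once chroot has switched roots
    /usr/local/bin/chroot "$CHROOT" /usr/local/sbin/named -c /etc/named.conf -u 53
    ;;
'stop')
    echo 'stopping named'
    # Do not trust ${CHROOT}/var/run/named.pid: that directory is
    # writable by the named user, so a compromised named could write any
    # pid there and have this script, running as root, kill that process
    # instead.  Ask named to shut itself down over the authenticated rndc
    # channel, then make sure nothing is left running as 'named'.
    /usr/local/sbin/rndc stop
    pkill -x -u named named
    ;;
'reload')
    # needs a readable rndc.conf with the key generated above
    /usr/local/sbin/rndc reload
    ;;
'restart')
    $0 stop
    $0 start
    ;;
*)
    echo "Usage: $0 { start | stop | reload | restart }"
    exit 1
esac
exit 0
################################################################################
# link it into /etc/rc2.d so it starts at bootup, e.g.
#   ln -s /etc/init.d/named /etc/rc2.d/S72named

## END ##

# Stop here!  The rest of this is a collection of incomplete notes and thoughts

## We might be able to do something like this instead of using the setup_chroot script
# get all the necessary libraries the bind binaries are linked against
# (ldd prints "name => path", hence field 3), plus the runtime linker
for lib in `ldd "${CHROOT}"/usr/local/sbin/* | awk '{print $3}' | sort -u` \
           /usr/lib/ld.so.1
do
    cp "$lib" "${CHROOT}/usr/lib"
done
# copy the name-service and init config named wants (the files live in
# /etc; the original copied bare relative names)
for file in netconfig \
            nsswitch.conf \
            resolv.conf \
            default/init
do
    cp "/etc/$file" "${CHROOT}/etc/$file"
done
# make the dev files...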