
# $Id: chroot-named-solaris,v 1.2 2003/08/05 20:09:15 dlbewley Exp $

# Setup of BIND named in chroot jail on Solaris 9
# Dale Bewley 

# This is based on info from a couple of sites:
#  http://www.brandonhutchinson.com/Solaris_7_chroot_jail.html
#  http://www.cymru.com/Documents/secure-bind-template.html

# This is where we'll be restricted to
# Root of the jail; every jail path below hangs off this directory.
CHROOT=/opt/jail/named

# Dedicated unprivileged identity for the daemon.  Its "home" is the jail
# itself and it never gets a usable login shell.
groupadd -g 53 named
useradd -c "BIND DNS daemon" -d "$CHROOT" -g named -u 53 -s /bin/false named

## Setup the Chroot
# use setup_chroot from http://www.bewley.net/solaris/setup_chroot
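# Build the jail skeleton; nothing after this is meaningful if it fails.
setup_chroot "$CHROOT" || exit 1

# setup_chroot misses a couple of libraries; copy them in and stop on the
# first failure rather than silently ending up with a jail named can't run in.
for file in \
    /usr/lib/libpthread.so.1 \
    /usr/lib/libthread.so.1 \
    /usr/lib/libmd5.so
do
    cp "$file" "${CHROOT}/usr/lib" || exit 1
done

# It also misses a couple of device nodes.  The major/minor numbers below are
# for Solaris 9 -- confirm them on the host with
#   ls -lL /dev/null /dev/log /dev/conslog
# before creating them.  The existence test makes re-running this harmless.
[ -e "${CHROOT}/dev/null" ]    || mknod "${CHROOT}/dev/null" c 13 2
[ -e "${CHROOT}/dev/log" ]     || mknod "${CHROOT}/dev/log" c 21 5
[ -e "${CHROOT}/dev/conslog" ] || mknod "${CHROOT}/dev/conslog" c 21 0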

# create passwd in chroot
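# Minimal passwd inside the jail.  The pattern is anchored on the account
# name: an unanchored 'named|root' also matches any account whose name or
# GECOS field merely contains those strings (e.g. "rootbeer").
egrep -e '^(named|root):' /etc/passwd >> "${CHROOT}/etc/passwd"
# i suppose you could be more picky with the group file
cp /etc/group "${CHROOT}/etc"

# Directories for zone files and runtime state.
#   master/    primary zone data: root-owned, group-readable by named only.
#              named has no reason to write it, so a compromised daemon
#              cannot rewrite the zones it serves.
#   secondary/ transferred zones -- named must be able to write here.
#   run/       pid file -- written by named at startup.
mkdir -p "${CHROOT}/var/named/master" \
         "${CHROOT}/var/named/secondary" \
         "${CHROOT}/var/run"
chown -R root:named "${CHROOT}/var/named/master"
chmod -R 750 "${CHROOT}/var/named/master"
chown -R named:named "${CHROOT}/var/named/secondary" "${CHROOT}/var/run"
chmod -R 770 "${CHROOT}/var/named/secondary" "${CHROOT}/var/run"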

# install bind
# you might snag a bind pkg from http://www.sunfreeware.com if you are so inclined
# Install BIND with the jail as the package root.
# you might snag a bind pkg from http://www.sunfreeware.com if you are so inclined
pkgadd -R "$CHROOT" -d bind-9.2.2-sol9-sparc-local

# Expose the jailed utilities on the host PATH.  These links execute binaries
# that live inside the jail, so ${CHROOT}/usr/local must stay root-owned and
# must never become writable by the named user.
bin_tools="dig host nslookup"
sbin_tools="dnssec-keygen dnssec-makekeyset dnssec-signkey dnssec-signzone named-checkconf named-checkzone rndc rndc-confgen"

for tool in $bin_tools; do
    ln -s "${CHROOT}/usr/local/bin/${tool}" "/usr/local/bin/${tool}"
done
for tool in $sbin_tools; do
    ln -s "${CHROOT}/usr/local/sbin/${tool}" "/usr/local/sbin/${tool}"
done
# you might also add ${CHROOT}/usr/local/man to your MANPATH

# create a config file in ${CHROOT}/etc/named.conf
# you might use this one as a start http://www.cymru.com/Documents/secure-bind-template.html
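# Expose the jailed config on the host; the real file stays inside the jail.
ln -s "${CHROOT}/etc/named.conf" /etc/named.conf
# Convenience link to the zone files.  The target must be ${CHROOT}/var/named,
# the directory created above -- ${CHROOT}/named/var/named does not exist.
ln -s "${CHROOT}/var/named" /var/named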

# also setup an rndc.conf and make all configs private
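# Generate the rndc shared secret.  Stop if we cannot enter the jail: the
# key files would otherwise land in whatever the current directory is.
cd "$CHROOT" || exit 1
# Nothing created here should be readable by anyone but root.
umask 077
# dnssec-keygen prints the base name of the key pair it wrote
# (Krndc.+NNN+NNNNN).  Read the secret from that file rather than globbing
# *private, which picks up every key ever generated here and leaves KEY
# holding several lines.
keyname=$(dnssec-keygen -a HMAC-MD5 -b 256 -n HOST rndc) || exit 1
KEY=$(awk '/^Key:/ { print $2 }' "${keyname}.private")
# Once the secret is in rndc.conf (and named.conf), remove ${keyname}.key
# and ${keyname}.private so the key material does not linger inside the jail.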
# put the key into your rndc.conf file something like this:
# key "rndckey" {
#        algorithm       "hmac-md5";
#        secret          "${KEY}";
# };

# create a root nameserver hints file 
# Root hints for the jail.  Written by root; named only needs to read it.
hints="${CHROOT}/var/named/db.cache"
dig . ns > "$hints"

# start named. i couldn't get -t to work
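# Start named by hand.  Once chroot(1M) has switched root, the command path
# is resolved inside the jail, so the binary is /usr/local/sbin/named --
# ${CHROOT}/usr/local/sbin/named would not exist from named's point of view.
# This is the same invocation the init script below uses.
chroot "$CHROOT" /usr/local/sbin/named -c /etc/named.conf -u 53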

# install a startup script in /etc/init.d:
################################################################################
#!/sbin/sh
#
# Dale Bewley 
# Thu Jul 31 08:49:37 PDT 2003

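# Bourne sh (/sbin/sh): no $(...), no [[ ]], no local.
CHROOT=/opt/jail/named
PIDFILE=${CHROOT}/var/run/named.pid

case "$1" in
'start')
        # Coming from run level 2 or 3 means named is already up; only start
        # it on the way up from boot/single-user.  Quoting the level keeps the
        # test valid when `who -r` yields fewer than nine fields.
        if [ -z "$_INIT_PREV_LEVEL" ]; then
                set -- `/usr/bin/who -r`
                _INIT_PREV_LEVEL="$9"
        fi

        [ "$_INIT_PREV_LEVEL" = 2 -o "$_INIT_PREV_LEVEL" = 3 ] && exit 0

        echo 'starting named'
        # Paths after chroot are resolved inside the jail.
        /usr/local/bin/chroot $CHROOT /usr/local/sbin/named -c /etc/named.conf -u 53
        ;;

'stop')
        echo 'stopping named'
        # The pid file lives in a directory the unprivileged named user can
        # write to.  This script runs as root, so it must not kill whatever
        # number it finds there: require one numeric pid that belongs to a
        # named process.
        if [ ! -r "$PIDFILE" ]; then
                echo "$0: $PIDFILE not found, is named running?" >&2
                exit 1
        fi
        pid=`head -1 "$PIDFILE"`
        case "$pid" in
        ''|*[!0-9]*)
                echo "$0: bad pid '$pid' in $PIDFILE" >&2
                exit 1
                ;;
        esac
        comm=`/usr/bin/ps -p "$pid" -o comm= 2>/dev/null`
        case "$comm" in
        *named)
                kill "$pid" || exit 1
                ;;
        *)
                echo "$0: pid $pid is not named (comm='$comm'), not killing" >&2
                exit 1
                ;;
        esac
        ;;

'reload')
        /usr/local/sbin/rndc reload
        ;;

'restart')
        $0 stop
        $0 start
        ;;

*)
        echo "Usage: $0 { start | stop | reload | restart }"
        exit 1
esac
exit 0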
################################################################################

# link it into /etc/rc2.d so it starts at bootup

## END ##

# Stop here! The rest of this is a collection of incomplete notes and thoughts

## We might be able to do something like this instead of using the setup_chroot script
# get all the necessary libraries
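# ldd prints "libfoo.so.1 =>  /usr/lib/libfoo.so.1"; keep only entries that
# resolved to an absolute path.  That skips "(file not found)" lines and the
# "binary:" header lines ldd emits when given several files, both of which
# the bare '{print $3}' would have fed to cp.
libs=$(ldd ${CHROOT}/usr/local/sbin/* \
        | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' \
        | sort -u)
for lib in $libs /usr/lib/ld.so.1
do
    cp "$lib" "${CHROOT}/usr/lib" || exit 1
done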

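# Host configuration files the jail needs private copies of.  The names are
# relative to /etc, so copy from there (not from the current directory) and
# keep default/init in its own subdirectory instead of flattening it to
# ${CHROOT}/etc/init.
for file in netconfig nsswitch.conf resolv.conf default/init
do
    mkdir -p "${CHROOT}/etc/$(dirname "$file")"
    cp "/etc/$file" "${CHROOT}/etc/$file" || exit 1
done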

make the dev files...