# $Id: chroot-named-solaris,v 1.2 2003/08/05 20:09:15 dlbewley Exp $
# Setup of BIND named in chroot jail on Solaris 9
# Dale Bewley
# This is based on info from a couple of sites:
# http://www.brandonhutchinson.com/Solaris_7_chroot_jail.html
# http://www.cymru.com/Documents/secure-bind-template.html
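# This is where we'll be restricted to
CHROOT=/opt/jail/named
# create user and group for named. The account gets /bin/false as its shell
# so it cannot be used for an interactive login; named only needs the uid/gid.
groupadd -g 53 named
useradd -c "BIND DNS daemon" -d "$CHROOT" -g named -u 53 -s /bin/false named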
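## Setup the Chroot
# use setup_chroot from http://www.bewley.net/solaris/setup_chroot
setup_chroot "$CHROOT" || { echo "setup_chroot $CHROOT failed" >&2; exit 1; }
# this misses a couple of libraries; stop on a failed copy rather than let
# named fail later inside the jail with a missing shared object
for file in \
  /usr/lib/libpthread.so.1 \
  /usr/lib/libthread.so.1 \
  /usr/lib/libmd5.so
do
  cp "$file" "${CHROOT}/usr/lib" || { echo "cannot copy $file" >&2; exit 1; }
done
# and it misses a couple of necessary dev files. The major/minor numbers are
# the Solaris 9 ones from these notes; compare them with
# `ls -lL /dev/null /dev/log /dev/conslog` on the host before reusing them.
# Existing nodes are left alone so this section can be re-run.
[ -c "${CHROOT}/dev/null" ]    || mknod "${CHROOT}/dev/null" c 13 2
[ -c "${CHROOT}/dev/log" ]     || mknod "${CHROOT}/dev/log" c 21 5
[ -c "${CHROOT}/dev/conslog" ] || mknod "${CHROOT}/dev/conslog" c 21 0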
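# create passwd in chroot: copy only the named and root entries. The pattern
# is anchored on the login name so an account whose name or GECOS field merely
# contains "root" or "named" does not end up inside the jail (password hashes
# live in /etc/shadow, which is not copied)
egrep '^(named|root):' /etc/passwd >> "${CHROOT}/etc/passwd"
# i suppose you could be more picky with the group file
cp /etc/group "${CHROOT}/etc"
# setup some directories for zone files and etc.
mkdir -p "${CHROOT}/var/named/master"
mkdir -p "${CHROOT}/var/named/secondary"
mkdir -p "${CHROOT}/var/run"
# named (uid 53) needs to write under var: secondary/ for the zones it pulls
# in and run/ for named.pid (which the init script's stop action reads)
chown -R named:named "${CHROOT}/var"
chmod -R 770 "${CHROOT}/var"
# ... but not master/: keep the primary zone files owned by root so a
# compromised named cannot rewrite them. (A master zone that accepts dynamic
# updates needs a directory named can write; give such a zone its own.)
chown root:named "${CHROOT}/var/named/master"
chmod 750 "${CHROOT}/var/named/master"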
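# install bind
# you might snag a bind pkg from http://www.sunfreeware.com if you are so inclined
# (check the package against its published checksum before adding it)
pkgadd -R "$CHROOT" -d bind-9.2.2-sol9-sparc-local || exit 1
# make bind utils more easily available. Note that root on the host then
# executes binaries that live inside the jail, so ${CHROOT}/usr/local must stay
# root-owned and unwritable by named (only ${CHROOT}/var is handed to named
# above); re-check that after any pkgadd/pkgrm in the jail.
for file in dig host nslookup; do
  ln -s "${CHROOT}/usr/local/bin/$file" "/usr/local/bin/$file"
done
for file in dnssec-keygen dnssec-makekeyset dnssec-signkey dnssec-signzone \
    named-checkconf named-checkzone rndc rndc-confgen; do
  ln -s "${CHROOT}/usr/local/sbin/$file" "/usr/local/sbin/$file"
done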
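# you might also add ${CHROOT}/usr/local/man to your MANPATH
# create a config file in ${CHROOT}/etc/named.conf
# you might use this one as a start http://www.cymru.com/Documents/secure-bind-template.html
ln -s "${CHROOT}/etc/named.conf" /etc/named.conf
# make it more convenient to get to the zone files
# (the zone directory created above is ${CHROOT}/var/named; the earlier
# version of these notes linked to a non-existent ${CHROOT}/named/var/named)
ln -s "${CHROOT}/var/named" /var/named
# also setup an rndc.conf and make all configs private
cd "$CHROOT" || exit 1
# generate the rndc shared secret. The Krndc.*.private file written into the
# jail root holds the secret in the clear: once it is in rndc.conf (root only,
# mode 0600) and named.conf, remove the K* files from ${CHROOT}.
dnssec-keygen -a HMAC-MD5 -b 256 -n HOST rndc
# assumes a single key file; if dnssec-keygen was run more than once, pick the
# file for the key you actually configured
KEY=`grep '^Key:' Krndc.*.private | awk '{print $2}'`
# put the key into your rndc.conf file something like this:
# key "rndckey" {
# algorithm "hmac-md5";
# secret "${KEY}";
# };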
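# create a root nameserver hints file; bail out on an empty file (dig failed or
# could not resolve) rather than start named without any root servers
dig . ns > "${CHROOT}/var/named/db.cache"
[ -s "${CHROOT}/var/named/db.cache" ] || { echo "db.cache is empty" >&2; exit 1; }
# start named. i couldn't get -t to work
# the command path is interpreted inside the new root, so it is
# /usr/local/sbin/named there, not ${CHROOT}/usr/local/sbin/named (this is
# also what the init script below runs)
chroot "$CHROOT" /usr/local/sbin/named -c /etc/named.conf -u 53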
# install a startup script in /etc/init.d:
################################################################################
#!/sbin/sh
#
# Dale Bewley
# Thu Jul 31 08:49:37 PDT 2003
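CHROOT=/opt/jail/named
case "$1" in
'start')
	# as other Solaris rc scripts do: when coming from run level 2 or 3
	# named is already running, so there is nothing to start
	if [ -z "$_INIT_PREV_LEVEL" ]; then
		set -- `/usr/bin/who -r`
		_INIT_PREV_LEVEL="$9"
	fi
	case "$_INIT_PREV_LEVEL" in
	2|3) exit 0 ;;
	esac
	echo 'starting named'
	# the named path is relative to the new root; -u 53 makes named switch
	# to the named user once it is up
	/usr/local/bin/chroot "$CHROOT" /usr/local/sbin/named -c /etc/named.conf -u 53
	;;
'stop')
	echo 'stopping named'
	# ${CHROOT}/var/run/named.pid sits in a directory named itself can write,
	# so its contents are not trusted: a compromised named could store any pid
	# there and have root kill that process. Signal only processes called
	# "named" that run as the named user instead (TERM, as before).
	/usr/bin/pkill -x -u named named
	;;
'reload')
	/usr/local/sbin/rndc reload
	;;
'restart')
	$0 stop
	$0 start
	;;
*)
	echo "Usage: $0 { start | stop | reload | restart }"
	exit 1
esac
exit 0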
################################################################################
# link it into /etc/rc2.d so it starts at bootup
## END ##
# Stop here! The rest of this is a collection of incomplete notes and thoughts
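## We might be able to do something like this instead of using the setup_chroot script
# get all the necessary libraries. ldd prints a "file:" header line per
# binary when given several, so keep only the "lib => /path" lines.
# (untested; a library ldd reports as "(file not found)" still makes cp fail
# loudly here, which is what you want)
for lib in `ldd ${CHROOT}/usr/local/sbin/* | awk '$2 == "=>" {print $3}' | sort -u` \
  /usr/lib/ld.so.1
do
  cp "$lib" "${CHROOT}/usr/lib"
done
# config files the jail needs; they are copied from /etc (the earlier version
# of this loop also lacked the line continuation after "in") and keep their
# relative path, so default/init lands in ${CHROOT}/etc/default/init
for file in \
  netconfig \
  nsswitch.conf \
  resolv.conf \
  default/init
do
  mkdir -p `dirname "${CHROOT}/etc/$file"`
  cp "/etc/$file" "${CHROOT}/etc/$file"
done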
# TODO: make the dev files...