
 
From: Brian Kejser (bkejseryahoo.com)
Date: Thu Oct 11 2001 - 08:07:40 CDT


    Hi
     
    Have you ever considered running bind in a chroot
    jail?
     
    I have included the "poorly documented" install script
    we use for our installs.
     
    Please Note: I will not provide any support on this
    script so don't bother asking me.
     
    Does anyone know of any security holes in bind 8.2.3?
     
     
     
     
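    #!/bin/sh
    # Build BIND 8 from /tmp/bind-src.tar.gz and install the daemon into a
    # /chroot/named jail, run by an unprivileged "named" account, on a
    # Red Hat style system (chkconfig, /etc/rc.d/init.d).  Must run as root
    # from the directory holding named.conf, namedb/ and the "named" init
    # script.  The source tarball is read from world-writable /tmp: verify
    # its checksum or signature against the ISC release before running this.
    set -e

    SRC=/usr/src/bind/src
    JAIL=/chroot/named
    NAMED_UID=200
    NAMED_GID=200
    # glibc version whose loader and libc are copied into the jail; must match
    # the host (see /lib/libc-*.so), otherwise the copied named will not start.
    LIBC_VER=2.1.3

    # sed_inplace EXPR FILE: apply a sed expression to FILE in place, going
    # through a private mktemp file rather than a predictable /tmp/.viscript
    # that another local user could pre-create or symlink while root runs this.
    # The target is rewritten with cat (not mv) so its owner and mode survive,
    # and only after sed succeeded, so it is never left half-written.
    sed_inplace() {
        tmp=$(mktemp /tmp/bind-edit.XXXXXX) || exit 1
        sed -e "$1" -- "$2" > "$tmp"
        cat -- "$tmp" > "$2"
        rm -f -- "$tmp"
    }

    # uncompress (keeps the .gz; --directory is GNU tar)
    if [ ! -d /usr/src/bind ]; then
        mkdir -p /usr/src/bind
        gunzip -c /tmp/bind-src.tar.gz | tar -xf - --directory=/usr/src/bind
    fi

    # rewrite every /var/run in the linux port settings to live inside the
    # jail; skipped when the file already mentions the jail path (idempotent)
    if ! grep -q "$JAIL/var/run" "$SRC/port/linux/Makefile.set"; then
        sed_inplace "s|/var/run|$JAIL/var/run|g" "$SRC/port/linux/Makefile.set"
    fi

    # add the ndc socket path right after the pathnames.h include unless
    # named.h already defines it
    if ! grep -q '_PATH_NDCSOCK' "$SRC/bin/named/named.h"; then
        sed_inplace '/"pathnames.h"/a #define _PATH_NDCSOCK "/var/run/ndc"' "$SRC/bin/named/named.h"
    fi

    # build (set -e aborts here on a compile failure instead of installing
    # whatever stale binaries are lying around)
    make --directory="$SRC" -s clean
    make --directory="$SRC" -s

    # jail layout; mkdir -p makes this safe to re-run
    for d in dev bin etc etc/namedb lib var var/run; do
        mkdir -p "$JAIL/$d"
    done

    # unprivileged account named runs as: no login shell, home inside the jail.
    # Entries are appended directly (as the original did); useradd/groupadd
    # would also keep /etc/shadow consistent on a shadow-password system.
    if ! grep -q '^named:' /etc/passwd; then
        echo "named:x:$NAMED_UID:$NAMED_GID:Nameserver:$JAIL:/bin/false" >> /etc/passwd
    fi
    if ! grep -q '^named:' /etc/group; then
        echo "named:x:$NAMED_GID:" >> /etc/group
    fi

    # config files; the jail gets its own minimal group file
    cp -f namedb/* "$JAIL/etc/namedb/"
    cp -f named.conf "$JAIL/etc/named.conf"
    cp -f /etc/localtime "$JAIL/etc"
    echo "named:x:$NAMED_GID:" > "$JAIL/etc/group"

    # named owns only its zone directory and pid directory; everything else
    # in the jail stays root-owned so a compromised named cannot rewrite it
    chown named:named "$JAIL/var/run"
    chown -R named:named "$JAIL/etc/namedb"

    # loader and libc the dynamically linked named needs inside the jail
    cp -fp "/lib/libc-$LIBC_VER.so" "$JAIL/lib"
    ln -sf "libc-$LIBC_VER.so" "$JAIL/lib/libc.so.6"
    cp -fp "/lib/ld-$LIBC_VER.so" "$JAIL/lib"
    ln -sf "ld-$LIBC_VER.so" "$JAIL/lib/ld-linux.so.2"

    # /dev/null inside the jail
    [ -e "$JAIL/dev/null" ] || mknod "$JAIL/dev/null" c 1 3

    # have syslogd listen on an extra socket inside the jail so named can log
    if ! grep -q "$JAIL/dev/log" /etc/rc.d/init.d/syslog; then
        sed_inplace "s|daemon syslogd -m 0|daemon syslogd -m 0 -a $JAIL/dev/log|g" /etc/rc.d/init.d/syslog
    fi

    # init script
    cp -f named /etc/rc.d/init.d/named
    chmod 755 /etc/rc.d/init.d/named

    # register with chkconfig once, then enable for runlevel 3
    if ! chkconfig --list | grep -q '^named[[:space:]]'; then
        chkconfig --add named
    fi
    chkconfig --level 3 named on

    # freshly built binaries into the jail (root-owned, not writable by named)
    cp -f "$SRC/bin/named/named" "$JAIL/bin"
    cp -f "$SRC/bin/named-xfer/named-xfer" "$JAIL/bin"

    # start the services
    /etc/rc.d/init.d/syslog restart
    /etc/rc.d/init.d/named start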

    _______________________________________________________
    Do You Yahoo!?
    Get your free yahoo.ca address at http://mail.yahoo.ca