Bind9 in jail
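#! /bin/sh
# bind9-chroot.sh: bind9 in jail
# github(at)skrynnyk.pl
#
# Moves the Debian BIND9 config directory (/etc/bind) and log directory
# (/var/log/named) under $CHROOTDIR, creates the device nodes named needs
# inside the jail, and leaves symlinks at the old locations so package
# upgrades keep working.  Must be run as root.  The remaining manual steps
# (init-script options, syslog socket inside the jail) are printed at the end.
#
# Written for POSIX sh (Debian /bin/sh is dash): no brace expansion, no [[ ]],
# no arrays.  Every filesystem step is checked; a failure aborts the script
# rather than leaving a half-moved configuration behind.
set -eu

# Jail root; may be overridden from the environment, default as before.
CHROOTDIR=${CHROOTDIR:-/var/lib/named}
readonly CHROOTDIR

# Print a message to stderr and abort with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print a step heading in the same "# ..." style the original script used.
step() {
  printf '\n# %s\n' "$*"
}

# Refuse to touch an existing jail: re-running would try to move /etc/bind
# (by then a symlink into the jail) onto itself.
if [ -d "$CHROOTDIR" ]; then
  die "*** $CHROOTDIR exists."
fi
[ "$(id -u)" -eq 0 ] || die "*** must be run as root."

# ------------------------------------------------------------------------------
step 'Stop the BIND:'
# Do not move the config out from under a running daemon.
/etc/init.d/bind9 stop || die "*** could not stop bind9; nothing has been moved."

# ------------------------------------------------------------------------------
step 'Create the necessary directories under /var/lib:'
# Each path spelled out: brace expansion is not available in POSIX sh.
mkdir -p -- \
  "$CHROOTDIR/etc" \
  "$CHROOTDIR/dev" \
  "$CHROOTDIR/var/cache/bind" \
  "$CHROOTDIR/var/run/bind/run" \
  "$CHROOTDIR/var/log/named"

step 'Make null and random devices, and fix permissions of the directories:'
# Linux character-device numbers: null is 1,3 and random is 1,8.
mknod -- "$CHROOTDIR/dev/null" c 1 3
mknod -- "$CHROOTDIR/dev/random" c 1 8
# Two explicit paths: "$CHROOTDIR/dev/{null,random}" is a literal name in sh,
# not an expansion, so the old form silently left the devices at mknod's
# default mode.
chmod 666 "$CHROOTDIR/dev/null" "$CHROOTDIR/dev/random"
# Only the var tree belongs to the daemon; /etc stays root-owned (see below).
chown -R bind:bind "$CHROOTDIR"/var/*

step "Then move the config directory from /etc to $CHROOTDIR/etc:"
[ -d /etc/bind ] || die "*** /etc/bind not found; is bind9 installed?"
mv -- /etc/bind "$CHROOTDIR/etc"
# Left commented on purpose: the config should stay root-owned so a
# compromised named cannot rewrite its own options or zone files.
#chown -R bind:bind $CHROOTDIR/etc/bind

step 'Create a symlink to the new config directory from the old location (to avoid
# problems when bind is upgraded in the future):'
ln -s -- "$CHROOTDIR/etc/bind" /etc/bind

step "Move the log directory from /var/log/named to $CHROOTDIR/var/log/named:"
if [ -d /var/log/named ]; then
  # The target directory already exists (created above), and mv would nest the
  # old directory inside it as .../var/log/named/named.  Drop the empty
  # placeholder first so the old directory takes its place.
  rmdir -- "$CHROOTDIR/var/log/named"
  mv -- /var/log/named "$CHROOTDIR/var/log/named"
  chown -R bind:bind "$CHROOTDIR/var/log/named"
else
  printf '%s\n' "*** /var/log/named does not exist; using the empty directory created above." >&2
fi

step 'Create a symlink to the new log directory:'
ln -s -- "$CHROOTDIR/var/log/named" /var/log/named

# ------------------------------------------------------------------------------
# Unquoted delimiter so $CHROOTDIR expands; \$ keeps the rsyslog directive
# name literal.
cat <<EOF

# ------------------------------------------------------------------------------
#
# AND NOW FOR SOMETHING COMPLETELY DIFFERENT
#
# Edit the startup script /etc/init.d/bind9 (/etc/default/bind9) so that the
# daemon will run as the unprivileged user 'bind', chrooted to $CHROOTDIR.
# Modify the line:
# OPTS=""
# so that it reads:
# OPTS="-u bind -t $CHROOTDIR"
# We need to modify the startup script of sysklogd/rsyslogd so that we can
# still get important messages logged to the system logs.
# SYSKLOGD
# (/etc/init.d/sysklogd or /etc/default/sysklogd)
# Modify the line:
# SYSLOGD=""
# so that it reads:
# SYSLOGD="-a $CHROOTDIR/dev/log":
# Restart the logging daemon:
# /etc/init.d/sysklogd restart
# RSYSLOGD
# echo '\$AddUnixListenSocket ${CHROOTDIR}/dev/log' >>/etc/rsyslog.d/bind9-chroot.conf
# (\$AddUnixListenSocket is the legacy directive; newer rsyslog releases spell
# it input(type="imuxsock" Socket="${CHROOTDIR}/dev/log") after loading imuxsock.)
# Restart the logging daemon:
# /etc/init.d/rsyslog restart
# or
# invoke-rc.d rsyslog restart
# Start up Bind:
# /etc/init.d/bind9 start
# or
# invoke-rc.d bind9 restart
# and check /var/log/syslog for any errors.
EOF
# ------------------------------------------------------------------------------
#EOF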