This was taken from http://www.fxp.org/jedgar/misc/bind.jail.txt
but I added a step or two that he skipped.
To set up jail'd bind (this assumes a jail dir of /home/jail/bind):
- checkout the following:
cvs co -PA -rRELENG_4 src/contrib/bind \
src/lib/libbind \
src/lib/libisc \
src/libexec/named-xfer \
src/usr.sbin/named
- create all necessary directories
mkdir -p /home/jail/bind/etc/namedb
mkdir -p /home/jail/bind/usr/libexec
mkdir -p /home/jail/bind/usr/sbin
mkdir -p /home/jail/bind/var/run
mkdir -p /home/jail/bind/var/tmp
mkdir -p /home/jail/bind/var/log
mkdir -p /home/jail/bind/dev
chmod -R 750 /home/jail/bind
chown -R root:bind /home/jail/bind
mknod /home/jail/bind/dev/null c 2 2 0:0
chmod 666 /home/jail/bind/dev/null
ln -fs /home/jail/bind/var/run/ndc /var/run
ln -fs /home/jail/bind/var/log named
ln -fs /home/jail/bind/etc/namedb /etc/namedb
- compile/install the static binaries:
cd src/lib/libbind && make obj && make depend && \
make NOMAN=YES NOSHARED=YES NOPROFILE=YES all
cd ../libisc && make obj && make depend && \
make NOMAN=YES NOSHARED=YES NOPROFILE=YES all
cd ../../libexec/named-xfer && make obj && make depend && \
make NOMAN=YES NOSHARED=YES BINDIR=/home/jail/bind/usr/libexec \
all install
cd ../../usr.sbin/named && make obj && make depend && \
make NOMAN=YES NOSHARED=YES BINDIR=/home/jail/bind/usr/sbin \
all install
- copy configs to /home/jail/bind/etc/namedb
edit configs to point logs to /var/log
edit configs to use the right IP address or "any;"
- create minimal /etc/{group,hosts,master.passwd,passwd} in /home/jail/bind/etc:
group:
wheel:*:0:root
bind:*:53:
master.passwd:
root:*:0:0::0:0:r00t:/:/dev/null
bind:*:53:53::0:0:Bind Sandbox:/:/dev/null
hosts:
w.x.y.z hostname.example.com hostname
passwd:
root:*:0:0:r00t:/:/dev/null
bind:*:53:53:Bind Sandbox:/:/dev/null
and rebuild the password DBs:
pwd_mkdb -d /home/jail/bind/etc master.passwd
and verify permissions in /home/jail/bind/etc are something like:
-rw-r----- 1 root bind 26 Feb 7 23:29 group
-rw-r----- 1 root bind 89 Feb 7 23:29 hosts
-rw------- 1 root bind 88 Feb 7 23:29 master.passwd
drwxr-x--- 2 root bind 512 Feb 7 23:29 namedb
-rw-r----- 1 root bind 78 Feb 7 23:29 passwd
-rw-r----- 1 root bind 40960 Feb 7 23:29 pwd.db
-rw------- 1 root bind 40960 Feb 7 23:29 spwd.db
- place 'ln -fs /home/jail/bind/var/run/ndc /var/run/ndc' in /etc/rc.local
to allow ndc(8) to find the correct socket without having to specify the
-c option (you may not want to do this if you have multiple jail'd binds)
- add "-l /home/jail/bind/var/run/log" to syslogd_flags in /etc/rc.conf
(and restart syslogd with the added args)
- execute: jail /home/jail/bind <hostname> <ip> /usr/sbin/named -u bind -g bind
also, you may wish to add the following to /etc/rc.conf:
named_enable="YES"
named_flags="-u bind -g bind"
named_program="jail /home/jail/bind <hostname> <ip> /usr/sbin/named"
- you may need to copy /etc/localtime to /home/jail/bind/etc/localtime in order
for the correct times to be logged
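As an added check (my own, not part of the original howto), a small sh function that walks a finished jail and reports anything that deviates from the layout and permissions described above; the jail directory is passed as its argument, and the checks assume the directory names used in the steps above.

```shell
#!/bin/sh
# check_bind_jail: sanity-check a jailed-bind skeleton laid out as in the
# steps above. Prints one line per problem and returns the number of
# problems (0 = looks right). Hypothetical helper, not from the original
# howto.  Usage: check_bind_jail /home/jail/bind
check_bind_jail() {
    jail=$1
    problems=0
    note() { echo "$1"; problems=$((problems + 1)); }

    # every directory the mkdir -p steps create
    for d in etc/namedb usr/libexec usr/sbin var/run var/tmp var/log dev; do
        [ -d "$jail/$d" ] || note "missing directory: $jail/$d"
    done

    # /dev/null (mknod c 2 2) is the only device node named needs
    [ -c "$jail/dev/null" ] || note "$jail/dev/null is not a character device"

    # the static binaries installed with BINDIR= pointing into the jail
    for b in usr/sbin/named usr/libexec/named-xfer; do
        [ -x "$jail/$b" ] || note "missing or not executable: $jail/$b"
    done

    # account files: nothing in etc may be readable by "other"; the files
    # that carry password hashes (starred or not) must be root-only
    for f in group hosts passwd pwd.db master.passwd spwd.db; do
        if [ ! -e "$jail/etc/$f" ]; then
            note "missing file: $jail/etc/$f"
            continue
        fi
        mode=$(ls -ld "$jail/etc/$f")
        other=$(echo "$mode" | cut -c8-10)
        [ "$other" = "---" ] || note "world-accessible: $jail/etc/$f ($other)"
        case $f in
        master.passwd|spwd.db)
            grp=$(echo "$mode" | cut -c5-7)
            [ "$grp" = "---" ] || note "group-accessible: $jail/etc/$f ($grp)"
            ;;
        esac
    done

    # a setuid binary inside the jail would hand a compromised named
    # a way back to root within the jail
    setuid=$(find "$jail" -type f -perm -4000 2>/dev/null)
    [ -z "$setuid" ] || note "setuid file(s) inside the jail: $setuid"
    return $problems
}
# run against the jail directory given on the command line
if [ $# -gt 0 ]; then check_bind_jail "$1"; fi
```

Run it as root after the install steps so that the permission checks see the same view named will; anything it prints is a deviation from the listing above.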