> Is it possible to perform an installation of chrooted bind? That is, can
> I do rpm -ivh --prefix=<chroot> bind?
>
> I have a problem with the updated files for bind. It is not able to
> perform named-xfers... That is:
> 1. I have the chroot directory installed.
> 2. Modified /etc/init.d/named so that it reads:
> daemon named -u named -g named -t <chroot>
> 3. Added the file /usr/sbin/named-xfer to <chroot>/usr/sbin/named-xfer with
> permissions 0755.
> 4. Restarted the server and got the message:
> Nov 14 13:11:49 www named[6343]: chrooted to <chroot>
> Nov 14 13:11:49 www named[6343]: group = named
> Nov 14 13:11:49 www named[6343]: user = named
> Nov 14 13:11:49 www named[6343]: Ready to answer queries.
> Nov 14 13:11:49 www named[6346]: can't exec /usr/sbin/named-xfer: Permission denied
> in syslog
> 5. How??
I use user 'dns' instead of 'named' so as not to confuse it with the program.
Here's a listing of user 'dns'...
# ls -l /home/dns
drwx------ 2 dns dns 4096 Sep 9 12:13 dev/
drwx------ 2 dns dns 4096 Nov 2 12:32 etc/
drwx------ 2 dns dns 4096 Nov 11 10:29 lib/
drwx------ 3 dns dns 4096 Sep 4 17:30 usr/
drwx------ 5 dns dns 4096 Nov 11 10:33 var/
### Each program/file is copied from the system so that it has 'dns' permission
### and any compromise is restricted to user 'dns'.
-rw-r--r-- 1 dns dns 2048 Nov 2 12:32 /home/dns/etc/named.conf
-rwxr-x--- 1 dns dns 5262426 Sep 5 18:33 /home/dns/lib/libc.so.6*
-rwxr-x--- 1 dns dns 483816 Sep 5 18:33 /home/dns/lib/ld-linux.so.2*
crw-rw-r-- 1 dns dns 1, 3 Sep 4 17:30 /home/dns/dev/null
-rwxr-x--- 1 dns dns 583356 Nov 10 14:09 /home/dns/usr/sbin/named*
-rwxr-x--- 1 dns dns 309116 Nov 10 14:09 /home/dns/usr/sbin/named-xfer*
-rwxr-x--- 1 dns dns 39708 Nov 10 14:09 /home/dns/usr/sbin/ndc*
lrwxrwxrwx 1 dns dns 18 Nov 11 10:33 /home/dns/var/named.log -> /var/log/named.lo
-rw-r----- 1 dns dns 2769 Sep 4 04:07 /home/dns/var/named/named.ca
-rw-r----- 1 dns dns 330 Nov 2 11:11 /home/dns/var/named/named.local
-rw-r----- 1 dns dns 828 Nov 2 11:16 /home/dns/var/named/com.mysite
-rw-r----- 1 dns dns 0 Nov 11 10:41 /home/dns/var/lock/subsys/named
### I also made these links (ln -s) to make sure things point to the right place.
/etc/named.conf -> /home/dns/etc/named.conf
/var/named -> /home/dns/var/named/
### I modified /etc/rc.d/init.d/named (latest bind security fix) to look like this...
### (Perhaps Mandrake can make similar changes)
#!/bin/sh
#
# named          This shell script takes care of starting and stopping
#                named (BIND DNS server).
#
# chkconfig: 2345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Directory tree owned by the unprivileged 'dns' user; every path below
# is resolved relative to it.
CHROOT=/home/dns

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f $CHROOT/usr/sbin/named ] || exit 0
[ -f $CHROOT/etc/named.conf ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting named: "
        # Runs the copy inside $CHROOT as user/group dns. Note that without
        # named's -t option the process is not actually chrooted; the
        # symlinks /etc/named.conf and /var/named are what make the paths
        # resolve.
        daemon $CHROOT/usr/sbin/named -u dns -g dns
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch $CHROOT/var/lock/subsys/named
        echo
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc $CHROOT/usr/sbin/named
        RETVAL=$?
        [ $RETVAL -eq 0 ] && rm -f $CHROOT/var/lock/subsys/named
        echo
        ;;
  status)
        $CHROOT/usr/sbin/ndc status
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  reload)
        $CHROOT/usr/sbin/ndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        $CHROOT/usr/sbin/ndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: $0 {start|stop|status|restart|reload|probe}"
        exit 1
esac

exit $RETVAL
### This has been working well for me.
Thanks... Dan.
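The "can't exec /usr/sbin/named-xfer: Permission denied" message in the original question and the /home/dns listing in the reply both come down to the same thing: every file the daemon needs must exist inside the tree, with the right type and mode bits, owned by the unprivileged user. The script below is an added example (not part of either post) that checks a tree laid out like /home/dns before named is started. The function name check_bind_chroot and its output format are this example's own; the paths it checks are the ones shown in the listing above.

```shell
# Added example, not from the original post: pre-start check for a BIND 8
# chroot tree laid out like the /home/dns listing above.
#
# Usage: check_bind_chroot <chroot-dir>
# Prints one line per problem found and returns the number of problems
# (0 means the tree looks usable).
check_bind_chroot() {
    _root=$1
    _n=0

    # named execs named-xfer from inside the tree; if the copy is missing
    # or not executable, syslog shows "can't exec ...: Permission denied".
    for _bin in usr/sbin/named usr/sbin/named-xfer usr/sbin/ndc; do
        if [ ! -f "$_root/$_bin" ]; then
            echo "MISSING   $_root/$_bin"; _n=$((_n + 1))
        elif [ ! -x "$_root/$_bin" ]; then
            echo "NOEXEC    $_root/$_bin (chmod 0750, chown to the dns user)"; _n=$((_n + 1))
        fi
    done

    # Dynamically linked binaries also need the loader and libc copied in,
    # or exec fails inside the chroot even with the right mode bits.
    for _lib in lib/ld-linux.so.2 lib/libc.so.6; do
        [ -f "$_root/$_lib" ] || { echo "MISSING   $_root/$_lib"; _n=$((_n + 1)); }
    done

    # Configuration and zone directory.
    [ -f "$_root/etc/named.conf" ] || { echo "MISSING   $_root/etc/named.conf"; _n=$((_n + 1)); }
    [ -d "$_root/var/named" ]      || { echo "MISSING   $_root/var/named/"; _n=$((_n + 1)); }

    # /dev/null must be a character device (mknod ... c 1 3, as in the
    # listing); a plain file left behind by a careless cp will not do.
    [ -c "$_root/dev/null" ] || { echo "NOTCDEV   $_root/dev/null"; _n=$((_n + 1)); }

    # Nothing in the tree should be writable by other users, or another
    # local account could replace the binaries the daemon execs.
    # (Word-splitting on the find output is fine here: the tree has no
    # paths with spaces.)
    for _f in $(find "$_root" ! -type l -perm -0002 2>/dev/null); do
        echo "WORLDWRIT $_f"; _n=$((_n + 1))
    done

    return $_n
}

# Run against the directory given on the command line, e.g.
#   sh check_bind_chroot.sh /home/dns
if [ -n "$1" ]; then
    check_bind_chroot "$1" && echo "OK: $1"
fi
```

Running it as root against /home/dns before the init script's start action gives a one-screen answer to "why can't named exec named-xfer?" without reading through syslog; the return value can also be used directly from an init script to refuse to start on a broken tree.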