I did not have this problem with previous installations of bind. I had
this "can't exec /usr/sbin/named-xfer" only when I updated to 8.2.2P7.
Anyway, I give a better way for the init.d script below, and just about
every program there should be chrooted.
I modified syslog to read "daemon syslog -m 0 -a /home/named/dev/log" so that
the log messages appear in my main log files.
Not really a lot of difference between your system and mine, so it is not
clear why mine is not execing /usr/sbin/named-xfer.
Ciao
ST Lim
On Wed, 15 Nov 2000, Daniel Woods wrote:
>> Is it possible to perform an installation of chrooted bind? That is, can
>> I do rpm -ivh --prefix=<chroot> bind?
>>
>> I have a problem with the updated files for bind. It is not able to
>> perform named-xfers... That is:
>> 1. I have the chroot directory installed.
>> 2. Modified /etc/init.d/named so that it reads:
>> daemon named -u named -g named -t <chroot>
>> 3. Added the file /usr/sbin/named-xfer to <chroot>/usr/sbin/named-xfer with
>> permissions 0755.
>> 4. Restarted the server and got the message:
>> Nov 14 13:11:49 www named[6343]: chrooted to <chroot>
>> Nov 14 13:11:49 www named[6343]: group = named
>> Nov 14 13:11:49 www named[6343]: user = named
>> Nov 14 13:11:49 www named[6343]: Ready to answer queries.
>> Nov 14 13:11:49 www named[6346]: can't exec /usr/sbin/named-xfer: Permission denied
>> in syslog
>> 5. How??
>
>I use user 'dns' instead of 'named' so as not to confuse it with the program.
>
>Here's a listing of user 'dns'...
># ls -l /home/dns
>drwx------ 2 dns dns 4096 Sep 9 12:13 dev/
>drwx------ 2 dns dns 4096 Nov 2 12:32 etc/
>drwx------ 2 dns dns 4096 Nov 11 10:29 lib/
>drwx------ 3 dns dns 4096 Sep 4 17:30 usr/
>drwx------ 5 dns dns 4096 Nov 11 10:33 var/
>
>### Each program/file is copied from the system so that it has 'dns' permission
>### and any compromise is restricted to user 'dns'.
>-rw-r--r-- 1 dns dns 2048 Nov 2 12:32 /home/dns/etc/named.conf
>-rwxr-x--- 1 dns dns 5262426 Sep 5 18:33 /home/dns/lib/libc.so.6*
>-rwxr-x--- 1 dns dns 483816 Sep 5 18:33 /home/dns/lib/ld-linux.so.2*
>crw-rw-r-- 1 dns dns 1, 3 Sep 4 17:30 /home/dns/dev/null
>-rwxr-x--- 1 dns dns 583356 Nov 10 14:09 /home/dns/usr/sbin/named*
>-rwxr-x--- 1 dns dns 309116 Nov 10 14:09 /home/dns/usr/sbin/named-xfer*
>-rwxr-x--- 1 dns dns 39708 Nov 10 14:09 /home/dns/usr/sbin/ndc*
>lrwxrwxrwx 1 dns dns 18 Nov 11 10:33 /home/dns/var/named.log -> /var/log/named.lo
>-rw-r----- 1 dns dns 2769 Sep 4 04:07 /home/dns/var/named/named.ca
>-rw-r----- 1 dns dns 330 Nov 2 11:11 /home/dns/var/named/named.local
>-rw-r----- 1 dns dns 828 Nov 2 11:16 /home/dns/var/named/com.mysite
>-rw-r----- 1 dns dns 0 Nov 11 10:41 /home/dns/var/lock/subsys/named
>
>### I also made these links (ln -s) to make sure things point to the right place.
>/etc/named.conf -> /home/dns/etc/named.conf
>/var/named -> /home/dns/var/named/
>
>
>### I modified /etc/rc.d/init.d/named (latest bind security fix) to look like this...
>### (Perhaps Mandrake can make similar changes)
>
>#!/bin/sh
>#
># named          This shell script takes care of starting and stopping
>#                named (BIND DNS server).
>#
># chkconfig: 2345 55 45
># description: named (BIND) is a Domain Name Server (DNS) \
>#              that is used to resolve host names to IP addresses.
># probe: true
>
>CHROOT=/home/dns
>
># Source function library.
>. /etc/rc.d/init.d/functions
>
># Source networking configuration.
>. /etc/sysconfig/network
>
># Check that networking is up (quoted so an unset NETWORKING does not break the test).
>[ "${NETWORKING}" = "no" ] && exit 0
>
>[ -f $CHROOT/usr/sbin/named ] || exit 0
>
>[ -f $CHROOT/etc/named.conf ] || exit 0
>
>RETVAL=0
>
># See how we were called.
>case "$1" in
>  start)
>        # Start daemons.
>        echo -n "Starting named: "
>        daemon $CHROOT/usr/sbin/named -u dns -g dns
>        RETVAL=$?
>        [ $RETVAL -eq 0 ] && touch $CHROOT/var/lock/subsys/named
>        echo
>        ;;
>  stop)
>        # Stop daemons.
>        echo -n "Shutting down named: "
>        killproc $CHROOT/usr/sbin/named
>        RETVAL=$?
>        [ $RETVAL -eq 0 ] && rm -f $CHROOT/var/lock/subsys/named
>        echo
>        ;;
>  status)
>        $CHROOT/usr/sbin/ndc status
>        exit $?
>        ;;
>  restart)
>        $0 stop
>        $0 start
>        ;;
>  reload)
>        $CHROOT/usr/sbin/ndc reload
>        exit $?
>        ;;
>  probe)
>        # named knows how to reload intelligently; we don't want linuxconf
>        # to offer to restart every time
>        $CHROOT/usr/sbin/ndc reload >/dev/null 2>&1 || echo start
>        exit 0
>        ;;
>  *)
>        echo "Usage: $CHROOT/usr/sbin/named {start|stop|status|restart}"
>        exit 1
>        ;;
>esac
>
>exit $RETVAL
>
>
>### This has been working well for me.
>
>Thanks... Dan.
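Added example, not part of the thread: a small sh script that checks, from ownership and mode bits alone, whether the -u user can search every directory from the chroot root down to a binary such as usr/sbin/named-xfer and then execute it. This is the first thing to rule out for the "can't exec ...: Permission denied" message above, because named execs named-xfer after it has switched to the -u/-g user, so a chroot root of drwx------ owned by anyone else blocks everything below it. The chroot path, relative path, user and group are arguments; it assumes GNU or BSD `ls -ld` output and ignores ACLs, noexec mounts and symlinks.

```shell
#!/bin/sh
# Added example (not from the thread): check whether USER:GROUP can traverse
# CHROOT and execute CHROOT/REL, judging only by ownership and mode bits.
# Usage: check_exec_path /home/dns usr/sbin/named-xfer dns dns

# perm_ok FILE USER GROUP BIT  -- BIT is x (execute/search), r or w.
perm_ok() {
    set -- "$1" "$2" "$3" "$4" $(ls -ld "$1")   # $5=mode $7=owner $8=group
    if   [ "$7" = "$2" ]; then tri=$(printf '%s' "$5" | cut -c2-4)   # owner bits
    elif [ "$8" = "$3" ]; then tri=$(printf '%s' "$5" | cut -c5-7)   # group bits
    else                       tri=$(printf '%s' "$5" | cut -c8-10)  # other bits
    fi
    case "$4" in
        x) case "$tri" in *[xst]*) return 0 ;; esac ;;   # s or t imply x is set
        *) case "$tri" in *"$4"*)  return 0 ;; esac ;;
    esac
    return 1
}

# check_exec_path CHROOT REL USER GROUP -- prints the first failing path,
# returns 0 only if every component is searchable and REL is executable.
check_exec_path() {
    root=$1 rel=$2 user=$3 group=$4
    cur=$root
    perm_ok "$cur" "$user" "$group" x || { echo "not searchable by $user: $cur"; return 1; }
    oldifs=$IFS; IFS=/
    for comp in $rel; do
        IFS=$oldifs
        [ -n "$comp" ] || continue
        cur=$cur/$comp
        [ -e "$cur" ] || { echo "missing in chroot: $cur"; return 1; }
        perm_ok "$cur" "$user" "$group" x || { echo "no x bit for $user: $cur"; return 1; }
    done
    IFS=$oldifs
    echo "ok: $user can reach and execute $cur"
    return 0
}

if [ "$#" -eq 4 ]; then check_exec_path "$@"; fi
```

Run it as the named user would see it, e.g. `check_exec_path /home/dns usr/sbin/named-xfer named named`; a failure on the chroot root itself means the -u user and the directory owner do not match.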