also sprach Marco d'Itri (on Sun, 23 Sep 2001 11:47:33AM +0200):
> There are no packaging changes needed.
> To chroot bind you just have to fix $OPTS in /etc/init.d/bind9 and
> create the two mount binds I described earlier.
marco is right, following his advice, i just chrooted my bind in the
easiest fashion possible. i have always done it way too complicated
for i did not know about the mount --bind option. sure, this only works
with 2.4.x, but if any chroot changes to bind9 are going public, then
this will be bundled with a 2.4.x kernel-image, right? will testing be
2.4.x?

i am going to summarize the steps i took to chroot bind9:

  CHROOTDIR=/var/lib/bind
  # here i have to say that init.d/bind9 lists /var/lib/named, but since
  # Debian uses /etc/bind instead of the more common /etc/namedb, i
  # suggest going all the way.
  # also, init.d/bind9 suggests running as nobody. i find it better to
  # have a dedicated user for reasons like protecting reading of
  # rndc.conf and others.
  # lastly, i suggest making a directory /var/log/bind to place all
  # logfiles into, and amending named.conf

this is what debconf should do, if the user wants a chroot:

1) add a user "bind" with homedir $CHROOTDIR and /bin/false shell,
   member of group 'nogroup'

2) mkdir /var/log/bind
   chown -R bind.adm /var/log/bind
   chmod 2750 /var/log/bind

3) mkdir -p $CHROOTDIR/{var/{log/bind,run},etc/bind}
   chown -R bind.nogroup $CHROOTDIR
   chmod -R 2700 $CHROOTDIR

4) change $OPTS in init.d/bind9 to "-u bind -t $CHROOTDIR"

and this is what init.d/bind9 should do at every start, if chrooted

5) # bind_mount SRC DST: skip if DST already shows up in the mount table,
   # otherwise bind-mount SRC onto it
   function bind_mount() {
     mount | grep -q "$2" && return 1
     mount --bind "$1" "$2"
   }

   bind_mount /etc/bind $CHROOTDIR/etc/bind
   bind_mount /var/log/bind $CHROOTDIR/var/log/bind

and this is what init.d/bind9 should do at every stop, if chrooted

6) # bind_unmount DST: keep unmounting until umount fails, so stacked
   # bind mounts from repeated starts all go away
   function bind_unmount() {
     while umount "$1" >/dev/null 2>&1; do :; done
   }

   bind_unmount $CHROOTDIR/etc/bind
   bind_unmount $CHROOTDIR/var/log/bind

now, thanks to marco's ingenious hint, you have a chrooted bind, which
won't interfere with tripwire, which does not store anything changeable
on /var/lib, which happily logs

martin;              (greetings from the heart of the sun.)
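The start/stop helpers from steps 5 and 6 above, as an added example that is not code from the original post or from the Debian bind9 package: it checks the mount table by exact mount point instead of a substring grep, and counts stacked bind mounts so the stop side knows why it has to loop. It assumes Linux (/proc/mounts) and the $CHROOTDIR layout from the steps above; the sample mount table is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post: start/stop helpers for a
# chrooted bind9 that check the mount table by exact mount point and cope
# with stacked bind mounts. Assumes Linux (/proc/mounts) and the layout above.
CHROOTDIR=${CHROOTDIR:-/var/lib/bind}

# is_mounted MOUNTPOINT [TABLE]: exit 0 if MOUNTPOINT is an exact mount point
# in TABLE (default /proc/mounts). The post's `mount | grep -q $2` is a
# substring test, so it is also satisfied by e.g. /var/lib/bind/etc/bind-old.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# mount_depth MOUNTPOINT [TABLE]: number of mounts stacked on MOUNTPOINT.
# Running the start script twice without a stop stacks a second bind mount,
# which is why the stop side must loop rather than call umount once.
mount_depth() {
    awk -v mp="$1" '$2 == mp { n++ } END { print n + 0 }' "${2:-/proc/mounts}"
}

# bind_mount SRC DST: mount SRC on DST once; a second call is a no-op, not a stack.
bind_mount() {
    is_mounted "$2" && return 0
    mount --bind "$1" "$2"
}

# bind_unmount DST: peel off every stacked mount, and stop at the first real
# failure (busy mount point) instead of silently looping on the error.
bind_unmount() {
    while is_mounted "$1"; do
        umount "$1" || return 1
    done
}

# bind_opts: the $OPTS value step 4 puts into /etc/init.d/bind9.
bind_opts() { printf -- '-u bind -t %s\n' "$CHROOTDIR"; }

# Constructed /proc/mounts sample (not from a real host) to exercise the checks:
# one near-miss mount point name and one doubly-stacked log mount.
sample_table() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda1 /var/lib/bind/etc/bind-old ext3 rw 0 0
/dev/sda1 /var/lib/bind/var/log/bind ext3 rw 0 0
/dev/sda1 /var/lib/bind/var/log/bind ext3 rw 0 0
EOF
}
```

init.d/bind9 would call bind_mount /etc/bind "$CHROOTDIR/etc/bind" and bind_mount /var/log/bind "$CHROOTDIR/var/log/bind" at start, and the matching bind_unmount calls at stop; those need root, while the table checks can be tried against a saved copy of /proc/mounts.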