Linux Voodoo Corporation
About Us 866.309.4617 Tracking Shopping Cart Checkout
Shop Account Customer Care Services Resources
Overview Books Mailing Lists Search Howtos
 
  You are here: » Main » Howto's Log In  | Financing  
Swartz Creek, Michigan: Linux Voodoo offers Linux consulting (and support) services (both free and commercial), Linux compatible hardware and software reviews and sales, Linux servers and desktop, the Voodoo Linux distribution and hardening systems, Linux driver development, Linux news,chat, message boards, Linux embedded jobs, security advisories, Linux howto's and newbie information. linux download red hat directpc direct pc linux linux software linux driver linux tutorial linux mandrake mandrake linux linux command netapp linux mount windows source decss linux game linux hp suse linux linux downloads linux firewall linux server linux programming linux red hat wine linux linux ppt linux operating system embedded linux linux distribution corel linux free linux free linux download linux help force 10baset linux linux laptop reset linux scsi d kill tape /proc linux router linux pda linux wallpaper red hat linux download linux kernel linux router project linux iso linux howto linux how to linux os linux application linux certification linux web hosting linux hosting linux modem peanut linux nokia rs 232 linux modem setting linux for window linux free download linux documentation project linux sms1 linux call back linux problem reading directory linux boot disk linux theme linux cluster linux closing port linux security dialogic linux linux emulator linux training linux startup dual boot window 2000 linux linux magazine linux auto rpm realtek rtl8019 linux driver download robomon linux linux estrutura de diretorios 3c589d config linux timeservice linux linux samba linux dvd player linux .ppt mplayer near download and linux red hat linux 7.2 linux mail server free linux software linux hardwarelinux anti virus redmond linux linux modem driver linux vpn pic microcontroller linux programmer aol for linux linux review linux wireless
contact us: abuse@flonetwork.com webmaster@flonetwork.com info@webmaster@flonetwork.com spampoision@lnxvoodoo.com noc@sprint.net webmaster@lnxvoodoo.com wlad@lnxvoodoo.com michelle@lnxvoodoo.com ryan@lnxvoodoo.com bryan@lnxvoodo.com rambo@lnxvoodoo.com senioreditor@lnxvoodoo.com editor@lnxvoodoo.com
WOW on Linux, yes our gaming systems do include World of Warcraft for Linux! Linux Voodoo Gaming systems include one copy of World of Warcraft, 1 year paid subscription to Transgaming.com so you can play over 200 popular Windows games on our linux systems. Too good to be true? Try it out for yourself.
  Start shopping
Notebooks
notebooks 

 

Desktops
desktops 

 

Servers
servers 

 

Appliances
appliances 

 

Accessories
accessories 

 

Software
software 
Howto's  
Next Previous Contents

2. Preparing the Jail

2.1 Creating a User

As mentioned in the introduction, it's not a good idea to run BIND as root. So, before we begin, let's create a separate user for BIND. Note that you should never use an existing generic user like nobody for this purpose. However, some distributions, such as SuSE and Linux Mandrake have started providing a specific user (generally called named); you can simply adapt this user for our purposes, if you like.

This requires adding a line something like the following to /etc/passwd: 

named:x:200:200:Nameserver:/chroot/named:/bin/false
And one like this to /etc/group: 
named:x:200:
This creates a user and group called named for BIND. Make sure that the UID and GID (both 200 in this example) are unique on your system. The shell is set to /bin/false because this user will never need to log in.

2.2 Directory Structure

Now, we must set up the directory structure that we will use for the chroot jail in which BIND will live. This can be anywhere on your filesystem; the truly paranoid may even want to put it on a separate volume. I shall assume that you will use /chroot/named. Let's start by creating the following directory structure: 

/chroot
  +-- named
       +-- bin
       +-- dev
       +-- etc
       |    +-- namedb
       +-- lib
       +-- var
            +-- run

2.3 Placing the BIND Data

Assuming that you have already done a conventional installation of BIND and are using it, you will already have an existing named.conf and zone files. These files must now be moved (or copied, to be safe) into the chroot jail, so that BIND can get at them. named.conf goes in /chroot/named/etc, and the zone files can go in /chroot/named/etc/namedb. For example: 

# cp -p /etc/named.conf /chroot/named/etc/

# cp -a /var/named/* /chroot/named/etc/namedb/

BIND will likely need to write to the namedb directory, and probably some of the files in it. For example, if your DNS serves as a slave for a zone, it will have to update that zone file. Also, BIND can dump statistical information, and does so in this directory. For that reason, you should probably make the named user the owner of this directory and its contents: 

# chown -R named:named /chroot/named/etc/namedb
BIND will also need to write to the /var/run directory, to put its pidfile and ndc socket there, so let's allow it to do so: 
# chown named:named /chroot/named/var/run

2.4 System Support Files

Once BIND is running in the chroot jail, it will not be able to access files outside the jail at all. However, it needs to access a few key files, such as the system's C library. Exactly what libraries are required will depend on your flavour of UNIX. For most modern Linux systems, the following commands will be sufficient to put the necessary libraries in place: 

# cd /chroot/named/lib
# cp -p /lib/libc-2.*.so .
# ln -s libc-2.*.so libc.so.6
# cp -p /lib/ld-2.*.so .
# ln -s ld-2.*.so ld-linux.so.2
As an alternative, you could simply build statically-linked versions of the BIND binaries to put in your chroot jail. You should also copy ldconfig into the jail, and run it to create an etc/ld.so.cache for the jail environment. The following commands could take care of this: 
# cp /sbin/ldconfig /chroot/named/bin/
# chroot /chroot/named /bin/ldconfig -v

BIND needs one more system file in its jail: good ol' /dev/null. Again, the exact command necessary to create this device node may vary from system to system; check your /dev/MAKEDEV script to be sure. Some systems may also require /dev/zero. For most Linux systems, we can use the following command: 

# mknod /chroot/named/dev/null c 1 3

Finally, you need a couple extra files in the /etc directory inside the jail. In particular, you must copy /etc/localtime (this sometimes known as /usr/lib/zoneinfo/localtime on some systems) in there so that BIND logs things with the right time on them, and you must make a simple group file with the named group in it. The following two commands will take care of this: 

# cp /etc/localtime /chroot/named/etc/

# echo 'named:x:200:' > /chroot/named/etc/group

Keep in mind that the GID, 200 in this example, must match the one you defined in the real /etc/group above.

2.5 Logging

Unlike a conventional jailbird, BIND can't just scribble its log entries on the walls :-). Normally, BIND logs through syslogd, the system logging daemon. However, this type of logging is performed by sending the log entries to the special socket /dev/log. Since this is outside the jail, BIND can't use it any more. Fortuantely, there are a couple options to work around this.

The Ideal Solution

The ideal solution to this dilemma requires a reasonably recent version of syslogd which supports the -a switch introduced by OpenBSD. Check the manpage for your syslogd(8) to see if you have such a version.

If you do, all you have to do is add the switch ``-a /chroot/named/dev/log'' to the command line when you launch syslogd. On systems which use a full SysV-init (which includes most Linux distributions), this is typically done in the file /etc/rc.d/init.d/syslog. For example, on my Red Hat Linux system, I changed the line 

daemon syslogd -m 0
to 
daemon syslogd -m 0 -a /chroot/named/dev/log

On Caldera OpenLinux systems, they use a daemon launcher called ssd, which reads configuration from /etc/sysconfig/daemons/syslog. You simply need to modify the options line to look like this: 

OPTIONS_SYSLOGD="-m 0 -a /chroot/named/dev/log"

Similarly, on SuSE systems, I'm told that the best place to add this switch is in the /etc/rc.config file. Changing the line 

SYSLOGD_PARAMS=""
to read 
SYSLOGD_PARAMS="-a /chroot/named/dev/log"
should do the trick.

Once you've figured out how to make this change for your system, simply restart syslogd, either by killing it and launching it again (with the extra parameters), or by using the SysV-init script to do it for you: 

# /etc/rc.d/init.d/syslog stop
# /etc/rc.d/init.d/syslog start

Once it's been restarted, you should see a ``file'' in /chroot/named/dev called log, that looks something like this: 

srw-rw-rw-   1 root     root            0 Mar 13 20:58 log

The Other Solutions

If you have an older syslogd, then you'll have to find another way to do your logging. There are a couple programs out there, such as holelogd, which are designed to help by acting as a ``proxy'' and accepting log entries from the chrooted BIND and passing them out to the regular /dev/log socket.

Alteratively, you can simply configure BIND to log to files instead of going through syslog. See the BIND documentation for more details if you choose to go this route.

Next Previous Contents
Continue
 



P
System Builder

Now Shipping from: California - Florida - Georgia - Massachusetts - Michigan - New Jersey - Pennsylvania - Tennessee - Texas
We only ship within the USA and APO's.
We do not ship on national US holidays or on weekends.
Linux Voodoo RSS Store Feed
About Us  |  Contact Us  |  Conditions of Use  |  Privacy Notice  |  Warranty & Returns  |  Employment |  PHP HTML Form Builder

Copyright © 2003, Linux Voodoo Corporation All rights reserved. Linux is a trademark of Linus Torvalds.
email-addresses
Asterisk Debian Linux, WOW on Linux, yes our gaming systems do include World of Warcraft for Linux! Linux Voodoo Gaming systems include one copy of World of Warcraft, 1 year paid subscription to Transgaming.com so you can play over 200 popular Windows games on our linux systems. Too good to be true? Try it out for yourself.