Linux Voodoo Corporation

4. Installing Your Shiny New BIND

I should mention that if you have an existing installation of BIND, such as from an RPM, you should probably remove it before installing the new one. On Red Hat systems, this probably means removing the packages bind and bind-utils, and possibly bind-devel and caching-nameserver, if you have them.

You may want to save a copy of the init script (e.g., /etc/rc.d/init.d/named), if any, before doing so; it'll be useful later on.

4.1 Installing the Tools Outside the Jail

This is the easy part :-). Just run make install and let it take care of it for you. You may want to chmod 000 /usr/local/sbin/named afterwards, to make sure you don't accidentally run the non-chrooted copy of BIND. (This is /usr/sbin/named if you didn't tell it to go in /usr/local/sbin like I suggested.)

4.2 Installing the Binaries in the Jail

Only two parts of the package have to live inside the chroot jail: the main named daemon itself, and named-xfer, which it uses for zone transfers. You can simply copy them in from the source tree:

# cp src/bin/named/named /chroot/named/bin

# cp src/bin/named-xfer/named-xfer /chroot/named/bin

4.3 Setting up the Init Script

If you have an existing init script from your distribution, it would probably be best simply to modify it to run /chroot/named/bin/named, with the appropriate switches. The switches are... (drumroll please...)

  • -u named, which tells BIND to run as the user named, rather than root.
  • -g named, to run BIND under the group named too, rather than root or wheel.
  • -t /chroot/named, which tells BIND to chroot itself to the jail that we've set up.

The following is the init script I use with my Red Hat 6.0 system. As you can see, it is almost exactly the same as the way it shipped from Red Hat. I have also modified the ndc restart command so that it restarts the server properly, and keeps it chrooted. You should probably do the same in your init script, even if you don't copy this one.


#!/bin/sh
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /chroot/named/bin/named ] || exit 0

[ -f /chroot/named/etc/named.conf ] || exit 0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting named: "
        daemon /chroot/named/bin/named -u named -g named -t /chroot/named
        echo
        touch /var/lock/subsys/named
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
        rm -f /var/lock/subsys/named
        echo
        ;;
  status)
        /usr/local/sbin/ndc status
        exit $?
        ;;
  restart)
        /usr/local/sbin/ndc -n /chroot/named/bin/named "restart -u named -g named -t /chroot/named"
        exit $?
        ;;
  reload)
        /usr/local/sbin/ndc reload
        exit $?
        ;; 
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/local/sbin/ndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  
  *)
        echo "Usage: named {start|stop|status|restart|reload|probe}"
        exit 1
esac

exit 0

On Caldera OpenLinux systems, you simply need to modify the variables defined at the top, and it will apparently take care of the rest for you:

NAME=named
DAEMON=/chroot/named/bin/$NAME
OPTIONS="-t /chroot/named -u named -g named"
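
Once the init script has started the daemon, it is worth confirming that the three switches actually took effect. The following check is an added example, not part of the original HOWTO; the function name check_named_jail is hypothetical, and it assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Added example: confirm a running named is confined the way the init script
# intends, by checking its root directory (-t) and effective ids (-u, -g).

# check_named_jail PROC_DIR JAIL UID GID
#   PROC_DIR  /proc/<pid> of the named process
#   JAIL      expected chroot, e.g. /chroot/named
#   UID, GID  numeric ids of the "named" user and group
# Prints one line per finding; returns 0 only if every check passes.
check_named_jail() {
    procdir=$1 jail=$2 want_uid=$3 want_gid=$4
    rc=0

    # /proc/<pid>/root is a symlink to the process's root directory;
    # for a process that never called chroot() it points at "/".
    root=$(readlink "$procdir/root") || { echo "cannot read $procdir/root"; return 2; }
    if [ "$root" != "$jail" ]; then
        echo "FAIL: root is $root, expected $jail"; rc=1
    fi

    # Status lines read "Uid: real effective saved fs"; field 3 is effective.
    euid=$(awk '$1 == "Uid:" { print $3 }' "$procdir/status")
    egid=$(awk '$1 == "Gid:" { print $3 }' "$procdir/status")
    [ "$euid" = "$want_uid" ] || { echo "FAIL: euid is $euid, expected $want_uid"; rc=1; }
    [ "$egid" = "$want_gid" ] || { echo "FAIL: egid is $egid, expected $want_gid"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: chrooted to $jail as uid $euid gid $egid"
    return "$rc"
}

# Live use (as root, because another user's /proc/<pid>/root is not readable
# otherwise); the pid file path is the jail-relative one from named.conf:
#   check_named_jail "/proc/$(cat /chroot/named/var/run/named.pid)" \
#       /chroot/named "$(id -u named)" "$(id -g named)"
```

A root of "/" or an effective uid of 0 means named was started without -t or -u, for example by the non-chrooted copy or an unmodified init script.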

4.4 Configuration Changes

You will also have to add or change a few options in your named.conf to keep the various directories straight. In particular, you should add (or change, if you already have them) the following directives in the options section:

directory "/etc/namedb";
pid-file "/var/run/named.pid";
named-xfer "/bin/named-xfer";

Since this file is being read by the named daemon, all the paths are of course relative to the chroot jail.

Some people have also reported having to add an extra block to their named.conf to get ndc working properly:

controls {
    unix "/var/run/ndc" perm 0600 owner 0 group 0;
};
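
Because named resolves these paths after it has chrooted, a host-style path such as /chroot/named/etc/namedb in named.conf will not be found. The following check is an added example, not part of the original HOWTO; the function names conf_path and check_jail_paths are hypothetical, and it assumes each directive sits on one line in the form shown above.

```shell
#!/bin/sh
# Added example: map the three path directives from the jail's named.conf
# back onto the host filesystem and confirm each one exists inside the jail.

# conf_path CONF DIRECTIVE: print the quoted value of a simple
# 'directive "value";' line (first match; comments are not parsed).
conf_path() {
    sed -n "s|^[[:space:]]*$2[[:space:]]\{1,\}\"\([^\"]*\)\";.*|\1|p" "$1" | head -n 1
}

# check_jail_paths JAIL: returns 0 only if directory, pid-file and named-xfer
# are all set and resolve to something usable under JAIL.
check_jail_paths() {
    jail=$1 conf=$1/etc/named.conf rc=0
    [ -f "$conf" ] || { echo "FAIL: no $conf"; return 2; }

    dir=$(conf_path "$conf" directory)
    pid=$(conf_path "$conf" pid-file)
    xfer=$(conf_path "$conf" named-xfer)

    # Zone file directory must exist inside the jail.
    [ -n "$dir" ] && [ -d "$jail$dir" ] ||
        { echo "FAIL: directory \"$dir\" -> $jail$dir is not a directory"; rc=1; }
    # The pid file is created at runtime, so only its parent must exist.
    [ -n "$pid" ] && [ -d "$jail$(dirname "$pid")" ] ||
        { echo "FAIL: pid-file \"$pid\": no directory for it inside $jail"; rc=1; }
    # named-xfer must be the copy installed in the jail's bin directory.
    [ -n "$xfer" ] && [ -f "$jail$xfer" ] && [ -x "$jail$xfer" ] ||
        { echo "FAIL: named-xfer \"$xfer\" -> $jail$xfer is not executable"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: directory, pid-file and named-xfer resolve inside $jail"
    return "$rc"
}

# Typical use on the setup described above:
#   check_jail_paths /chroot/named
```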


Copyright © 2003, Linux Voodoo Corporation All rights reserved. Linux is a trademark of Linus Torvalds.