We must tell syslogd, the syslog daemon, about the new chrooted service, since processes normally talk to syslogd through /dev/log. From inside the chroot jail this is not possible, so syslogd needs to be told to listen on /chroot/named/dev/log as well as the default /dev/log. To do this, edit the syslog startup script to specify additional places to listen.
Edit the syslog script file (vi +24 /etc/rc.d/init.d/syslog) and change the line to read:
daemon syslogd -m 0 -a /chroot/named/dev/log
The default named script file of ISC BIND/DNS starts the named daemon outside the chroot jail. We must change it to start named from the chroot jail. Edit the named script file (vi /etc/rc.d/init.d/named) and change the lines:
[ -f /usr/sbin/named ] || exit 0
To read:
[ -f /chroot/named/usr/sbin/named ] || exit 0
[ -f /etc/named.conf ] || exit 0
To read:
[ -f /chroot/named/etc/named.conf ] || exit 0
And change the line that starts the daemon to read:
daemon /chroot/named/usr/sbin/named -t /chroot/named/ -unamed -gnamed
- The -t option tells named to start up using the new chroot environment.
- The -u option specifies the user to run as.
- The -g option specifies the group to run as.
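Before restarting anything, it is worth checking that the syslog and named init scripts really carry the edits described above. The following is an added example (not from the book) that verifies the daemon line starts the binary inside the jail with -t/-u/-g, that both "[ -f ... ] || exit 0" guards look inside the jail, and that syslogd is given the jail's log socket with -a. The "before" script contents are constructed samples, not lines quoted from the book.

```sh
#!/bin/sh
# Added example: sanity-check the edited init scripts for the chrooted
# named before restarting it. Paths follow the page (/chroot/named).
CHROOT=/chroot/named

# check_named_script FILE -> 0 if every edit is present, else 1 (with reasons)
check_named_script() {
    f=$1 ok=0
    start=$(grep -E '^[[:space:]]*daemon[[:space:]]' "$f" || true)
    # the daemon line must run the jailed binary and pass -t <jail>, -u, -g
    case "$start" in
        *"daemon $CHROOT/usr/sbin/named "*"-t $CHROOT"*-u*-g*) ;;
        *) echo "named not started inside $CHROOT: ${start:-<no daemon line>}"; ok=1 ;;
    esac
    # a guard still testing /usr/sbin/named or /etc/named.conf was not updated
    if grep -E '^[[:space:]]*\[ -f /(usr/sbin/named|etc/named\.conf) \]' "$f" >/dev/null; then
        echo "existence check still points outside the jail in $f"; ok=1
    fi
    return $ok
}

# check_syslog_script FILE -> 0 if syslogd is told to listen on the jail's /dev/log
check_syslog_script() {
    grep -E "^[[:space:]]*daemon[[:space:]]+syslogd[[:space:]].*-a[[:space:]]+$CHROOT/dev/log" "$1" >/dev/null
}

# Constructed sample scripts: "old" = assumed pre-edit lines, "new" = the edits above
tmp=$(mktemp -d)
printf '%s\n' '[ -f /usr/sbin/named ] || exit 0' '[ -f /etc/named.conf ] || exit 0' \
    '        daemon /usr/sbin/named' > "$tmp/named.old"
printf '%s\n' "[ -f $CHROOT/usr/sbin/named ] || exit 0" "[ -f $CHROOT/etc/named.conf ] || exit 0" \
    "        daemon $CHROOT/usr/sbin/named -t $CHROOT/ -unamed -gnamed" > "$tmp/named.new"
printf '%s\n' '        daemon syslogd -m 0' > "$tmp/syslog.old"
printf '%s\n' "        daemon syslogd -m 0 -a $CHROOT/dev/log" > "$tmp/syslog.new"

for s in named.old named.new; do
    if check_named_script "$tmp/$s"; then echo "$s: OK"; else echo "$s: FIX NEEDED"; fi
done
for s in syslog.old syslog.new; do
    if check_syslog_script "$tmp/$s"; then echo "$s: OK"; else echo "$s: FIX NEEDED"; fi
done
echo "sample scripts left in $tmp"
```

To check the real files, call check_named_script /etc/rc.d/init.d/named and check_syslog_script /etc/rc.d/init.d/syslog instead of the samples.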
In BIND version 8.2 the ndc command of the ISC BIND/DNS software became a binary file; before, it was a script file. This renders the shipped ndc useless in this setting, so to fix it the ISC BIND/DNS package must be compiled again from source. To do this, run the following from the top level of the ISC BIND/DNS source directory.
For the ndc utility:
[root@deep] /# cp bind-src.tar.gz /var/tmp
[root@deep] /# cd /var/tmp/
[root@deep ]/tmp# tar xzpf bind-src.tar.gz
[root@deep ]/tmp# cd src
[root@deep ]/src# cp port/linux/Makefile.set port/linux/Makefile.set-orig
Edit the Makefile.set file (vi port/linux/Makefile.set) and make the changes listed below:
'CC=egcs -D_GNU_SOURCE'
'CDEBUG=-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -g'
'DESTBIN=/usr/bin'
'DESTSBIN=/chroot/named/usr/sbin'
'DESTEXEC=/chroot/named/usr/sbin'
'DESTMAN=/usr/man'
'DESTHELP=/usr/lib'
'DESTETC=/etc'
'DESTRUN=/chroot/named/var/run'
'DESTLIB=/usr/lib/bind/lib'
'DESTINC=/usr/lib/bind/include'
'LEX=flex -8 -I'
'YACC=yacc -d'
'SYSLIBS=-lfl'
'INSTALL=install'
'MANDIR=man'
'MANROFF=cat'
'CATEXT=$$N'
'PS=ps p'
'AR=ar crus'
'RANLIB=:'
The difference between the Makefile we used before and this one is that we modify the DESTSBIN=, DESTEXEC=, and DESTRUN= lines to point to the chrooted directory
of BIND/DNS. With this modification, the ndc program knows where to find named.
[root@deep ]/src# make clean
[root@deep ]/src# make
[root@deep ]/src# cp bin/ndc/ndc /usr/sbin/
cp: overwrite `/usr/sbin/ndc'? y
[root@deep ]/src# strip /usr/sbin/ndc
We build the binary, copy the resulting ndc program to /usr/sbin, overwriting the old one, and don't forget to strip the new ndc binary for better performance.