We must tell syslogd, the syslog daemon program, about the new chrooted service, since normally processes talk to syslogd through /dev/log. Inside the chroot jail this won't be possible, so syslogd needs to be told to listen on /chroot/named/dev/log instead of the default /dev/log. To do this, edit the syslog startup script file to specify additional places to listen.
Edit the syslog script file (vi +24 /etc/rc.d/init.d/syslog) and change the line:
daemon syslogd -m 0
To read:
daemon syslogd -m 0 -a /chroot/named/dev/log
The default named script file of ISC BIND/DNS starts the named daemon outside the chroot jail. We must change it to start named from the chroot jail. Edit the named script file (vi /etc/rc.d/init.d/named) and change the lines:
[ -f /usr/sbin/named ] || exit 0
To read:
[ -f /chroot/named/usr/sbin/named ] || exit 0
[ -f /etc/named.conf ] || exit 0
To read:
[ -f /chroot/named/etc/named.conf ] || exit 0
daemon named
To read:
daemon /chroot/named/usr/sbin/named -t /chroot/named/ -unamed -gnamed
The -t option tells named to start up using the new chroot environment.
The -u option specifies the user to run as.
The -g option specifies the group to run as.
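Before restarting syslogd and named, it is worth confirming that the jail actually contains what the edited init scripts now reference and that the scripts carry the -a, -t, -u and -g arguments described above; a jail that is missing named.conf or dev/log fails at the next reboot rather than now. The following helper functions are an added example written for this page, not part of the original guide or of the BIND package. They assume the guide's /chroot/named layout by default and take the jail root and script paths as arguments, so they can be pointed at any other location.

```sh
#!/bin/sh
# Added example (not from the original guide): sanity checks for a
# BIND chroot jail and the modified syslog/named init scripts.
# Default jail root follows the guide's /chroot/named layout.

# check_jail_layout JAIL
# Return 0 when every path the modified named init script references
# exists inside the jail, 1 otherwise (each missing path is reported).
check_jail_layout() {
    jail=${1:-/chroot/named}
    rc=0
    for rel in usr/sbin/named etc/named.conf var/run dev; do
        if [ ! -e "$jail/$rel" ]; then
            echo "missing: $jail/$rel" >&2
            rc=1
        fi
    done
    return $rc
}

# syslog_listens_in_jail SCRIPT [JAIL]
# Return 0 when the syslog startup script starts syslogd with an
# additional "-a JAIL/dev/log" socket, as the guide instructs.
syslog_listens_in_jail() {
    script=$1
    jail=${2:-/chroot/named}
    grep -q "syslogd.*-a[ ]*$jail/dev/log" "$script"
}

# named_starts_in_jail SCRIPT [JAIL]
# Return 0 when the named startup script runs the jailed binary with
# "-t JAIL" and drops privileges to the named user and group
# (the guide writes these as -unamed -gnamed, with no space).
named_starts_in_jail() {
    script=$1
    jail=${2:-/chroot/named}
    grep -q "$jail/usr/sbin/named.*-t[ ]*$jail" "$script" &&
    grep -q -- '-u *named' "$script" &&
    grep -q -- '-g *named' "$script"
}
```

Source the file and call, for example, `check_jail_layout /chroot/named && syslog_listens_in_jail /etc/rc.d/init.d/syslog && named_starts_in_jail /etc/rc.d/init.d/named` before restarting the services; a non-zero exit means one of the edits above was not applied or the jail is incomplete. The socket /chroot/named/dev/log itself only appears once syslogd has been restarted with the new -a argument, so check for it with `[ -S /chroot/named/dev/log ]` after that restart.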
In BIND version 8.2, the ndc command of the ISC BIND/DNS software became a binary file; before, it was a script file. This renders the shipped ndc useless in this chrooted setting, so the ISC BIND/DNS package must be compiled again from source. To do this, run the following from the top level of the ISC BIND/DNS source directory.
For the ndc utility:
[root@deep] /# cp bind-src.tar.gz /var/tmp
[root@deep] /# cd /var/tmp/
[root@deep ]/tmp# tar xzpf bind-src.tar.gz
[root@deep ]/tmp# cd src
[root@deep ]/src# cp port/linux/Makefile.set port/linux/Makefile.set-orig
Edit the Makefile.set file (vi port/linux/Makefile.set) to make the changes listed below:
'CC=egcs -D_GNU_SOURCE'
'CDEBUG=-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -g'
'DESTBIN=/usr/bin'
'DESTSBIN=/chroot/named/usr/sbin'
'DESTEXEC=/chroot/named/usr/sbin'
'DESTMAN=/usr/man'
'DESTHELP=/usr/lib'
'DESTETC=/etc'
'DESTRUN=/chroot/named/var/run'
'DESTLIB=/usr/lib/bind/lib'
'DESTINC=/usr/lib/bind/include'
'LEX=flex -8 -I'
'YACC=yacc -d'
'SYSLIBS=-lfl'
'INSTALL=install'
'MANDIR=man'
'MANROFF=cat'
'CATEXT=$$N'
'PS=ps p'
'AR=ar crus'
'RANLIB=:'
The difference between the Makefile we used before and this one is that we modify the DESTSBIN=, DESTEXEC=, and DESTRUN= lines to point to the chrooted directory of BIND/DNS. With this modification, the ndc program knows where to find named.
[root@deep ]/src# make clean
[root@deep ]/src# make
[root@deep ]/src# cp bin/ndc/ndc /usr/sbin/
cp: overwrite `/usr/sbin/ndc'? y
[root@deep ]/src# strip /usr/sbin/ndc
We build the binary, then copy the resulting ndc program to /usr/sbin, overwriting the old one. Don't forget to strip the new ndc binary for better performance.