Chroot-BIND HOWTO

Scott Wunsch, scott at wunsch.org
v1.0, 13 March 2000 

Korean translation: <kilhan@kldp.org>

Translator's note: if you find mistakes or have suggestions, please let
the translator know so that the document can be corrected and updated.



Copyright

Copyright  Scott Wunsch, 2000.  This document may be distributed
only subject to the terms set forth in the LDP licence at
http://metalab.unc.edu/LDP/COPYRIGHT.html.  This HOWTO is free
documentation; you can redistribute it and/or modify it under the terms
of the LDP licence.  It is distributed in the hope that it will be useful,
but without any warranty;
without even the implied warranty of merchantability or fitness for a
particular purpose.  See the LDP licence for more details.

This document was written to help you set BIND up so that it runs in a
chroot jail as an unprivileged user.

1.1 ?  

  BINDŰ ġ Ҷ ߰ Ȼ׿
Ͽ Ѵ.  װ bindŰ 'chroot'ܺη аų ٸ
㰡   ϴ° ǹѴ.   ̰ 'root'(ý
)̿ ڷμ Ҽ ֵ Ұ̴.  chroot  
 ϴ. BIND ٸ  process chroot  ǵ ϸ
chroot ܸ̿ ų ٸ filesystem д° Ұϴ.   
  ȿ BIND 丮/chroot/named chrootedǰ  ̴.
׷ ȴٸ BINDν   ִ  丮 /  ˰Եȴ.
chroot  丮  㰡 °̴.  Ƹ Anonymous
FTP  ϴ° α Ͽٸ chroot ؼ ˰̴.


1.2 Why?

The point of running BIND in a chroot jail is to limit the damage an
attacker can do through BIND if a security hole is found in it. For
the same reason BIND is also run as a user other than root (the system
administrator).


1.3 Where?

The latest version of this document is available at
http://www.losurs.org/docs/howto/Chroot-BIND.html. BIND itself is
available from the Internet Software Consortium at
http://www.isc.org/bind.html; the current version at the time of
writing is 8.2.2_P5.

(Translator's note: sections 1.4 and 1.5 are left in the original English.)

1.4 How?

I wrote this document based on my experiences in setting BIND up
in a chroot environment. In my case, I already had an existing
BIND installation in the form of a package that came with my Linux
distribution. I'll assume that most of you are probably in the same
situation, and will simply be transferring over and modifying the
configuration files from your existing BIND installation, and then
removing the package before installing the new one. Don't remove the
package yet, though; we may want some files from it first.

If this is not the case for you, you should still be able to follow
this document. The only difference is that, where I refer to copying an
existing file, you first have to create it yourself. The DNS HOWTO may
be helpful for this.

1.5 Disclaimer

These steps worked for me, on my system. Your mileage may vary. This
is but one way to approach this; there are other ways to set the same
thing up (although the general approach will be the same).

My BIND experience to date has been installing on Linux servers. However,
most of the instructions in this document should be easily applicable to
other flavours of UNIX as well, and I shall try to point out differences
of which I am aware.



2 Preparing the Jail

2.1 Adding a user

(Translator's note: the original adds a dedicated named user. Since I
run BIND as nobody, most of this step is already done on my system.)

Add the following line to /etc/passwd:

named:x:200:200:Nameserver:/chroot/named:/bin/false

And add this line to /etc/group:

named:x:200:

The shell is /bin/false so that nobody can log in as this user.

2.2 The directory structure

Create the following directory tree:

/chroot
  +-- named
       +-- bin
       +-- dev
       +-- etc
       |    +-- namedb
       +-- lib
       +-- var
            +-- run


2.3 Placing the BIND data

If you already have BIND installed or configured, move named.conf and
your zone files into the jail: /etc/named.conf goes into
/chroot/named/etc, and the zone files go into /chroot/named/etc/namedb.

# cp -p /etc/named.conf /chroot/named/etc/
# cp -a /var/named/* /chroot/named/etc/namedb/

If BIND is a slave rather than a master for some zones, or otherwise
needs to write to its zone files, it needs write permission on the zone
directory. Change the ownership:

# chown -R named:named /chroot/named/etc/namedb

(Translator's note: since I run BIND as nobody, I used
# chown -R nobody:nobody /chroot/named/etc/namedb instead.)

BIND also needs write permission on /var/run inside the jail, to create
its pid file and the socket used by ndc:

# chown named:named /chroot/named/var/run

(Translator's note: again, with nobody I used
# chown -R nobody:nobody /chroot/named/var/run instead.)


2.4 Support files needed in the jail

Once BIND is chrooted it cannot access any files outside the jail, so
the files it needs (in particular the system libraries) have to be
copied inside. The following commands copy the required libraries into
the jail; they should work on a Linux machine.

# cd /chroot/named/lib
# cp -p /lib/libc-2.*.so .
# ln -s libc-2.*.so libc.so.6
# cp -p /lib/ld-2.*.so .
# ln -s ld-2.*.so ld-linux.so.2

BIND also needs a /dev/null inside the jail once it is chrooted. Check
your /dev/MAKEDEV script or the mknod manual page for your system; on
Linux the following should work:

# mknod /chroot/named/dev/null c 1 3

A couple of files from /etc are also needed in the jail. /etc/localtime
must be copied in so that BIND's log entries carry the correct local
time, and a group file is needed as well:

# cp /etc/localtime /chroot/named/etc/
# echo 'named:x:200:' > /chroot/named/etc/group

(Use the GID you chose for the named user in section 2.1; 200 here.
Translator's note: since I run BIND as nobody, I used
echo 'nobody:x:99:' > /chroot/named/etc/group instead.)


2.5 Logging

I assume you log with syslogd. There are two ways to get the chrooted
BIND's log messages to it; since this depends on your system, I will
describe the first one, which is what I use on RedHat.

The syslogd startup script has to be modified. In
/etc/rc.d/init.d/syslog, change the line

daemon syslogd -m 0

to

daemon syslogd -m 0 -a /chroot/named/dev/log

Then restart syslogd:

# /etc/rc.d/init.d/syslog stop
# /etc/rc.d/init.d/syslog start

Afterwards the following socket should appear in /chroot/named/dev:

srw-rw-rw-   1 root     root            0 Mar 13 20:58 log

The other way: If you have an older syslogd, then you'll have to find
another way to do your logging. There are a couple programs out there,
such as holelogd, which are designed to help by acting as a ``proxy''
and accepting log entries from the chrooted BIND and passing them out
to the regular /dev/log socket.
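The script below is an added example; it is not part of the HOWTO or of BIND. It builds the directory tree of section 2.2 under a jail root given on the command line, copies libraries the way section 2.4 does, applies the ownership of section 2.3, and then audits the jail for everything sections 2.2 to 2.5 expect to be there (directories, named.conf, group, localtime, the /dev/null device and the syslogd socket). The function names, the command-line arguments and the rule that mknod and chown are only attempted when running as root are assumptions of this example, not something the HOWTO specifies.

```shell
#!/bin/sh
# Added example (not from the HOWTO): build the jail of sections 2.2-2.4
# under a configurable root and audit it afterwards.
# Assumptions not in the HOWTO: the jail root and account name come from
# the command line ($1, $2) instead of being fixed to /chroot/named and
# named; mknod and chown are only attempted when running as root.

JAIL_DIRS="bin dev etc etc/namedb lib var var/run"

# Section 2.2: the directory tree. Section 2.4: /dev/null inside the jail.
make_jail_tree() {
    jail=$1
    for d in $JAIL_DIRS; do
        mkdir -p "$jail/$d" || return 1
    done
    if [ ! -e "$jail/dev/null" ] && [ "$(id -u)" = 0 ]; then
        mknod "$jail/dev/null" c 1 3 2>/dev/null ||
            echo "warning: could not create $jail/dev/null" >&2
    fi
    return 0
}

# Section 2.4: copy one library into the jail and create the name the
# loader looks for, e.g. copy_lib /chroot/named /lib/libc-2.1.3.so libc.so.6
copy_lib() {
    jail=$1; src=$2; linkname=$3
    cp -p "$src" "$jail/lib/" || return 1
    ln -sf "$(basename "$src")" "$jail/lib/$linkname"
}

# Section 2.3: only the zone directory and var/run belong to the
# unprivileged account; everything else stays root-owned.
set_jail_ownership() {
    jail=$1; account=$2
    chown -R "$account:$account" "$jail/etc/namedb" || return 1
    chown "$account:$account" "$jail/var/run"
}

# Audit what sections 2.2-2.5 expect to find in the jail. Prints one line
# per problem and returns the number of problems (0 = jail complete).
audit_jail() {
    jail=$1; problems=0
    for d in $JAIL_DIRS; do
        [ -d "$jail/$d" ] || { echo "missing directory: $jail/$d"; problems=$((problems + 1)); }
    done
    for f in etc/named.conf etc/group etc/localtime; do
        [ -f "$jail/$f" ] || { echo "missing file: $jail/$f"; problems=$((problems + 1)); }
    done
    [ -c "$jail/dev/null" ] || { echo "missing character device: $jail/dev/null"; problems=$((problems + 1)); }
    # Section 2.5: the socket syslogd creates when started with -a <jail>/dev/log
    [ -S "$jail/dev/log" ] || { echo "missing log socket: $jail/dev/log (is syslogd started with -a?)"; problems=$((problems + 1)); }
    return $problems
}

# Usage: sh jail.sh /chroot/named named
if [ -n "$1" ]; then
    make_jail_tree "$1" || exit 1
    [ -n "$2" ] && [ "$(id -u)" = 0 ] && set_jail_ownership "$1" "$2"
    audit_jail "$1"
fi
```

Run it as root after the steps in this section; a non-zero exit status and the printed lines tell you which part of the jail is still missing. Running it again after section 4 (with named.conf in place) is a quick way to confirm the jail is complete before starting named.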

3. Compiling BIND

Download the latest BIND from http://www.isc.org/bind.html or from a
mirror site.

3.1 Modifying the source (the translator found this part confusing ^^)

By default the run directory is /var/run, and it has to be inside the
jail. ndc, however, runs outside the jail and must find the socket at
its real location on the system, so the path in the build files is
changed to the full path as seen from outside the jail.

In src/port/linux/Makefile.set, change DESTRUN=/var/run to
DESTRUN=/chroot/named/var/run.

(While you're in there, you may want to change the other destination
paths from /usr to /usr/local.)

named itself runs inside the jail and must use the path as seen from
there. In src/bin/named/named.h, right after the line
#include "pathnames.h", add:

#define _PATH_NDCSOCK    "/var/run/ndc"
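The two edits above are easy to get wrong by hand and have to be redone on every new BIND source tree, so here they are as a script. This is an added example, not part of the HOWTO or of the BIND sources: the source tree root and the jail path are taken from the command line, the function names are this example's own, and each edit is skipped if it has already been applied. The two file names and the two lines it changes are exactly the ones section 3.1 gives.

```shell
#!/bin/sh
# Added example (not from the HOWTO): apply the two source edits of
# section 3.1 with sed so they can be repeated on a fresh BIND 8 tree.
# Assumptions not in the HOWTO: $1 is the source tree root, $2 the jail
# path; both edits are idempotent.

# First edit: point DESTRUN at var/run inside the jail (the path ndc
# uses from outside the jail).
set_destrun() {
    makefile_set=$1; jail=$2
    grep -q "^DESTRUN=$jail/var/run\$" "$makefile_set" && return 0
    sed "s|^DESTRUN=.*|DESTRUN=$jail/var/run|" "$makefile_set" > "$makefile_set.tmp" &&
        mv "$makefile_set.tmp" "$makefile_set"
}

# Second edit: make named look for the ndc socket at the path it sees
# from inside the jail, right after #include "pathnames.h".
define_ndcsock() {
    named_h=$1
    grep -q '^#define _PATH_NDCSOCK' "$named_h" && return 0
    sed '/^#include "pathnames.h"/a\
#define _PATH_NDCSOCK    "/var/run/ndc"' "$named_h" > "$named_h.tmp" &&
        mv "$named_h.tmp" "$named_h"
}

# Helpers that read back what the edits produced, for checking.
get_destrun() { sed -n 's/^DESTRUN=//p' "$1"; }
ndcsock_line() { grep -n '^#define _PATH_NDCSOCK' "$1" | cut -d: -f1; }

# Apply both edits to a BIND 8 source tree.
patch_bind_source() {
    src=$1; jail=$2
    set_destrun "$src/src/port/linux/Makefile.set" "$jail" || return 1
    define_ndcsock "$src/src/bin/named/named.h"
}

# Usage: sh patch-bind.sh /usr/src/bind-8.2.2_P5 /chroot/named
if [ -n "$2" ]; then
    patch_bind_source "$1" "$2" &&
        echo "DESTRUN is now $(get_destrun "$1/src/port/linux/Makefile.set")"
fi
```

After running it, the printed DESTRUN value should be the jail's var/run as seen from outside, while the define in named.h stays /var/run/ndc: that asymmetry is the whole point of section 3.1.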

3.2 Compiling

Read the INSTALL file. Only the build is done at this point; the
installation comes next, and nothing here differs from what the
INSTALL file says. Run:

# make clean
# make depend
# make

4. Installing the new BIND

If BIND is installed as an rpm or another kind of package, remove it
now. On RedHat Linux, the packages are bind, bind-utils, bind-devel and
caching-nameserver. If you have an /etc/rc.d/init.d/named script, keep
a copy of it; it is useful later.

4.1 Installing outside the jail

This is the easy part :-).

After installing (make install), set the permissions of
/usr/local/sbin/named to 000 so that the copy outside the jail cannot
be executed:

# chmod 000 /usr/local/sbin/named

4.2 Installing inside the jail

Copy the named daemon and named-xfer (the zone transfer program) into
the jail:

# cp src/bin/named/named /chroot/named/bin
# cp src/bin/named-xfer/named-xfer /chroot/named/bin
4.3 The startup script

This is what I use on a RedHat 6.0 system. The -u option sets the user
ID named switches to after it starts, -g sets the group, and -t sets
the directory to chroot into.

daemon /chroot/named/bin/named -u named -g named -t /chroot/named

(Translator's note: I use
daemon /chroot/named/bin/named -u nobody -g nobody -t /chroot/named
instead.)

The script below is saved as /etc/rc.d/init.d/named.

#!/bin/sh
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

[ -f /chroot/named/bin/named ] || exit 0

[ -f /chroot/named/etc/named.conf ] || exit 0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting named: "
        daemon /chroot/named/bin/named -u named -g named -t /chroot/named
        echo
        touch /var/lock/subsys/named
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
        rm -f /var/lock/subsys/named
        echo
        ;;
  status)
        /usr/local/sbin/ndc status
        exit $?
        ;;
  restart)
        /usr/local/sbin/ndc restart
        exit $?
        ;;
  reload)
        /usr/local/sbin/ndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/local/sbin/ndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload}"
        exit 1
esac

exit 0


4.4 Configuration changes

You may need to change a few things in named.conf. The options to
check are:

directory "/etc/namedb";
pid-file "/var/run/named.pid";
named-xfer "/bin/named-xfer";

(Note) Do not put /chroot/named/etc in the directory option. Since
/chroot/named is / to the chrooted process, the path has to be written
as /etc/namedb.
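The mistake the note warns about (writing the jail prefix into named.conf) is easy to catch mechanically. The script below is an added example, not part of the HOWTO or of BIND: it reads the three options section 4.4 names, rejects any value that includes the jail prefix, and checks that each path exists inside the jail as named will see it (the directory must exist, the named-xfer binary must exist, and the pid file's parent directory must exist). It assumes the BIND 8 syntax used above, one option per line as key "value";, and takes the jail root and the named.conf path on the command line; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the HOWTO): check the three named.conf options
# of section 4.4 against the jail, using paths as named sees them.
# Assumptions not in the HOWTO: options are written one per line as
#   key "value";   and $1 is the jail root, $2 the named.conf to check.

# Print the quoted value of a named.conf option, or nothing if it is unset.
conf_value() {
    key=$1; conf=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | head -n 1
}

# Check one option. $4 says what must exist at <jail><value>:
# d = a directory, f = a file, p = the parent directory (for the pid file).
check_path_option() {
    jail=$1; conf=$2; key=$3; kind=$4
    value=$(conf_value "$key" "$conf")
    if [ -z "$value" ]; then
        echo "$key: not set"; return 1
    fi
    case $value in
        "$jail"/*) echo "$key: \"$value\" includes the jail prefix; named sees $jail as /"; return 1 ;;
        /*) ;;
        *) echo "$key: \"$value\" is not an absolute path"; return 1 ;;
    esac
    target=$jail$value
    case $kind in
        d) [ -d "$target" ] || { echo "$key: $target is not a directory inside the jail"; return 1; } ;;
        f) [ -f "$target" ] || { echo "$key: $target does not exist inside the jail"; return 1; } ;;
        p) [ -d "$(dirname "$target")" ] || { echo "$key: parent directory of $target is missing inside the jail"; return 1; } ;;
    esac
    return 0
}

# Check all three options; returns the number of problems found.
check_named_conf() {
    jail=$1; conf=$2; problems=0
    check_path_option "$jail" "$conf" directory d  || problems=$((problems + 1))
    check_path_option "$jail" "$conf" pid-file p   || problems=$((problems + 1))
    check_path_option "$jail" "$conf" named-xfer f || problems=$((problems + 1))
    return $problems
}

# Usage: sh check-conf.sh /chroot/named /chroot/named/etc/named.conf
if [ -n "$2" ]; then
    check_named_conf "$1" "$2" && echo "named.conf paths look consistent with the jail"
fi
```

A clean run prints nothing but the final line; each problem otherwise gets one line naming the option and the path that does not resolve inside the jail.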


5. Running BIND

On my RedHat 6.0 system:

/etc/rc.d/init.d/named start

Make sure no other named is already running first. If it doesn't
start, check the logs. That's all there is to it. ^^
