Bind-Chroot-Howto (Debian)
Version 1.3
Author: Falko Timme <falko [dot] timme [at] projektfarm [dot] de>
This document describes how to install the DNS server BIND on Debian so that, for security reasons, it runs inside a chroot jail.
This is a practical guide; it does not cover the theoretical background, which is dealt with in many other documents on the web.
This document comes without warranty of any kind!
Install BIND and Chroot It
apt-get install bind9
For security reasons we want to run BIND chrooted, so we have to carry out the following steps:
/etc/init.d/bind9 stop
On Debian Sarge (3.1):
Edit the file /etc/default/bind9 so that the daemon runs as the unprivileged user "bind", chrooted to /var/lib/named. Modify the line OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
OPTIONS="-u bind -t /var/lib/named"
On Debian Woody (3.0):
Edit the startup script /etc/init.d/bind9 so that the daemon runs as the unprivileged user "nobody", chrooted to /var/lib/named. Modify the line OPTS="" so that it reads OPTS="-u nobody -t /var/lib/named":
#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# for a chrooted server: "-u nobody -t /var/lib/named"
OPTS="-u nobody -t /var/lib/named"

test -x /usr/sbin/named || exit 0

case "$1" in
    start)
        echo -n "Starting domain name service: named"
        start-stop-daemon --start --quiet \
            --pidfile /var/run/named.pid --exec /usr/sbin/named -- $OPTS
        echo "."
        ;;
    stop)
        echo -n "Stopping domain name service: named"
        /usr/sbin/rndc stop
        echo "."
        ;;
    reload)
        /usr/sbin/rndc reload
        ;;
    restart|force-reload)
        $0 stop
        sleep 2
        $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink from the old location to the new config directory (to avoid problems when BIND is updated in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make the null and random devices, and fix the permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
On Debian Sarge (3.1):
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
On Debian Woody (3.0):
chown -R nobody:nogroup /var/lib/named/var/*
chown -R nobody:nogroup /var/lib/named/etc/bind
We need to modify the startup script of sysklogd, /etc/init.d/sysklogd, so that important messages are still logged to the system logs (named inside the chroot cannot reach /dev/log, so syslogd must listen on an additional socket inside the jail). Modify the line SYSLOGD="" so that it reads SYSLOGD="-a /var/lib/named/dev/log":
#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd

test -x $binpath || exit 0

# Options for start/restart the daemons
#   For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"

create_xconsole()
{
    if [ ! -e /dev/xconsole ]; then
        mknod -m 640 /dev/xconsole p
    else
        chmod 0640 /dev/xconsole
    fi
    chown root.adm /dev/xconsole
}

running()
{
    # No pidfile, probably no daemon present
    #
    if [ ! -f $pidfile ]
    then
        return 1
    fi

    pid=`cat $pidfile`

    # No pid, probably no daemon present
    #
    if [ -z "$pid" ]
    then
        return 1
    fi

    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -1`

    # No syslogd?
    #
    if [ "$cmd" != "$binpath" ]
    then
        return 1
    fi

    return 0
}

case "$1" in
    start)
        echo -n "Starting system log daemon: syslogd"
        create_xconsole
        start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
        echo "."
        ;;
    stop)
        echo -n "Stopping system log daemon: syslogd"
        start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
        echo "."
        ;;
    reload|force-reload)
        start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
        ;;
    restart)
        echo -n "Stopping system log daemon: syslogd"
        start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
        echo "."
        sleep 1
        echo -n "Starting system log daemon: syslogd"
        start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
        echo "."
        ;;
    reload-or-restart)
        if running
        then
            start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
        else
            start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
        fi
        ;;
    *)
        echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
        exit 1
esac

exit 0
Restart the logging daemon:
/etc/init.d/sysklogd restart
Start BIND, and check /var/log/syslog for any errors:
/etc/init.d/bind9 start
Good luck!
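The steps above are easy to get subtly wrong (a device node with the wrong major/minor, a real /etc/bind directory left behind instead of the symlink, syslogd restarted without the -a socket), and named then fails or logs nothing. The following Python script is an added example, not part of the original howto, that checks the finished layout against what the steps above create. It takes the chroot root as a parameter (defaulting to /var/lib/named) so it can also be run against a test tree; make_sample_tree() builds such a constructed tree under a temporary directory without device nodes, since mknod needs root.

```python
"""Sanity checks for the chrooted BIND layout built by the howto (added example).

Checks, relative to the chroot root:
  - the directories created with mkdir exist
  - dev/null is char 1,3 and dev/random is char 1,8
  - dev/log exists and is a socket (sysklogd was restarted with -a)
  - optionally, that config/cache dirs belong to the expected uid
Also parses the OPTS=/OPTIONS= line of /etc/default/bind9 or the init script
to confirm named is started with -u <user> -t <chroot>.
"""
import os
import re
import socket
import stat
import tempfile

DEFAULT_ROOT = "/var/lib/named"

# Directories the howto creates inside the chroot.
REQUIRED_DIRS = ("etc/bind", "dev", "var/cache/bind", "var/run/bind/run")
# Character devices named needs: relative path -> (major, minor).
REQUIRED_DEVICES = {"dev/null": (1, 3), "dev/random": (1, 8)}


def check_layout(root=DEFAULT_ROOT, owner_uid=None):
    """Return a list of problems found in the chroot tree (empty list = OK)."""
    problems = []
    for rel in REQUIRED_DIRS:
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            problems.append(f"missing directory {path}")
    for rel, (major, minor) in REQUIRED_DEVICES.items():
        path = os.path.join(root, rel)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            problems.append(f"missing device node {path}")
            continue
        if not stat.S_ISCHR(st.st_mode):
            problems.append(f"{path} is not a character device")
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            problems.append(f"{path} has wrong major/minor (want {major},{minor})")
    log = os.path.join(root, "dev/log")
    if not (os.path.exists(log) and stat.S_ISSOCK(os.stat(log).st_mode)):
        problems.append(f"syslog socket {log} missing: was sysklogd restarted with -a?")
    if owner_uid is not None:
        for rel in ("etc/bind", "var/cache/bind"):
            path = os.path.join(root, rel)
            if os.path.isdir(path) and os.stat(path).st_uid != owner_uid:
                problems.append(f"{path} is not owned by uid {owner_uid}")
    return problems


def check_symlink(link="/etc/bind", root=DEFAULT_ROOT):
    """True if `link` is a symlink that resolves to <root>/etc/bind."""
    target = os.path.join(root, "etc/bind")
    return os.path.islink(link) and os.path.realpath(link) == os.path.realpath(target)


_OPTS_RE = re.compile(r'^\s*(OPTS|OPTIONS)\s*=\s*"([^"]*)"', re.M)


def parse_named_options(text):
    """Return (user, chroot) from an OPTS=/OPTIONS= line; None for values not set."""
    m = _OPTS_RE.search(text)
    if not m:
        return (None, None)
    args = m.group(2).split()
    user = chroot = None
    for i, a in enumerate(args):
        if a == "-u" and i + 1 < len(args):
            user = args[i + 1]
        elif a == "-t" and i + 1 < len(args):
            chroot = args[i + 1]
    return (user, chroot)


def make_sample_tree():
    """Constructed test tree: directories, the dev/log socket and a symlink,
    but no device nodes (mknod needs root). Returns (root, link_path)."""
    base = tempfile.mkdtemp(prefix="named-")
    root = os.path.join(base, "chroot")
    for rel in REQUIRED_DIRS:
        os.makedirs(os.path.join(root, rel))
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(os.path.join(root, "dev/log"))  # the socket file stays after close()
    s.close()
    link = os.path.join(base, "etc-bind")
    os.symlink(os.path.join(root, "etc/bind"), link)
    return root, link


if __name__ == "__main__":
    for p in check_layout() or ["chroot layout OK"]:
        print(p)
    print("/etc/bind symlink OK" if check_symlink() else "/etc/bind is not a symlink into the chroot")
    if os.path.exists("/etc/default/bind9"):
        with open("/etc/default/bind9") as f:
            print("named starts as user/chroot:", parse_named_options(f.read()))
```

Run it as root on the configured host; on the sample tree the two device nodes are reported missing, which is the expected result there.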