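#!/bin/sh
#
# Kyle Amon
# GNUTEC Information Technology Solutions
# http://www.gnutec.com/
# amonk@gnutec.com
# 203-668-UNIX
#
# chroot-bind
#
# Automate the steps necessary to set up BIND in a chroot(2) jail
# on FreeBSD systems.
#
# Usage: chroot-bind        (run as root, no arguments)
#
# Steps, in order:
#   1. refuse to run unless the ports tree holds the bind8 version this
#      script was written against;
#   2. build statically linked named, named-xfer and ndc from the port;
#   3. create the jail directory tree under /etc/namedb, owned root:bind;
#   4. copy the static binaries, /etc/localtime and a /dev/null node
#      into the jail;
#   5. append the named_*/syslogd_flags settings to /etc/rc.conf (once);
#   6. make the original, dynamically linked named binaries unusable.
#
# Every step either succeeds or aborts the script: "set -e" plus explicit
# checks on each cd, so a failed cd can never let the following rm or
# make run loose in the wrong directory.  The temp files used while
# editing the port sources live next to the file being edited instead of
# under fixed names in /tmp, so no other local user can pre-create them
# (e.g. as symlinks) while root runs this script.
#

set -eu

# The bind8 port version this script was written for and tested against.
forbindver=8.2.2.p5
readonly forbindver

# Port directory, jail root and rc file used throughout.
portdir=/usr/ports/net/bind8
jail=/etc/namedb
rc=/etc/rc.conf
readonly portdir jail rc

#######################################
# Print a message on stderr and abort the script.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Rewrite a file through sed(1) via a sibling temp file, then rename the
# result over the original.  A sibling file inherits the (root-owned)
# work directory's protection, unlike a fixed name in /tmp.
# Arguments: $1 - sed expression, $2 - file to edit in place
#######################################
edit_in_place() {
  sed "$1" "$2" > "$2.chroot-bind.tmp"
  mv "$2.chroot-bind.tmp" "$2"
}

#######################################
# mkdir -p followed by an explicit chmod, so the mode is applied whether
# or not the directory already existed (re-running the script is safe).
# Arguments: $1 - octal mode, $2 - directory
#######################################
mkjaildir() {
  mkdir -p "$2"
  chmod "$1" "$2"
}

#######################################
# What the hell, a little sanity
#
# Compare the port's PORTVERSION against the version this script was
# written for and refuse to continue on a mismatch.
# Globals: forbindver (read), portdir (read), PORTVERSION (written)
#######################################
check_port_version() {
  [ -r "$portdir/Makefile" ] \
    || die "cannot read $portdir/Makefile; is the ports tree installed?"
  # Anchor on the line start so only the PORTVERSION assignment matches.
  PORTVERSION=$(grep '^PORTVERSION' "$portdir/Makefile" | awk '{print $2}')
  if [ "$forbindver" != "$PORTVERSION" ] ; then
    echo "Whoa! This script was written for use with a ports collection" >&2
    echo "containing bind $forbindver and the ports tree on your system" >&2
    echo "appears to contain bind $PORTVERSION. Make sure this script" >&2
    echo "will behave as expected on your system prior to running it or" >&2
    echo "you may be sorry. Edit the script if needed, sending any" >&2
    echo "improvements to amonk@gnutec.com as context diffs." >&2
    exit 1
  fi
}

#######################################
# Make static binaries
#
# "make install" builds and installs the port as shipped; the three
# binaries are then removed, the port's build settings switched to
# "-static", and they are rebuilt.  The jail created below contains no
# shared libraries, so only static binaries can run inside it.
# Globals: portdir (read)
#######################################
build_static_binaries() {
  cd "$portdir" || die "cannot cd to $portdir"
  make install
  rm -f -- work/src/bin/named/named
  rm -f -- work/src/bin/named-xfer/named-xfer
  rm -f -- work/src/bin/ndc/ndc
  rm -f -- work/src/bin/ndc/ndc.o
  # Earlier port releases had "CDEBUG=-O2" here instead of "CDEBUG=${CFLAGS}":
  #   sed 's/CDEBUG=-O2/CDEBUG=-O2 -static/g'
  edit_in_place 's/CDEBUG=${CFLAGS}/CDEBUG=-O2 -static/g' work/src/.settings
  # ndc talks to named through a control socket; point it at the one
  # inside the jail, since named will create it relative to its chroot.
  edit_in_place 's/\/var\/run\/ndc/\/etc\/namedb\/var\/run\/ndc/g' \
    work/src/bin/ndc/pathnames.h
  cd work/src || die "cannot cd to $portdir/work/src"
  make
}

#######################################
# Create chroot jail
#
# Directory modes: 2750 for trees the bind group only needs to read,
# 2770 where named itself must write (secondary/stub zones, var/*).
# Globals: jail (read)
#######################################
create_jail() {
  mkjaildir 2750 "$jail"
  mkjaildir 2750 "$jail/dev"
  mkjaildir 2750 "$jail/etc"
  mkjaildir 2750 "$jail/etc/namedb"
  mkjaildir 2750 "$jail/etc/namedb/pz"
  mkjaildir 2770 "$jail/etc/namedb/sz"
  mkjaildir 2770 "$jail/etc/namedb/stubz"
  mkjaildir 2750 "$jail/usr"
  mkjaildir 2750 "$jail/usr/local"
  mkjaildir 2750 "$jail/usr/local/libexec"
  mkjaildir 2750 "$jail/usr/local/sbin"
  mkjaildir 2750 "$jail/var"
  mkjaildir 2770 "$jail/var/run"
  mkjaildir 2770 "$jail/var/log"
  mkjaildir 2770 "$jail/var/tmp"
  chown -R root:bind "$jail"
}

#######################################
# Copy statically linked binaries into the chroot jail, plus the
# remaining files the jailed named needs.
#
# ndc is deliberately installed outside the jail: it is run by the
# administrator, not by named, and was patched above to reach the
# jail's control socket.
# Globals: portdir (read), jail (read)
#######################################
install_binaries() {
  cp "$portdir/work/src/bin/named/named" "$jail/usr/local/sbin"
  cp "$portdir/work/src/bin/named-xfer/named-xfer" "$jail/usr/local/libexec"
  cp "$portdir/work/src/bin/ndc/ndc" /usr/local/sbin/ndc
  cp /etc/localtime "$jail/etc"
  # Only create the device node on the first run; mknod fails if it exists.
  if [ ! -c "$jail/dev/null" ]; then
    mknod "$jail/dev/null" c 2 2
  fi
  chmod 666 "$jail/dev/null"
}

#######################################
# Massage initialization files into shape
#
# Appends the named_* and syslogd_flags settings to rc.conf.  The block
# is written only once: a re-run finds the marker comment and skips it,
# so rc.conf does not accumulate duplicate settings.
# Globals: rc (read)
#######################################
update_rc_conf() {
  if grep -qF -- '-- generated with chroot-bind for FreeBSD --' "$rc"; then
    return 0
  fi
  {
    echo ""
    echo "# -- generated with chroot-bind for FreeBSD -- #"
    echo "# -- by Kyle Amon -- #"
    echo "# -- GNUTEC Information Technology Solutions -- #"
    echo "# -- http://www.gnutec.com/ -- #"
    echo "# -- amonk@gnutec.com -- #"
    echo "# -- 203-668-UNIX -- #"
    echo 'named_enable="YES"'
    echo 'named_program="/etc/namedb/usr/local/sbin/named"'
    echo 'named_flags="-t /etc/namedb -u bind -g bind /etc/namedb/named.conf"'
    echo 'syslogd_flags="-ss -l /etc/namedb/dev/log"'
    echo ""
  } >> "$rc"
}

#######################################
# Disable original named
#
# Mode 000 on the dynamically linked binaries so the unjailed named
# cannot be started by accident.  Missing files are skipped rather than
# aborting the run.
#######################################
disable_original_named() {
  for f in /usr/sbin/named /usr/local/sbin/named /usr/sbin/ndc \
      /usr/libexec/named-xfer /usr/local/libexec/named-xfer; do
    if [ -e "$f" ]; then
      chmod 000 "$f"
    fi
  done
}

main() {
  [ "$(id -u)" -eq 0 ] || die "chroot-bind must be run as root"
  check_port_version
  build_static_binaries
  create_jail
  install_binaries
  update_rc_conf
  disable_original_named
}

main "$@"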