|
|
FreeBSD5.2.1-RELEASE-p8
bind9.2.3 installed by port_replace_base
Notes: It is just a install memo of me but not a text for named.
[code:1:d452d51f00]
$ man named
......
OPTIONS
-t directory
chroot() to directory after processing the command line argu-
ments, but before reading the configuration file.
Warning: This option should be used in conjunction with the -u
option, as chrooting a process running as root doesn't enhance
security on most systems; the way chroot() is defined allows a
process with root privileges to escape a chroot jail.
......
# ps -ax|grep named
2611 ?? Ss 0:00.79 /usr/sbin/named -c /etc/namedb/named.conf -u bind
[/code:1:d452d51f00]
the original bind's working directory in FreeBSD5.x
[code:1:d452d51f00]
working directory:
/etc/namedb
/var/run/named
/etc
/dev
files options of the original named.conf:
......
include "/etc/namedb/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
inet ::1 allow { localhost; } keys { "rndc-key"; };
};
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
version "Windows 95";
recursion no;
auth-nxdomain yes;
listen-on-v6 {
any;
};
dump-file "s/named_dump.db";
};
logging {
channel bind_log {
file "/var/log/named/named.log";
severity info;
};
category xfer-out {
bind_log;
};
category default {
default_syslog;
};
};
zone "." {
type hint;
file "named.root";
};
......
[/code:1:d452d51f00]
Then, Let's run a named with "option -t".
Step 1: check what is chroot's named process need.
[code:1:d452d51f00]
+/var/named($chroot)
+---dev/
| +null
| +random
|
+---etc/
| +localtime
| +namedb/
| +named.conf
| +rndc.conf
| +rndc.key
| +*.zone
| +*.rev
| +named.root
| +s/
|
+var/
+log/
| +named/named.log
|
+run/
+named/
+pid
[/code:1:d452d51f00]
Step 3: Make new chroot directory for bind9
[code:1:d452d51f00]
# cd /var/ && mkdir named && cd /var/named
# mkdir -p dev etc/namedb dev var/run/named var/log/named
# cd dev && mknod null c 1 3 && mknod random c 249 0 && chmod 666 *
# cd ../etc && cp /etc/localtime .
# cd namedb ; cp -Rp /etc/namedb/* .
# cd ../../var ; chown -R bind:bind *
[/code:1:d452d51f00]
Step 4: restart named service.
[code:1:d452d51f00]
# kill `cat /var/run/named/pid`
# /usr/sbin/named -t /var/named -c /etc/namedb/named.conf -u bind
# ps -aux | grep named
bind 2858 1.8 1.6 4168 2900 ?? Ss 9:36AM 0:00.13 /usr/sbin/named -t /var/named -c /etc/namedb/named.conf -u bind
# tail /var/log/messages
May 30 09:36:26 tech named[2858]: starting BIND 9.2.3 -t /var/named -c /etc/namedb/named.conf -u bind
May 30 09:36:26 tech named[2858]: command channel listening on 127.0.0.1#953
May 30 09:36:26 tech named[2858]: command channel listening on ::1#953
# /usr/sbin/rndc status
number of zones: 12
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running
* It is OK !
[/code:1:d452d51f00]
Step 5: edit the named service option in /etc/rc.conf
[code:1:d452d51f00]
# vi /etc/rc.conf
.....
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-t /var/named -c /etc/namedb/named.conf -u bind"
.....
[/code:1:d452d51f00]
| coolend 回复于:2004-05-31 12:25:20
| First thanks to the building owner ! (*^_^*)
I configure my bind9 according to the above method, but get the
following information:
loading configuration from '/etc/named.conf'
command channel listening on 127.0.0.1#953
could not open entropy source /dev/random: permission denied <-- Why ?
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.168.192.in-addr.arpa/IN: loaded serial 1997022700
zone localhost/IN: loaded serial 42
zone muddyboot.org/IN: loaded serial 42
running
startup succeeded
The permission on <chroot_dir>/dev/random is 0666
No matter how do i change the permission, the error message still exists(even chmod -R 777 <chroot_dir> or chown -R named.named <chroot_dir>)
| | ports 回复于:2004-05-31 19:14:32
| named.named....
redhat?
试试这个:
# cd /var/named/dev && mknod random c 1 8
| |
|
