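#!/bin/sh
#
# Kyle Amon
# GNUTEC Information Technology Solutions
# http://www.gnutec.com/
# amonk@gnutec.com
# 203-668-UNIX
#
# Automate the steps necessary to set up BIND in a chroot(2) jail on
# FreeBSD 3.3 systems.
#
# Usage: run as root on a FreeBSD 3.3-RELEASE host with the ports tree
# installed.  The steps, in order:
#   1. build the bind8 port, then relink named, named-xfer and ndc
#      statically so they can run inside the jail without any shared
#      libraries being copied in
#   2. create the jail directory tree under /etc/namedb
#   3. copy the static binaries and the few extra files the jail needs
#   4. append the named/syslogd settings to /etc/rc.conf (once)
#   5. disable the non-jailed named/ndc binaries
#
# /bin/sh on FreeBSD 3.3 is ash, so everything here stays POSIX: no [[ ]],
# arrays or pipefail.  Every step is fatal on failure (set -e) so a broken
# build never leaves a half-populated jail behind.
#
set -eu

jail=/etc/namedb
port=/usr/ports/net/bind8
rc=/etc/rc.conf
marker='generated with chroot-bind for FreeBSD'

#
# What the hell, a little sanity
#
release=$(uname -sr)
if [ "$release" != "FreeBSD 3.3-RELEASE" ] ; then
  echo "Whoa! This script was written for FreeBSD 3.3 and your system" >&2
  echo "appears to be $release. Before running it, make sure" >&2
  echo "it will behave as expected on your system or you may be sorry." >&2
  echo "Just edit the script as needed. Improve it if you like." >&2
  exit 1
fi

# Everything below writes under /etc and /usr; fail early instead of
# getting a permission error halfway through.
if [ "$(id -u)" -ne 0 ] ; then
  echo "This script must be run as root." >&2
  exit 1
fi

#
# Make static binaries
#
cd "$port" || exit 1
make install

# Throw away the dynamically linked results so the rebuild below relinks
# them.  -f keeps a re-run from aborting when they are already gone.
rm -f work/src/bin/named/named
rm -f work/src/bin/named-xfer/named-xfer
rm -f work/src/bin/ndc/ndc
rm -f work/src/bin/ndc/ndc.o

# Edit in place via a temp file next to the target: the port's work tree
# is not world-writable, unlike /tmp, so nobody else can pre-create or
# symlink the temp name.  (sed -i is not available on 3.3.)
settings="$port/work/src/.settings"
sed 's/CDEBUG=-O2/CDEBUG=-O2 -static/g' "$settings" > "$settings.new"
mv "$settings.new" "$settings"

# ndc talks to named over a socket; point it at the path as seen from
# outside the jail.
pathnames="$port/work/src/bin/ndc/pathnames.h"
sed 's/\/var\/run\/ndc/\/etc\/namedb\/var\/run\/ndc/g' "$pathnames" > "$pathnames.new"
mv "$pathnames.new" "$pathnames"

cd work/src || exit 1
make

#
# Create chroot jail
#
# mkdir -m only applies to the last path component, so modes are set
# explicitly afterwards for every directory.  -p makes this re-runnable.
#
mkdir -p "$jail/dev" "$jail/etc" "$jail/usr/local/libexec" \
  "$jail/var/run" "$jail/var/log" "$jail/var/tmp" \
  "$jail/pz" "$jail/sz" "$jail/stubz"
# read-only for the bind group
chmod 2750 "$jail" "$jail/dev" "$jail/etc" "$jail/usr" "$jail/usr/local" \
  "$jail/usr/local/libexec" "$jail/var" "$jail/pz"
# named must write here (pid/socket, logs, temp files, secondary zones)
chmod 2770 "$jail/var/run" "$jail/var/log" "$jail/var/tmp" \
  "$jail/sz" "$jail/stubz"
chown -R root:bind "$jail"

#
# Copy staticly linked binaries into chroot jail
#
cd "$port" || exit 1
cp work/src/bin/named/named "$jail"
cp work/src/bin/named-xfer/named-xfer "$jail/usr/local/libexec"
cp work/src/bin/ndc/ndc /usr/local/sbin/ndc

#
# Copy/create remaining files necessary for the chroot jail
#
cp /etc/localtime "$jail/etc"
# /dev/null inside the jail (char 2,2 on FreeBSD 3.x); skip if it exists.
if [ ! -c "$jail/dev/null" ] ; then
  mknod "$jail/dev/null" c 2 2
fi
chmod 666 "$jail/dev/null"

#
# Massage initialization files into shape
#
# Append once only: a second run must not duplicate the rc.conf block.
#
if grep -q "$marker" "$rc" ; then
  echo "$rc already contains the chroot-bind settings; not appending again." >&2
else
  cat >> "$rc" <<'EOF'

# -- generated with chroot-bind for FreeBSD -- #
# -- by Kyle Amon -- #
# -- GNUTEC Information Technology Solutions -- #
# -- http://www.gnutec.com/ -- #
# -- amonk@gnutec.com -- #
# -- 203-668-UNIX -- #
named_enable="YES"
named_program="/etc/namedb/named"
named_flags="-t /etc/namedb -u bind -g bind named.conf"
syslogd_flags="-ss -l /etc/namedb/dev/log"

EOF
fi

#
# Disable original named
#
# Leave the files in place (the port and base system own them) but make
# them unusable so nothing starts an un-jailed named by accident.
#
chmod 000 /usr/sbin/named
chmod 000 /usr/local/sbin/named
chmod 000 /usr/sbin/ndc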