After reading a couple of very nice documents about securing BIND[1][2], I decided to write an RPM spec file to facilitate building the chroot jail. So here it is. This could have been done with a simple shell script, but I thought it would be easier to install and maintain if it were done with package management.

Wil

-- 
W. Reilly Cooley            wcooley nakedape cc
Naked Ape Consulting        http://nakedape.cc
irc.linux.com  #orlug,#pdxlug,#lnxs
Love is the triumph of imagination over intelligence. -- H. L. Mencken
%define name bind-jail
%define release 1
# Root of the jail (RPM macro names may only contain letters, digits and "_").
%define chroot_dir /var/chroot/named
# Set this to 1 if you intend to launch named with chroot(8)
# instead of using the -t <chrootdir> option. It might
# provide more security.
%define system_chroot 0
Summary: chroot jail environment for BIND
Name: %{name}
Version: 9.1.3
Release: %{release}
Group: System Environment/Libraries
Copyright: GPL
BuildRoot: %{_tmppath}/%{name}-root
BuildPrereq: bind, bind-utils, glibc, openssl
Prereq: bind
Autoprov: 0
Autoreq: 0
%description
Chroot jail environment for BIND. This is a collection of system
libraries and config files necessary to support running BIND in a
chroot'd jail on Red Hat 7.2.
This RPM attempts to migrate config files over, but only
based on Red Hat default locations. If you use other
locations, you must copy your files manually. Also, you
must edit /etc/sysconfig/syslog and change:
SYSLOGD_OPTIONS="-m 0"
to
SYSLOGD_OPTIONS="-m 0 -a /var/chroot/named/dev/log"
%install
# Nothing to compile: the jail is assembled directly in the buildroot.
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
CHROOT=$RPM_BUILD_ROOT/var/chroot/named
mkdir -p ${CHROOT}/{etc,var,dev}
mkdir -p ${CHROOT}/var/log
mkdir -p ${CHROOT}/var/named
mkdir -p ${CHROOT}/var/run/named
cp -a /etc/localtime ${CHROOT}/etc/
%if %{system_chroot}
mkdir -p ${CHROOT}/lib
cp -a /usr/lib/liblwres* ${CHROOT}/lib
cp -a /usr/lib/libomapi* ${CHROOT}/lib
cp -a /usr/lib/libdns* ${CHROOT}/lib
cp -a /usr/lib/libisc* ${CHROOT}/lib
cp -a /lib/libdl* ${CHROOT}/lib
cp -a /lib/ld-linux.so* ${CHROOT}/lib
cp -a /lib/libcrypto* ${CHROOT}/lib
cp -a /lib/$(uname -m)/libc* ${CHROOT}/lib
cp -a /lib/$(uname -m)/libpthread* ${CHROOT}/lib
mkdir -p ${CHROOT}/sbin
cp -a /usr/sbin/named ${CHROOT}/sbin
%endif
# Device nodes. mknod(1) needs root, so this package must be built as root.
mknod ${CHROOT}/dev/null c 1 3
mknod ${CHROOT}/dev/zero c 1 5
mknod ${CHROOT}/dev/random c 1 8
mknod ${CHROOT}/dev/urandom c 1 9
%post
# Attempt to migrate existing configuration files
if [ ! -e /var/chroot/named/etc/named.conf -a -e /etc/named.conf ]; then
cp -a /etc/named.conf /var/chroot/named/etc
fi
if [ ! -e /var/chroot/named/etc/rndc.key -a -e /etc/rndc.key ]; then
cp -a /etc/rndc.key /var/chroot/named/etc
chgrp named /var/chroot/named/etc/rndc.key
chmod g+r /var/chroot/named/etc/rndc.key
fi
# Copy the zone files only if the jail's var/named is still empty.
# (A glob inside "[ ]" fails as soon as it expands to more than one file.)
if [ -z "$(ls -A /var/chroot/named/var/named)" ]; then
cp -a /var/named/* /var/chroot/named/var/named
fi
# Add sysconfig option (the Red Hat init script passes it to named as -t):
if [ -f /etc/sysconfig/named ]; then
. /etc/sysconfig/named
fi
if [ -z "${ROOTDIR}" ]; then
echo "ROOTDIR=/var/chroot/named" >> /etc/sysconfig/named
fi
%files
%defattr(-,root,named)
%dir %attr(770,named,named) /var/chroot/named/var/run/named
%attr(666,root,root) /var/chroot/named/dev/null
# Everything else in the jail keeps the buildroot mode, owned root:named
/var/chroot/named/*
%changelog
* Fri Nov 30 2001 Wil Cooley <wcooley nakedape cc>
- Release 1
- Initial creation
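An added audit script, not part of Wil's spec, for checking a jail built this way: it reads `ldd` output for named on stdin and reports shared objects that are missing from the jail (looking at the original path and in the jail's /lib and /usr/lib, where the spec copies them), and lists the device nodes and the syslog socket still absent. The jail path and the glibc `ldd` line format are the assumptions; the library check only matters for the system_chroot=1 layout, since with `-t` named has already loaded its libraries before it chroots.

```shell
#!/bin/sh
# Jail audit for a BIND chroot laid out like the spec above (added example).
# Usage: ldd /usr/sbin/named | jail_missing_libs /var/chroot/named
#        jail_missing_devs /var/chroot/named

# Extract the library path from each ldd line. Handles both forms:
#   "libc.so.6 => /lib/i686/libc.so.6 (0x40100000)"
#   "/lib/ld-linux.so.2 (0x40000000)"
# Lines without a path (the vDSO "linux-gate.so.1 =>  (0x...)" entry, or
# "=> not found", which ldd already flags on its own) are dropped.
ldd_paths() {
    sed -n 's#^[[:space:]]*\(.* => \)\{0,1\}\(/[^ ]*\) (0x[0-9a-f]*)$#\2#p'
}

# Print each library that is neither at its original path under the jail
# nor in the jail's /lib or /usr/lib (the spec copies everything into /lib,
# which the dynamic loader searches by default when there is no ld.so.cache).
jail_missing_libs() {
    jail=$1
    ldd_paths | while read -r lib; do
        base=${lib##*/}
        if [ ! -e "$jail$lib" ] && [ ! -e "$jail/lib/$base" ] \
           && [ ! -e "$jail/usr/lib/$base" ]; then
            echo "$lib"
        fi
    done
}

# Print the character devices the spec creates with mknod that are absent,
# plus the /dev/log socket that "syslogd -a <jail>/dev/log" should create.
jail_missing_devs() {
    jail=$1
    for dev in null zero random urandom; do
        [ -c "$jail/dev/$dev" ] || echo "/dev/$dev"
    done
    [ -S "$jail/dev/log" ] || echo "/dev/log"
}
```

An empty result from both functions means the jail has what the spec intends to put there; it does not prove named's configuration inside the jail is complete.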