Securing and Optimizing Linux: RedHat Edition - A Hands on Guide
Chapter 21. Software - Networking
We must tell syslogd, the syslog daemon, about the new chrooted service. Normally a process talks to syslogd through the socket /dev/log, but from inside the chroot jail named cannot reach it, so syslogd must be told to listen on an additional socket at /chroot/named/dev/log as well as on the default /dev/log. To do this, edit the syslog startup script so that syslogd is started with the extra listening socket.
Edit the syslog script file (vi +24 /etc/rc.d/init.d/syslog) and change the line:
daemon syslogd -m 0
To read:
daemon syslogd -m 0 -a /chroot/named/dev/log
The default named script file of ISC BIND/DNS starts the named daemon outside the chroot jail. We must change it to start named from inside the chroot jail. Edit the named script file (vi /etc/rc.d/init.d/named) and change the lines:
[ -f /usr/sbin/named ] || exit 0
To read:
[ -f /chroot/named/usr/sbin/named ] || exit 0

[ -f /etc/named.conf ] || exit 0
To read:
[ -f /chroot/named/etc/named.conf ] || exit 0

daemon named
To read:
daemon /chroot/named/usr/sbin/named -t /chroot/named/ -unamed -gnamed
The -t option tells named to start up using the new chroot environment: named itself changes its root to /chroot/named/, so every path it reads from named.conf is resolved inside the jail.
The -u option specifies the user to run as; named switches to this unprivileged user once it has started, so a compromise of the daemon does not yield root.
The -g option specifies the group to run as. Here both are named, which must exist as an unprivileged user and group on the system before the script is run.
Starting with BIND 8.2, the ndc command of ISC BIND/DNS is a compiled binary rather than a script, and the locations it uses to reach named are fixed at compile time. The shipped ndc therefore looks for named's run-time files outside the jail, which renders it useless in our chroot environment. To fix this, the ISC BIND/DNS package must be compiled again from source with the chroot paths built in. To do this, from the top level of the ISC BIND/DNS source directory:
For the ndc utility:
[root@deep] /# cp bind-src.tar.gz /var/tmp
[root@deep] /# cd /var/tmp/
[root@deep ]/tmp# tar xzpf bind-src.tar.gz
[root@deep ]/tmp# cd src
[root@deep ]/src# cp port/linux/Makefile.set port/linux/Makefile.set-orig
Edit the Makefile.set file (vi port/linux/Makefile.set) to make the changes listed below:
'CC=egcs -D_GNU_SOURCE'
'CDEBUG=-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -g'
'DESTBIN=/usr/bin'
'DESTSBIN=/chroot/named/usr/sbin'
'DESTEXEC=/chroot/named/usr/sbin'
'DESTMAN=/usr/man'
'DESTHELP=/usr/lib'
'DESTETC=/etc'
'DESTRUN=/chroot/named/var/run'
'DESTLIB=/usr/lib/bind/lib'
'DESTINC=/usr/lib/bind/include'
'LEX=flex -8 -I'
'YACC=yacc -d'
'SYSLIBS=-lfl'
'INSTALL=install'
'MANDIR=man'
'MANROFF=cat'
'CATEXT=$$N'
'PS=ps p'
'AR=ar crus'
'RANLIB=:'
The difference between the Makefile.set we used before and this one is that the DESTSBIN=, DESTEXEC= and DESTRUN= lines now point into the chrooted BIND/DNS tree. With this modification the rebuilt ndc looks for named's binary and its run-time files (such as the pid file under DESTRUN) below /chroot/named, and so knows where to find the chrooted named. Only ndc is taken from this build; the named binary already installed in the jail is left as it is.
[root@deep ]/src# make clean
[root@deep ]/src# make
[root@deep ]/src# cp bin/ndc/ndc /usr/sbin/
cp: overwrite `/usr/sbin/ndc'? y
[root@deep ]/src# strip /usr/sbin/ndc
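The three edits above (syslogd's extra socket, the chrooted named start line, and the rebuilt ndc) each fail quietly when they are wrong: named simply logs nothing, keeps running as root, or ndc cannot reach it. The script below is an added example written for this page, not code from the book or from ISC, that verifies the result after named has been started. It assumes, as the book's DESTRUN= setting implies, that named's pid file is at /chroot/named/var/run/named.pid when viewed from outside the jail, that the jail root and the unprivileged account are /chroot/named and named as in the text, and that the compiled-in DESTRUN path survives as a plain string in the ndc binary. Each check is a function that can be pointed at a test tree instead of the live system.

```shell
#!/bin/sh
# Added example, not from the book: post-start checks for a chrooted BIND 8.
# Assumptions (mine): pid file at $CHROOT/var/run/named.pid, jail root
# /chroot/named, unprivileged user "named", DESTRUN string embedded in ndc.

CHROOT=${CHROOT:-/chroot/named}

# 1. Does the jail contain what the edited init scripts expect?
#    The socket test catches a syslogd started without "-a $root/dev/log";
#    named would then log nothing at all rather than fail visibly.
check_chroot_layout() {
    root=$1
    rc=0
    for f in usr/sbin/named etc/named.conf; do
        [ -f "$root/$f" ] || { echo "missing: $root/$f"; rc=1; }
    done
    [ -S "$root/dev/log" ] || { echo "no socket at $root/dev/log (syslogd -a missing?)"; rc=1; }
    return $rc
}

# 2. Is the running named really chrooted and really non-root?
#    /proc/PID/root resolves to the jail for a chrooted process, and the
#    first number on the Uid: line is the real uid after -u took effect.
#    The optional third argument points at a fake /proc for testing.
check_named_process() {
    pid=$1
    want_root=$2
    proc=${3:-/proc}
    actual=$(readlink "$proc/$pid/root") || { echo "cannot read $proc/$pid/root"; return 1; }
    if [ "$actual" != "$want_root" ]; then
        echo "pid $pid has root $actual, expected $want_root"
        return 1
    fi
    [ -r "$proc/$pid/status" ] || { echo "cannot read $proc/$pid/status"; return 1; }
    uid=$(awk '/^Uid:/ { print $2 }' "$proc/$pid/status")
    if [ -z "$uid" ] || [ "$uid" -eq 0 ]; then
        echo "pid $pid is running as root (uid ${uid:-unknown})"
        return 1
    fi
    return 0
}

# 3. Was ndc rebuilt with DESTRUN pointing into the jail?
#    grep -a searches the binary as text, so binutils is not required.
check_ndc_paths() {
    ndc=$1
    root=$2
    grep -a -q "$root/var/run" "$ndc"
}

# Run all three against the live system:  sh check-named.sh run   (as root)
case "${1-}" in
run)
    status=0
    check_chroot_layout "$CHROOT" || status=1
    pid=$(cat "$CHROOT/var/run/named.pid" 2>/dev/null)
    if [ -z "$pid" ]; then
        echo "no pid file at $CHROOT/var/run/named.pid; is named started?"
        status=1
    else
        check_named_process "$pid" "$CHROOT" || status=1
    fi
    check_ndc_paths /usr/sbin/ndc "$CHROOT" || status=1
    exit $status
    ;;
esac
```

The process check deliberately reads /proc rather than trusting the init script: the script can be edited correctly and named still end up outside the jail or as uid 0 if, for example, an older named binary that ignores -t or -u is what actually starts. Reading the pid file from the host side path is itself a small confirmation that DESTRUN was changed, since an unmodified build would have written it to /var/run instead.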