# chroot named enviroment on RedHat 7.3
# christopher M Downs
# 10.30.02

# obviuosly this is a walk through...
# and hopefully this may become useful in some way to you.

[root@asimov linux]# vi /etc/passwd

named:x:25:25:Named:/var/chroot:/bin/false

# notice that we moved the $HOME from /home/named to /var/chroot we are paraniod right ????

# Make sure your group matches
[root@asimov chroot]# cat /etc/group | grep named
named:x:25:
[root@asimov chroot]#

# Lets setup the Chroot Enviroment

[root@asimov linux]# mkdir /var/chroot
[root@asimov linux]# cd /var/chroot/
[root@asimov chroot]# mkdir -p etc lib dev usr/sbin var/named var/run/named
[root@asimov chroot]# chmod -R 750 /var/chroot/
[root@asimov chroot]# mknod -m 666 dev/null c 1 3
[root@asimov chroot]# mknod -m 666 dev/random c 1 8
[root@asimov chroot]# cp -f /lib/libc.so.6 /var/chroot/lib/
[root@asimov chroot]# cp -f /lib/ld-linux.so.2 /var/chroot/lib/
[root@asimov chroot]# cp -f /usr/sbin/named* /var/chroot/usr/sbin/
[root@asimov chroot]# chmod 750 /var/chroot/usr/sbin/named*

# copy over the required libraries needed for named to run.

cp -f /lib/libc.so.6 /home/chroot/lib
cp -f /lib/ld-linux.so.2 /home/chroot/lib

# copy over named binaries to chroot world
cp -f /usr/sbin/named* /home/chroot/usr/sbin
chmod 750 /home/chroot/usr/sbin/named*

# make sure we never start named out of this jail
chmod 000 /usr/sbin/named

# lets make sure that it owned by named
[root@asimov chroot]# chown -R named:named /var/chroot/
[root@asimov chroot]# cd /var/chroot/
[root@asimov chroot]# ls -l
total 5
drwxr-x---    2 named    named        1024 Oct 30 04:16 dev
drwxr-x---    2 named    named        1024 Oct 30 04:15 etc
drwxr-x---    2 named    named        1024 Oct 30 04:17 lib
drwxr-x---    3 named    named        1024 Oct 30 04:15 usr
drwxr-x---    4 named    named        1024 Oct 30 04:15 var
[root@asimov chroot]#

# copy named.conf over to new chroot jail
cp /etc/named.conf /var/chroot/etc/

# create a new root dns server list
dig @a.root-servers.net . ns > /home/chroot/var/named/root.ca

# change syslog to log to chrooted enviroment

[root@huxley named]# cat /etc/rc.d/init.d/syslog | grep SYSLOG
# changed logging for chrooted named
#        SYSLOGD_OPTIONS="-m 0"
        SYSLOGD_OPTIONS="-a /var/chroot/dev/log -m 0"
        daemon syslogd $SYSLOGD_OPTIONS
[root@huxley named]#

# edit /etc/resolv/conf for new build and resolution
[root@huxley named]# cat /etc/resolv.conf
search skillsoft.com
nameserver 127.0.0.1
[root@huxley named]#

# make sure everything is right OWNER !
chown -R named:named /var/chroot

# use this script with RedHat 7.3 as I hacked it up to work with bind9*

#!/bin/bash
# modified by: Christopher M Downs
# NEW DNS Bind 9 servers running in chroot enviroment.
# /var/chroot/named
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named

# NOTE CHROOT
# modified for chroot enviroment
[ -f /var/chroot/usr/sbin/named ] || exit 0
#[ -f /usr/sbin/named ] || exit 0
[ -f /var/chroot/etc/named.conf ] || exit 0
#[ -f ${ROOTDIR}/etc/named.conf ] || exit 0

RETVAL=0
prog="named"

start() {
        # Start daemons.
        echo -n "Starting /var/chroot/named: "
        /var/chroot/usr/sbin/named -u named -t /var/chroot
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
        sleep 5
        echo -e " Done\r"
        return $RETVAL
}
stop() {
        # Stop daemons.
echo -n $"Stopping $prog: "
        killproc named
        RETVAL=$?
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
        echo
        return $RETVAL
}
rhstatus() {
        /usr/sbin/rndc status
        return $?
}
restart() {
        stop
        start
}
reload() {
        /usr/sbin/rndc reload >/dev/null 2>&1 || /usr/bin/killall -HUP named
        return $?
}
probe() {
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/sbin/rndc reload >/dev/null 2>&1 || echo start
 return $?
}

# See how we were called.
case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        status)
                rhstatus
                ;;
        restart)
                restart
                ;;
        condrestart)
                [ -f /var/lock/subsys/named ] && restart
                ;;
        reload)
                reload
                ;;
        probe)
                probe
                ;;
        *)
                echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|probe}"
                exit 1
esac

exit $?

# thought you were done didnt you ??? Nope time to patch that kernel

cd /usr/src
wget http://www.grsecurity.net/grsecurity-1.9.7d-2.4.19.patch
wget ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.19.tar.gz
tar -zxvf linux-2.4.19.tar.gz
ln -sf linux-2.4.19 linux
cd linux
patch -p1 </usr/src/grsecurity-1.9.7d-2.4.19.patch
make mrproper
make menuconfig

# at this point you want to configure your kernel and make sure you ENABLE "HIGH SECURITY" on the
grsecurity section...

make dep && make clean && make install && make modules modules_install

# when this is done do:
vi /etc/grub.conf and change the default to 0 and timeout to 5 sconds.
----------- snip -------------
#boot=/dev/cciss/c0d0
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.19-grsec)
        root (hd0,0)
        kernel /vmlinuz-2.4.19-grsec ro root=/dev/cciss/c0d0p7
------------------------------

# time to reboot with a nice new shiny kernel
shutdown -r +1 &
exit

# Now that we are running on the new kernel lets start named
# start named up
[root@asimov named]# /etc/rc.d/init.d/./named start
Starting /var/chroot/named:  Done
[root@asimov named]# ps aux | grep named
named     8787  0.0  0.2 10472 2484 ?        S    19:18   0:00 /var/chroot/usr/s
named     8789  0.0  0.2 10472 2484 ?        S    19:18   0:00 /var/chroot/usr/s
named     8791  0.1  0.2 10472 2484 ?        S    19:18   0:00 /var/chroot/usr/s
named     8792  0.0  0.2 10472 2484 ?        S    19:18   0:00 /var/chroot/usr/s
named     8793  0.0  0.2 10472 2484 ?        S    19:18   0:00 /var/chroot/usr/s
[root@asimov named]# /etc/rc.d/init.d/./named stop
Stopping named:                                            [  OK  ]
[root@asimov named]#

# lets make sure named starts up by itself at next boot
chkconfig named on

# Note: if you see what is above you have done things right and you should go have a beer or something, time to celebrate !

# more information in compiling a kernel can be found at

http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/custom-guide/ch-custom-kernel.html
# NOTE RedHat does not support custom kernel just FYI....

# more information about making bind work the cheesy GUI way, YUK 

http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/custom-guide/ch-bindconf.html

# bind website

http://www.isc.org/