Here are a few simple steps to chroot bind9 on Debian squeeze.
#!/bin/bash
# Stop the running daemon before its configuration is moved.
/etc/init.d/bind9 stop
# Directory skeleton of the jail: config, device nodes, cache and pid directory.
mkdir -p /var/chroot/bind9/{etc,dev,var/cache/bind,var/run/bind/run}
chown -R bind:bind /var/chroot/bind9/var/*
# The only device nodes named needs inside the jail: /dev/null and its entropy
# source /dev/random (same major/minor numbers as on the host).
mknod /var/chroot/bind9/dev/null c 1 3
mknod /var/chroot/bind9/dev/random c 1 8
chmod 666 /var/chroot/bind9/dev/{null,random}
# Move the real config into the jail and leave a symlink behind, so tools and
# the init script still find it at /etc/bind.
mv /etc/bind /var/chroot/bind9/etc
ln -s /var/chroot/bind9/etc/bind /etc/bind
chown -R bind:bind /etc/bind/*
# Make rsyslog open a second log socket inside the jail (named cannot reach the
# host's /dev/log once chrooted). The backslash stops the shell from expanding
# $AddUnixListenSocket before it reaches the file.
echo "\$AddUnixListenSocket /var/chroot/bind9/dev/log" > /etc/rsyslog.d/bind-chroot.conf
Switch bind9 to use the chroot (file /etc/default/bind9):
OPTIONS="-u bind -t /var/chroot/bind9"
Finally restart rsyslogd and start bind9:
/etc/init.d/rsyslog restart ; /etc/init.d/bind9 start
You can download the script from here.
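The same procedure, as an added example that is not the post's script: the steps above factored into shell functions that take the jail root as a parameter, together with the checks you would want to run afterwards: that the tree and device nodes exist, that the rsyslog entry was written without the shell eating the `$`, and that the running named's root really is the jail (read from /proc/PID/root). The function names, the ROOT argument and the scratch-directory usage are this example's own assumptions; the directory layout and device numbers are copied from the post.

```shell
#!/bin/bash
# Added example (not the original post's script). Builds a bind9 chroot tree
# under an arbitrary root, verifies it, writes the rsyslog socket entry and
# checks that a running process is really confined to the jail. Function names
# and the ROOT argument are this example's own; the layout follows the post.
set -u

# Directories the post creates inside the jail.
BIND_CHROOT_DIRS="etc dev var/cache/bind var/run/bind/run"

# Build the skeleton. Device nodes and ownership need root; an unprivileged
# run only creates directories, so the layout can be rehearsed in a scratch
# directory. Returns 1 only if a directory could not be created.
build_bind_chroot() {
    local root="$1" d
    for d in $BIND_CHROOT_DIRS; do
        mkdir -p "$root/$d" || return 1
    done
    if [ "$(id -u)" -eq 0 ]; then
        # Same device numbers as the post: null is c 1 3, random is c 1 8.
        [ -c "$root/dev/null" ]   || mknod "$root/dev/null" c 1 3 \
            || echo "warning: could not create $root/dev/null"
        [ -c "$root/dev/random" ] || mknod "$root/dev/random" c 1 8 \
            || echo "warning: could not create $root/dev/random"
        chmod 666 "$root/dev/null" "$root/dev/random" 2>/dev/null
        chown -R bind:bind "$root/var" 2>/dev/null \
            || echo "warning: no bind user; fix ownership of $root/var by hand"
    fi
    return 0
}

# Print one line per missing piece of the jail and return 1 if any is missing.
# Also warns when the host has an OpenSSL engines directory that the jail
# lacks, which is the "initializing DST: openssl failure" case from the
# comments on newer bind9 packages.
verify_bind_chroot() {
    local root="$1" d dev eng bad=0
    for d in $BIND_CHROOT_DIRS; do
        [ -d "$root/$d" ] || { echo "missing dir: $root/$d"; bad=1; }
    done
    for dev in null random; do
        [ -c "$root/dev/$dev" ] || { echo "missing char device: $root/dev/$dev"; bad=1; }
    done
    # named reads its config inside the jail; the host's /etc/bind is only a symlink.
    [ -d "$root/etc/bind" ] || { echo "missing config dir: $root/etc/bind"; bad=1; }
    for eng in /usr/lib/*/openssl-1.0.0; do
        [ -d "$eng" ] || continue
        [ -d "$root$eng" ] || echo "warning: $eng exists on the host but not in the jail"
    done
    return $bad
}

# Write the rsyslog entry that makes syslog listen on the jail's /dev/log.
# A single-quoted printf format keeps the shell from expanding
# $AddUnixListenSocket (the pitfall discussed in the comments).
write_rsyslog_bind_conf() {
    local root="$1" dest="$2"
    printf '$AddUnixListenSocket %s/dev/log\n' "$root" > "$dest"
}

# Return 0 if process PID has ROOT as its root directory (i.e. is chrooted
# there), 1 if its root differs, 2 if /proc/PID/root cannot be read (needs
# the same uid as the process, or root).
process_root_is() {
    local root="$1" pid="$2" actual
    actual=$(readlink "/proc/$pid/root" 2>/dev/null) || return 2
    [ "${actual%/}" = "${root%/}" ]
}

# Rehearsal in a scratch directory (no root needed for the tree itself):
#   R=$(mktemp -d); build_bind_chroot "$R"; verify_bind_chroot "$R"
# On the live host, after bind9 has been started with -t /var/chroot/bind9:
#   process_root_is /var/chroot/bind9 "$(pgrep -o named)" && echo "named is jailed"
```

Run the build and verify functions as root on the live host; the rehearsal mode exists so the layout and the rsyslog line can be checked on a scratch directory first. The `process_root_is` check is the one that actually proves the `-t` option took effect: a named whose `/proc/PID/root` still points at `/` is running outside the jail no matter what `/etc/default/bind9` says.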
Thanks, you made my day
Simply, thank you very much for sharing your knowledge.
Silvino Paredes
Guadalajara, Jal. México
The line echo "$AddUnixListenSocket /var/chroot/bind9/dev/log" > /etc/rsyslog.d/bind-chroot.conf does not work quite correctly, as it doesn't add $AddUnixListenSocket to the file.
If you add a \ before $AddUnixListenSocket it works:
echo "\$AddUnixListenSocket /var/chroot/bind9/dev/log" > /etc/rsyslog.d/bind-chroot.conf
Otherwise, thank you very much for a very good guide!
thanks very much for this blog post, the debian wiki page is misleading :/
In Wheezy it is the same procedure, but as of version 1:9.8.1.df you will get the following error: initializing DST: openssl failure
You have to do the following:
mkdir -p /var/chroot/bind9/usr/lib/i386-linux-gnu
cd /var/chroot/bind9/usr/lib/i386-linux-gnu
cp -R /usr/lib/i386-linux-gnu/openssl-1.0.0 .
This is because of the DNSSEC update in bind9; after you have copied the OpenSSL libraries into the chroot file tree it should work again.
On Ubuntu 12.04 LTS 64 bit:
Karel Blumentrit's solution reads:
mkdir -p /var/chroot/bind9/usr/lib/x86_64-linux-gnu
cd /var/chroot/bind9/usr/lib/x86_64-linux-gnu
cp -R /usr/lib/x86_64-linux-gnu/openssl-1.0.0 .
thank you
good old apparmor eh ...
"apparmor="DENIED" operation="open" parent=2528 profile="/usr/sbin/named" name="/var/chroot/bind9/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so" pid=2529 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0"
Something like the following seems to work (add to /etc/apparmor.d/usr.sbin.named):
vim /etc/apparmor.d/usr.sbin.named
/var/chroot/bind9/etc/bind/** r,
/var/chroot/bind9/var/lib/bind/** rw,
/var/chroot/bind9/var/lib/bind/ rw,
/var/chroot/bind9/var/cache/bind/** rw,
/var/chroot/bind9/var/cache/bind/ rw,
/var/chroot/bind9/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so mr,
*do a little dance*
/etc/init.d/apparmor restart; /etc/init.d/rsyslog restart ; /etc/init.d/bind9 start