Fw: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)
Matthew Seaman
m.seaman at infracaninophile.co.uk
Wed Nov 13 12:15:25 GMT 2002
On Wed, Nov 13, 2002 at 10:56:42AM +0000, Lou Kamenov wrote:
> In some email I received from Lou Kamenov <lou.kamenov at aeye.net> on Wed,
> 13 Nov 2002 10:49:56 +0000 :
>
> --everybody that uses bind with Round Robin should chroot it.
> ++everybody should chroot it.
Absolutely. I found it was a lot easier to set up a chroot bind with
bind 9 --- since there's no separate named-xfer binary, you don't need
to muck about with generating static executables, and you can just
install the bind-9.2.1 port under the default /usr/local rather than
inside your chroot area.
There are quite a few tutorials about how to set up a chroot bind
around the net, but here in short is what I found necessary in order
to get a chroot'ed bind 9.2.1 working under /var/named:
portinstall net/bind9
echo 'named_enable="YES"' >> /etc/rc.conf
echo 'named_program="/usr/local/sbin/named"' >> /etc/rc.conf
echo 'named_flags="-c /etc/namedb/named.conf -u bind -t /var/named"' \
>> /etc/rc.conf
echo 'syslogd_flags="-ss -l /var/named/var/run/log"' >> /etc/rc.conf
mkdir -p /var/named/{dev,etc/namedb,var/run}
mkdir -p /var/named/etc/namedb/{p,s,dump}
chown bind:bind /var/named/etc/namedb/{s,dump} /var/named/var/run
cd /var/named/dev
cp /dev/MAKEDEV .
sh ./MAKEDEV std
rm -rf fd console kmem mem io klog pci
[ That should leave just null, random, stderr, stdin, stdout, tty
urandom and zero --- some of those are probably superfluous too]
cd /var/named/etc
cp /etc/localtime localtime
cd /var/named/etc/namedb
cp /etc/namedb/named.{conf,root} .
Copy zone files -- I use /var/named/etc/namedb/p for zones I'm the
master (primary) of, and /var/named/etc/namedb/s for zones I
secondary, and /var/named/etc/namedb/dump for cache dumps and
statistics. Don't forget the localhost stuff. Edit named.conf
accordingly --- since we're going to be running chroot'ed you want
options {
directory "/etc/namedb";
[...]
};
And it's a good idea to run
/usr/local/sbin/rndc-confgen > /usr/local/etc/rndc.conf
and edit the commented out stuff it generates at the end of that file
into named.conf.
Kill and restart syslogd with the new flags, then kill the old named
and fire up the new one:
/usr/local/sbin/named -c /etc/namedb/named.conf -u bind -t /var/named
Check for errors in /var/log/messages. Fix. Restart. etc.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
Tel: +44 1628 476614
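Added example, not part of the original message: a small sanity check for a named chroot laid out the way the message describes (directories, device nodes, rc.conf quoting, chroot-relative named.conf). The function names check_chroot and make_demo_chroot are assumed, and the constructed demo layout uses plain files where a real chroot has device nodes.

```shell
#!/bin/sh
# Added example (not from the original message): sanity-check a named chroot.
# check_chroot ROOT RCCONF: print each problem found, return the count (0 = ok).
check_chroot() {
    root=$1 rcconf=$2 problems=0
    for d in etc/namedb/p etc/namedb/s etc/namedb/dump var/run dev; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; problems=$((problems + 1)); }
    done
    for f in etc/namedb/named.conf etc/namedb/named.root etc/localtime; do
        [ -f "$root/$f" ] || { echo "missing file: $root/$f"; problems=$((problems + 1)); }
    done
    # Only the nodes left after "MAKEDEV std" plus the rm belong in dev/.
    for node in "$root"/dev/*; do
        [ -e "$node" ] || continue
        case ${node##*/} in
            null|random|urandom|zero|tty|stdin|stdout|stderr) ;;
            *) echo "unexpected device node: $node"; problems=$((problems + 1)) ;;
        esac
    done
    # rc.conf values must be quoted as a whole and point into the chroot.
    grep -q '^named_enable="YES"$' "$rcconf" \
        || { echo "named_enable=\"YES\" missing from $rcconf"; problems=$((problems + 1)); }
    grep -q "^named_flags=\".*-u bind.*-t $root\"\$" "$rcconf" \
        || { echo "named_flags must contain -u bind and -t $root"; problems=$((problems + 1)); }
    grep -q "^syslogd_flags=\"-ss -l $root/var/run/log\"\$" "$rcconf" \
        || { echo "syslogd_flags must log to $root/var/run/log"; problems=$((problems + 1)); }
    # named.conf is read inside the chroot, so directory must be /etc/namedb.
    grep -q '^[[:space:]]*directory "/etc/namedb";' "$root/etc/namedb/named.conf" 2>/dev/null \
        || { echo "named.conf: directory must be \"/etc/namedb\""; problems=$((problems + 1)); }
    return $problems
}

# make_demo_chroot DIR: constructed layout mirroring the message, for offline use
# (plain files stand in for device nodes; the real setup uses MAKEDEV).
make_demo_chroot() {
    dir=$1
    mkdir -p "$dir/dev" "$dir/etc/namedb/p" "$dir/etc/namedb/s" "$dir/etc/namedb/dump" "$dir/var/run"
    for n in null random urandom zero tty stdin stdout stderr; do : > "$dir/dev/$n"; done
    : > "$dir/etc/localtime"; : > "$dir/etc/namedb/named.root"
    printf 'options {\n\tdirectory "/etc/namedb";\n};\n' > "$dir/etc/namedb/named.conf"
    printf '%s\n' 'named_enable="YES"' 'named_program="/usr/local/sbin/named"' \
        "named_flags=\"-c /etc/namedb/named.conf -u bind -t $dir\"" \
        "syslogd_flags=\"-ss -l $dir/var/run/log\"" > "$dir/rc.conf"
}

demo=$(mktemp -d) && make_demo_chroot "$demo" \
    && check_chroot "$demo" "$demo/rc.conf" && echo "chroot layout looks sane"
rm -rf "$demo"
```

On a real host, run `check_chroot /var/named /etc/rc.conf` after the steps above; a stray node in /var/named/dev or an unquoted rc.conf value is reported as a problem.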