using ports/net/bind8 with chroot

Baby Peanut

Nov 21, 2002, 9:11:58 AM

chroot is the name of both the system call and the binary that shift the
root directory for a process and its children to a new location in the
filesystem. Its purpose is to limit access to the filesystem in order to
provide enhanced security: if a program is subverted, it will not be able
to alter files outside the chroot part of the filesystem. chroot(2) and
chroot(8) both have man pages with more details.

Using BIND from ports rather than from the base system makes it possible
to upgrade the nameserver without rebuilding the entire OS, provided that
the OS version is not too far out of date. You only need to run cvsup on
the ports tree. Using "pkgdb -F" and "portupgrade" is highly recommended;
see the ports/sysutils/portupgrade port. I used bind-8.3.4, so you should
run cvsup on the ports tree before following these instructions.

By using BIND from ports you can upgrade the nameserver without
rebooting. If you are upgrading from a previous installation of BIND
from ports, commands like dig and host are only unavailable for the
moment between ripping the old package out with pkg_delete and
installing the new one with "make reinstall". Likewise, only a very
brief outage occurs between stopping the old nameserver and starting
the new one.

In this example I use /usr/chroot/named as the new root directory for
named(8) and named-xfer(8), etc. You must create that directory. You
can import your existing /etc/namedb via
# mkdir -p /usr/chroot/named/var/run
# cd /
# find /etc/namedb -depth -print | cpio -pdumv /usr/chroot/named

If your BIND is old you will need to import /etc/named.conf. Newer
versions of BIND store that as /etc/namedb/named.conf so the previous
step will be enough, otherwise
# cd /etc
# echo named.conf | cpio -pvudm /usr/chroot/named/etc/namedb

You must also add some device special files to the chroot
# mkdir /usr/chroot/named/dev
# cd /dev
# echo null | cpio -pdumv /usr/chroot/named/dev
# cd /usr/chroot/named/dev
# ln -s /var/run/log

Add the timezone information
# cp -p /etc/localtime /usr/chroot/named/etc

You must also add

named_program="/usr/chroot/named/usr/sbin/named"
named_flags="-u bind -g bind -t /usr/chroot/named"

to /etc/rc.conf in addition to the usual

named_enable="YES"

To get syslogd to work you need to add

# interface syslogd to the named chroot "jail"
syslogd_flags="-s -l /usr/chroot/named/var/run/log"

to /etc/rc.conf.

Since we do not want BIND from the core OS to overwrite our work, add
"NO_BIND= true" to /etc/make.conf.

Starting with no ports/net/bind8/work directory:
# cd /usr/ports/net/bind8
# make clean

Now download the source if you haven't already, unarchive it, and apply
the patches supplied by the ports tree, while insisting that the port
replace the standard nameserver and tools instead of being installed
under /usr/local, all with one command:
# make PORT_REPLACES_BASE_BIND8= patch

Add the option for static linking to the Makefiles via
# echo "'LDFLAGS=-static'" >> work/src/port/freebsd/Makefile.set
(note that single quotes inside double quotes are used)

In ports/net/bind8 now run:
# make PORT_REPLACES_BASE_BIND8=

Patch ndc so that every occurrence of "/usr" (the ones without "chroot")
in its pathnames.h becomes "/usr/chroot/named", using a text editor:

# cd work/src/bin/ndc
# vi pathnames.h
(any text editor will do)

Keep an untouched copy as pathnames.h.orig before editing; you can then
save these changes with

# diff -u pathnames.h.orig pathnames.h > ~/ndc.pathnames.h.udiff

and try to apply them to a future release with

# patch < ~/ndc.pathnames.h.udiff

Once pathnames.h is converted to /usr/chroot/named, rebuild ndc:
# rm ndc.o
# make

If you are upgrading from a previous version of BIND from ports, then
remove the old port. Locate it with "pkg_info | grep bind":
# pkg_info | grep bind
bind-base-8.3.4 The Berkeley Internet Name Daemon, an implementation of DNS

and feed the name from the first column of output back into pkg_delete:
# pkg_delete bind-base-8.3.4

Now install the new tools and server into the /usr filesystem (but not
into /usr/chroot yet):
# cd /usr/ports/net/bind8
# make PORT_REPLACES_BASE_BIND8= install

Copy /usr/sbin/named to /usr/chroot/named/usr/sbin/named:
# mkdir -p /usr/chroot/named/usr/sbin
# cp /usr/sbin/named /usr/chroot/named/usr/sbin/named

Copy /usr/libexec/named-xfer to /usr/chroot/named/usr/libexec/named-xfer:
# mkdir -p /usr/chroot/named/usr/libexec
# cp /usr/libexec/named-xfer /usr/chroot/named/usr/libexec/named-xfer

Restart syslogd with the extra socket, then restart named to run the new version:

# killall syslogd
# /usr/sbin/syslogd -s -l /usr/chroot/named/var/run/log
# killall named
# /usr/chroot/named/usr/sbin/named -u bind -g bind -t /usr/chroot/named
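
As an added example (not part of the original post), here is a small POSIX sh script that creates the directory skeleton built up over the steps above and then checks that every piece the post copies into the chroot is present and of the right type, so that a missing /dev/null device node or a missing log socket symlink is caught before named is started. The ROOT variable, the function names and the --setup flag are my own inventions; the paths and the named flags are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build and verify the layout of a
# chrooted BIND 8 tree under $ROOT. Copying named, named-xfer and /etc/namedb
# into it is left to the steps described in the post.

ROOT="${ROOT:-/usr/chroot/named}"

# Create only the directories the post populates.
make_named_chroot_skeleton() {
    root="$1"
    for d in etc/namedb var/run dev usr/sbin usr/libexec; do
        mkdir -p "$root/$d" || return 1
    done
}

# Print one line per missing item; the exit status is the number of problems,
# so 0 means the tree contains everything named needs inside the chroot.
check_named_chroot() {
    root="$1"
    missing=0
    # regular files the post copies or imports into the chroot
    for f in etc/namedb/named.conf etc/localtime usr/sbin/named usr/libexec/named-xfer; do
        [ -f "$root/$f" ] || { echo "missing file: $f"; missing=$((missing + 1)); }
    done
    # dev/null must be a character device node (cpio -p copies it as one),
    # not an empty regular file left behind by a careless touch or cp
    [ -c "$root/dev/null" ] || { echo "missing device: dev/null"; missing=$((missing + 1)); }
    # syslogd -l creates its extra socket at var/run/log inside the chroot
    [ -d "$root/var/run" ] || { echo "missing dir: var/run"; missing=$((missing + 1)); }
    # named logs through dev/log, which the post symlinks to /var/run/log
    [ -L "$root/dev/log" ] || { echo "missing symlink: dev/log"; missing=$((missing + 1)); }
    return $missing
}

# The chroot only helps if named drops root inside it: -u/-g switch to the
# bind user and group after the privileged port is bound, -t sets the new root.
named_command() {
    echo "$1/usr/sbin/named -u bind -g bind -t $1"
}

if [ "${1:-}" = "--setup" ]; then
    make_named_chroot_skeleton "$ROOT" && check_named_chroot "$ROOT"
fi
```

Run it as root with --setup once and then again after each copy step; a clean run prints nothing and exits 0.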

Unfortunately, ndc does not want to co-operate completely.
"ndc status", "ndc restart" and "ndc stop" will work, but once stopped,
"ndc start" will not function.

Why? Because ndc does not look in /etc/rc.conf for the named_flags= bits:

# ktrace ndc start
# kdump | grep rc.conf

This is clearly a bug in FreeBSD.