        
############################################
#
# Bound.sh Lazy Man's Jailed Bind v.1
# Figured I'd concoct a script to automate
# the chroot'ed Bind since all these issues
# came out surrounding the insecurity of
# Bind and not too many people are familiar
# with chroot and implementing a jailed
# scenario. This script was tested on my
# FreeBSD 4.1 workstation and needed some
# minor tweaks to get it running on Linux.
# For those who don't want to switch to the
# more secure OpenBSD or Immunix (for Linux)
# you should look into using the SecureBSD
# patches for FreeBSD
# sil@antioffline.sold.me.down.the.river.org
#
############################################

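# Run as root with a Bourne shell:  sh bound.sh
#
# Builds a chroot tree for BIND under $home, gives the jail a minimal
# passwd/group holding the unprivileged "named" account, makes sure the
# same user/group exist on the host (chown/chgrp below need them),
# creates the device nodes BIND wants and tightens permissions.  Nothing
# here downloads or compiles BIND; see the note near the end.
#
# Fixes against the original: csh "setenv" under sh (PATH was never set),
# unterminated quotes in the newline helpers, "cat dirlist" vs the
# dirlist.tmp it wrote, "dp cp" for "do cp", "cat $user" for "echo $user",
# an undefined $jail, a chmod on a never-created "opt", a passwd-format
# line appended to master.passwd, and temp files left in the jail root.

umask 022

# Fixed, system-only PATH while we create files as root.  /sbin is needed
# for mknod on BSD and for groupadd/useradd on some Linux systems.  The
# original also put /usr/home (a user-writable tree) on root's PATH; it is
# deliberately left out.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

set -eu

readonly home=/usr/home/dns    # jail root; no trailing slash, paths are $home/...
readonly uid=24680
readonly gid=24680
readonly gecos="Jailed Bind v9"

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Create the jail directory tree (idempotent).
# Globals: home (read)
#######################################
make_jail_dirs() {
  for d in dev etc lib usr usr/share usr/share/zoneinfo usr/local \
           usr/local/lib usr/local/etc var var/run var/log var/named; do
    mkdir -p "$home/$d"
  done
  printf 'Created dev etc lib usr var and subdirectories under %s\n\n' "$home"
}

#######################################
# Copy the host config files the original script duplicated into the
# jail.  Not every file exists on every OS (/etc/netconfig and
# /etc/TIMEZONE are not present on FreeBSD or Linux), so a missing one
# is reported rather than aborting under set -e.
# Globals: home (read)
#######################################
copy_etc_files() {
  for f in /etc/syslog.conf /etc/netconfig /etc/nsswitch.conf \
           /etc/resolv.conf /etc/TIMEZONE; do
    if [ -f "$f" ]; then
      cp -- "$f" "$home/etc/"
    else
      printf 'skipping %s: not present on this host\n' "$f" >&2
    fi
  done
  printf 'Copied host config files into %s/etc\n\n' "$home"
}

#######################################
# Make sure the named user and group exist on the HOST; chgrp/chown
# named in fix_permissions fail otherwise.  Uses the platform account
# tool rather than editing /etc/passwd by hand.
# Globals: uid, gid, gecos (read)
#######################################
ensure_host_account() {
  if ! grep -q '^named:' /etc/group; then
    if command -v pw >/dev/null 2>&1; then
      pw groupadd -n named -g "$gid"
    else
      groupadd -g "$gid" named
    fi
  fi
  if ! grep -q '^named:' /etc/passwd; then
    if command -v pw >/dev/null 2>&1; then
      pw useradd -n named -u "$uid" -g named -d / -s /sbin/nologin -c "$gecos"
    else
      useradd -M -u "$uid" -g named -d / -s /sbin/nologin -c "$gecos" named
    fi
  fi
}

#######################################
# Give the jail its own minimal passwd/group.  "named -u named" is
# resolved after chroot, so the lookup has to succeed inside the jail.
# The entry carries no password hash, so there is nothing for a shadow
# file to hold.  On BSD the 10-field master.passwd is written and the
# pwd.db/passwd pair generated from it with pwd_mkdb -d.
# Globals: home, uid, gid, gecos (read)
#######################################
add_jail_account() {
  if [ -e /etc/master.passwd ]; then
    if ! grep -q '^named:' "$home/etc/master.passwd" 2>/dev/null; then
      printf '%s\n' "named:*:$uid:$gid::0:0:$gecos:/:/sbin/nologin" \
        >> "$home/etc/master.passwd"
    fi
    pwd_mkdb -d "$home/etc" "$home/etc/master.passwd"
    printf 'Added named to %s/etc/master.passwd\n\n' "$home"
  else
    if ! grep -q '^named:' "$home/etc/passwd" 2>/dev/null; then
      printf '%s\n' "named:x:$uid:$gid:$gecos:/:/sbin/nologin" \
        >> "$home/etc/passwd"
    fi
    printf 'Added named to %s/etc/passwd\n\n' "$home"
  fi
  if ! grep -q '^named:' "$home/etc/group" 2>/dev/null; then
    printf '%s\n' "named:x:$gid:" >> "$home/etc/group"
  fi
}

#######################################
# Create the device nodes inside the jail (skipping ones that exist).
# NOTE(review): major/minor numbers are OS-specific.  These are the
# numbers the original script used; confirm them against the host's
# own /dev (ls -l /dev/null /dev/zero ...) before trusting the jail.
# On Linux, /dev/log is a socket owned by syslogd rather than a device
# node; the syslog daemon must be told to open a second socket inside
# the jail for logging from named to work.
# Globals: home (read)
#######################################
make_devices() {
  cd "$home/dev" || die "cannot cd to $home/dev"
  [ -e tcp ]     || mknod tcp c 11 42
  [ -e udp ]     || mknod udp c 11 41
  [ -e log ]     || mknod log c 21 5
  [ -e null ]    || mknod null c 13 2
  [ -e zero ]    || mknod zero c 13 12
  chgrp sys null zero
  chmod 666 null
  [ -e conslog ] || mknod conslog c 21 0
  [ -e syscon ]  || mknod syscon c 0 0
  chmod 620 syscon
  chgrp tty syscon
  chgrp sys conslog
  printf 'Created device nodes in %s/dev\n\n' "$home"
}

#######################################
# Tighten ownership and modes inside the jail.  Only var/run and
# var/log are writable by the named group; everything under usr is
# read-only; no setuid/setgid bits survive.
# Globals: home (read)
#######################################
fix_permissions() {
  cd "$home" || die "cannot cd to $home"
  chmod -R g-w var
  chmod -R a-w usr
  chmod g+w var/run var/log
  chgrp named var/log var/run
  touch var/log/all.log var/run/named.pid
  chown named:named var/log/all.log var/run/named.pid
  chgrp named usr/local/etc
  # named.conf only exists once BIND has been installed into the jail.
  if [ -f usr/local/etc/named.conf ]; then
    chown root:named usr/local/etc/named.conf
  fi
  find . -type f -exec chmod ug-s {} \;
  printf 'Fixed permissions in %s\n\n' "$home"
}

main() {
  [ "$(id -u)" -eq 0 ] || die "bound.sh must run as root (mknod, chown, useradd)"

  echo "Bound is a lazy man's set up script for chrooting Bind"
  echo "sil@antioffline.com http://www.antioffline.com"
  echo "AntiOffline -- Removing the dot in dot.com"
  echo "Beginning Bound v.1"
  printf '\n\n'

  make_jail_dirs
  copy_etc_files
  ensure_host_account
  add_jail_account
  make_devices

  # Uncomment this to fetch BIND if it is not on the machine already.
  # Whatever is fetched should be checked against the signature/checksum
  # ISC publishes before it is built, and the version pinned here should
  # be replaced by the current supported release.
  #
  # url=ftp://ftp.isc.org/isc/bind9/9.1.0/bind-9.1.0.tar.gz
  # if command -v fetch >/dev/null 2>&1; then
  #   fetch "$url"
  # elif command -v wget >/dev/null 2>&1; then
  #   wget "$url"
  # else
  #   echo "Manually download Bind from $url"
  # fi
  # echo "Now configure and compile bind here"

  fix_permissions

  echo "Done, compile Bind in $home then"
  echo "run with the following syntax"
  echo "/usr/sbin/chroot /usr/home/dns /usr/local/sbin/named -u named"
  echo "Concocted with some settings from an article posted by Sean Boran"
  echo "http://www.boran.com"
}

main "$@"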
