named.jail man page on IRIX


named.jail(4)							 named.jail(4)

NAME
     named.jail - instruction to create a named jail environment

CONFIGURING A NAMED JAIL
     The named server can be configured to run in a chroot'ed environment.
     The command-line flags -u and -t are used to define this environment.
     Before using those flags, some setup is necessary.

     NOTE: the notation below is for csh users, i.e. ~named is defined as the
     home directory of the named account. sh users should use the appropriate
     full pathname.

     ~named    Create an account named (with group named).  The account
	       should not have a shell, i.e. its shell should be
	       "/bin/false".  NOTE: it is not recommended to place the home
	       directory of the named account inside /var/named.  Make the
	       home directory owned by ``root'' and unwritable by anyone
	       (mode 555 - see chmod(1)):

		    mkdir -m 555 ~named
		    chown root	~named
		    chmod a-w	~named

     ~named/etc
	       Make this directory owned by the super-user and unwritable by
	       anyone (mode 555).

		    mkdir -m 555 ~named/etc

     ~named/dev
	       Make this directory owned by the super-user and unwritable by
	       anyone (mode 555).  named uses /dev/urandom, so use mknod(1) to
	       make a copy of /dev/random in ~named/dev with the same major
	       and minor device numbers.  Make /dev/zero read-only (mode 444).

		    mkdir -m 555 ~named/dev
		    mknod ~named/dev/random  c 39 0
		    mknod ~named/dev/urandom c 39 0
		    chmod 444 ~named/dev/*random

     ~named/var
	       Make this directory owned by named (or super-user) and
	       unwritable by anyone (mode 555).  Also create additional "tmp"
	       and "run" directories.

		    mkdir -m 555 -p ~named/var
		    mkdir -m 755 -p ~named/var/tmp
		    mkdir -m 755 -p ~named/var/run
		    chown -R named.named ~named/var

     ~named/var/named
	       Make this directory owned by named (or super-user) and
	       unwritable by anyone (mode 555).  Then copy or create all the
	       configuration files into this directory.

		    mkdir -m 555 -p ~named/var/named
		    NOTE: if any zone requires dynamic update support, use mode 755 instead of 555.
		    cp -p    /etc/named.boot ~named/etc/
		    chown    named.named     ~named/etc/named.boot
		    cp -pR   /var/named	     ~named/var
		    (cd ~named/var/named ; ln -sf ../../etc/named.boot named.boot )
		    touch    ~named/var/named/named.stats
		    touch    ~named/var/named/named_dump.db
		    chmod    644 ~named/var/named/named.stats ~named/var/named/named_dump.db
		    chown -R named.named     ~named/var/named/

     NOTE: If you plan to run a secondary name server with a backup
	   directory, please create the necessary directory
	   infrastructure.

     Once the above setup is done, the server can be started as:

     (1) /usr/sbin/named -t PATH_TO_NAMED -u named -p 53
	       This starts a chroot'ed named in the PATH_TO_NAMED directory,
	       running as the named user. It listens on port 53 and forwards
	       requests to port 53.

     (2) /usr/sbin/named -t PATH_TO_NAMED -u named -p 12012
	       This starts a chroot'ed named in the PATH_TO_NAMED directory,
	       running as the named user. It listens on port 12012 and
	       forwards requests to port 53.

		    NOTE: use 'nslookup -port=12012' to query above setup.
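
     The following check is an added example, not part of the IRIX man page
     or vendor code: it audits an existing jail against the layout described
     above. The function names audit_named_jail and any_bit and the "dynamic"
     argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code). JAIL is the directory given to named -t.
# Only mode bits and file types are checked; ownership is not.
# True if $1 matches any of the find(1) -perm tests passed after it.
any_bit() {
    f=$1; shift
    [ -n "$(find "$f" -prune \( "$@" \) -print)" ]
}

# Print one line per deviation; return 0 if none were found, else 1.
# Pass "dynamic" as $2 when a zone needs dynamic update (var/named is 755).
audit_named_jail() {
    jail=$1; mode=${2:-static}; rc=0
    # Directories the page wants unwritable by anyone (mode 555).
    for d in . etc dev var var/named; do
        p=$jail/$d
        if [ ! -d "$p" ]; then
            echo "MISSING dir $p"; rc=1
        elif [ "$d" = var/named ] && [ "$mode" = dynamic ]; then
            if any_bit "$p" -perm -020 -o -perm -002; then
                echo "GROUP/OTHER-WRITABLE $p"; rc=1
            fi
        elif any_bit "$p" -perm -200 -o -perm -020 -o -perm -002; then
            echo "WRITABLE $p"; rc=1
        fi
    done
    # var/tmp and var/run are mode 755: only the owner may write.
    for d in var/tmp var/run; do
        p=$jail/$d
        if [ ! -d "$p" ]; then
            echo "MISSING dir $p"; rc=1
        elif any_bit "$p" -perm -020 -o -perm -002; then
            echo "GROUP/OTHER-WRITABLE $p"; rc=1
        fi
    done
    # Device nodes must be character devices without write bits (mode 444).
    for n in random urandom; do
        p=$jail/dev/$n
        if [ ! -c "$p" ]; then
            echo "MISSING chardev $p"; rc=1
        elif any_bit "$p" -perm -200 -o -perm -020 -o -perm -002; then
            echo "WRITABLE $p"; rc=1
        fi
    done
    # named.boot lives in etc and is reached from var/named via a symlink.
    [ -f "$jail/etc/named.boot" ] || { echo "MISSING file $jail/etc/named.boot"; rc=1; }
    [ -h "$jail/var/named/named.boot" ] || { echo "MISSING symlink $jail/var/named/named.boot"; rc=1; }
    return $rc
}
```

     Source the file and run audit_named_jail with the jail path (the
     directory passed to -t); an empty result with exit status 0 means the
     mode bits and file types match the layout.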
