Bound.sh v0.1 is a shell script for setting up a chrooted BIND on FreeBSD; it needs minor tweaks to work under Linux.
93b0d638f3ca4b7c2aeba6c1d50e97193bf9c64e70311028b5ebe5c5e3136549
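#!/bin/sh
############################################
#
# Bound.sh -- Lazy Man's Jailed Bind v.1
#
# Builds a chroot jail for BIND 9 under $JAIL (default /usr/home/dns,
# override with the first argument): the directory tree, a minimal /etc,
# the device nodes named needs, an unprivileged "named" account both on
# the host and inside the jail, and conservative permissions.
#
# BIND itself is NOT downloaded or built here. Fetch the release from
# ftp.isc.org, verify ISC's PGP signature on the tarball before unpacking
# it, compile it, install it under $JAIL, then start it with
#   /usr/sbin/chroot /usr/home/dns /usr/local/sbin/named -u named
#
# Written on FreeBSD 4.1; the OS-specific steps (account creation, device
# numbers, passwd database) are detected at run time so the same script
# also works on Linux. Must be run as root: mknod, chown and user creation
# all need it. The script is idempotent -- re-run it after installing BIND
# into the jail to reapply the permissions.
#
# NOTE(review): on systems with a dynamic devfs (FreeBSD 5 and later)
# mknod does not work; mount a devfs into $JAIL/dev instead.
#
# Originally by sil@antioffline.com (http://www.antioffline.com), with
# settings from an article posted by Sean Boran (http://www.boran.com).
#
############################################
set -eu
umask 022

# Fixed, system-only PATH. The original appended /usr/home -- a tree that
# unprivileged users write to -- which would let any local user plant a
# binary for this root script to pick up.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

# Jail root without trailing slash, and the account named will run as.
JAIL=${1:-/usr/home/dns}
JAIL=${JAIL%/}
NAMED_USER=named
NAMED_UID=24680
NAMED_GID=24680
NAMED_GECOS="Jailed Bind v9"
NAMED_SHELL=/sbin/nologin

# Diagnostics go to stderr; progress messages to stdout.
die() { printf 'bound: %s\n' "$*" >&2; exit 1; }
note() { printf '%s\n' "$*"; }
blank() { printf '\n'; }

# Abort early rather than fail half-way through mknod/chown.
require_root() {
  [ "$(id -u)" -eq 0 ] || die "must be run as root (mknod, chown and account creation need it)"
}

# Create the jail root and the directories named expects. Subdirectories
# are listed after their parents so a plain mkdir works; existing
# directories are left alone so the script can be re-run.
make_tree() {
  [ -d "$JAIL" ] || mkdir -p "$JAIL"
  # The jail root must be owned by root and not writable by named, or the
  # jailed process could rearrange the tree it is confined to.
  chown root "$JAIL"
  chmod 755 "$JAIL"
  for d in dev etc lib usr var \
           usr/share usr/share/zoneinfo usr/local usr/local/lib \
           usr/local/etc usr/local/sbin var/run var/log var/named; do
    [ -d "$JAIL/$d" ] || mkdir "$JAIL/$d"
  done
  # usr/share/zoneinfo is created but left empty; populate it from the
  # host if you want local-time stamps from inside the jail.
}

# Copy the host /etc files the original list named into the jail's /etc.
# netconfig and TIMEZONE are Solaris names that do not exist on FreeBSD or
# Linux, so missing files are skipped instead of aborting; localtime is the
# BSD/Linux counterpart of TIMEZONE. None of these files holds secrets.
copy_etc() {
  for f in /etc/syslog.conf /etc/netconfig /etc/nsswitch.conf \
           /etc/resolv.conf /etc/TIMEZONE /etc/localtime; do
    if [ -f "$f" ]; then
      cp -p "$f" "$JAIL/etc/"
    else
      note "skipping $f: not present on this host"
    fi
  done
}

# The chown/chgrp calls below run on the host, before any chroot, so the
# account must exist on the host as well -- the original only wrote it
# into the jail's passwd and every chown would have failed.
ensure_host_user() {
  if id "$NAMED_USER" >/dev/null 2>&1; then
    return 0
  fi
  if command -v pw >/dev/null 2>&1; then
    # FreeBSD
    grep -q "^$NAMED_USER:" /etc/group 2>/dev/null || \
      pw groupadd "$NAMED_USER" -g "$NAMED_GID"
    pw useradd "$NAMED_USER" -u "$NAMED_UID" -g "$NAMED_GID" \
      -d / -s "$NAMED_SHELL" -c "$NAMED_GECOS"
  elif command -v useradd >/dev/null 2>&1; then
    # Linux
    grep -q "^$NAMED_USER:" /etc/group 2>/dev/null || \
      groupadd -g "$NAMED_GID" "$NAMED_USER"
    useradd -u "$NAMED_UID" -g "$NAMED_GID" -d / -s "$NAMED_SHELL" \
      -c "$NAMED_GECOS" "$NAMED_USER"
  else
    die "neither pw(8) nor useradd(8) found; create user $NAMED_USER (uid $NAMED_UID) by hand and rerun"
  fi
}

# Give the jail its own passwd/group holding only the named account.
# With chroot(8) the root is switched before named starts, so "-u named"
# is resolved against the jail's files. The password field is "*" (locked);
# the host's passwd is never copied in. On FreeBSD libc reads the
# pwd.db generated by pwd_mkdb(8), not the text file, so a master.passwd
# line (10 fields) is written and the database built from it.
write_jail_passwd() {
  if command -v pwd_mkdb >/dev/null 2>&1; then
    grep -q "^$NAMED_USER:" "$JAIL/etc/master.passwd" 2>/dev/null || \
      printf '%s:*:%s:%s::0:0:%s:/:%s\n' \
        "$NAMED_USER" "$NAMED_UID" "$NAMED_GID" "$NAMED_GECOS" "$NAMED_SHELL" \
        >> "$JAIL/etc/master.passwd"
    chmod 600 "$JAIL/etc/master.passwd"
    # Also regenerates $JAIL/etc/passwd from master.passwd.
    pwd_mkdb -d "$JAIL/etc" "$JAIL/etc/master.passwd"
  fi
  grep -q "^$NAMED_USER:" "$JAIL/etc/passwd" 2>/dev/null || \
    printf '%s:*:%s:%s:%s:/:%s\n' \
      "$NAMED_USER" "$NAMED_UID" "$NAMED_GID" "$NAMED_GECOS" "$NAMED_SHELL" \
      >> "$JAIL/etc/passwd"
  grep -q "^$NAMED_USER:" "$JAIL/etc/group" 2>/dev/null || \
    printf '%s:*:%s:\n' "$NAMED_USER" "$NAMED_GID" >> "$JAIL/etc/group"
  chmod 644 "$JAIL/etc/passwd" "$JAIL/etc/group"
}

# Print "major minor" of an existing host device node. FreeBSD 4.x has no
# stat(1), so the "N," and "M" columns of ls -l are parsed; on both
# FreeBSD and Linux they are fields 5 and 6 of the listing.
dev_numbers() {
  ls -lL "$1" | awk '{ sub(",", "", $5); print $5, $6 }'
}

# Create only the nodes named actually uses: null, zero and an entropy
# source. The original hard-coded Solaris major/minor pairs (and Solaris
# tcp/udp/log/syscon/conslog nodes); on FreeBSD and Linux those numbers
# address entirely different drivers, so the jailed process could have
# ended up with a node for some unrelated device, and a console device
# inside a jail is the opposite of least privilege. Numbers are cloned
# from the host's own nodes instead of being guessed.
make_devices() {
  for name in null zero random urandom; do
    host=/dev/$name
    target=$JAIL/dev/$name
    if [ ! -c "$host" ]; then
      note "skipping $name: no $host on this host"
      continue
    fi
    if [ -e "$target" ]; then
      continue
    fi
    nums=$(dev_numbers "$host")
    major=${nums%% *}
    minor=${nums#* }
    case "$major$minor" in
      ''|*[!0-9]*) die "cannot read major/minor of $host from ls -l; create $target by hand" ;;
    esac
    mknod "$target" c "$major" "$minor"
  done
  # null/zero are read-write for everyone as on the host; named only ever
  # reads the entropy devices, so they are read-only in the jail.
  for name in null zero; do
    [ -c "$JAIL/dev/$name" ] && chmod 666 "$JAIL/dev/$name"
  done
  for name in random urandom; do
    [ -c "$JAIL/dev/$name" ] && chmod 444 "$JAIL/dev/$name"
  done
  return 0
}

# Tighten ownership and modes inside the jail. Everything is relative to
# $JAIL: the original referenced an unset $jail here and so re-chowned the
# HOST's /usr/local/etc and named.conf instead of the jail's.
fix_perms() {
  cd "$JAIL" || die "cannot cd to $JAIL"
  chmod -R g-w var
  # The original also listed "opt", a directory it never created.
  chmod -R a-w usr
  chmod g+w var/run var/log
  chgrp "$NAMED_USER" var/log var/run
  touch var/log/all.log var/run/named.pid
  chown "$NAMED_USER:$NAMED_USER" var/log/all.log var/run/named.pid
  chgrp "$NAMED_USER" usr/local/etc
  # named.conf stays root-owned and unwritable by named; it commonly holds
  # TSIG/rndc keys, so it is not world-readable either.
  if [ -f usr/local/etc/named.conf ]; then
    chown "root:$NAMED_USER" usr/local/etc/named.conf
    chmod 640 usr/local/etc/named.conf
  fi
  # No set-id binaries inside the jail.
  find . -type f -exec chmod ug-s {} \;
}

main() {
  note "Bound is a lazy man's set up script for chrooting Bind"
  note "sil@antioffline.com http://www.antioffline.com"
  note "AntiOffline -- Removing the dot in dot.com"
  note "Beginning Bound v.1"
  blank
  require_root
  note "Building the jail tree under $JAIL"
  make_tree
  note "Copying host /etc files into $JAIL/etc"
  copy_etc
  note "Setting up the $NAMED_USER account on the host and inside the jail"
  ensure_host_user
  write_jail_passwd
  note "Creating device nodes in $JAIL/dev"
  make_devices
  note "Fixing permissions in $JAIL"
  fix_perms
  blank
  note "Done. Build BIND, install it under $JAIL, re-run this script to"
  note "reapply permissions, then start named with:"
  note "  /usr/sbin/chroot $JAIL /usr/local/sbin/named -u $NAMED_USER"
  note "(BIND 9 can also chroot itself; see the -t option in named(8).)"
  note "named logs through syslog: give syslogd an extra socket at $JAIL/dev/log"
  note "(see syslogd(8) for the option on your system) or the jailed named"
  note "will log nothing."
  note "Concocted with some settings from an article posted by Sean Boran"
  note "http://www.boran.com"
}

main "$@"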