21.7. The syslog daemon

We must tell syslogd, the syslog daemon program, about the new chrooted service, since normally processes talk to syslogd through /dev/log. Because of the chroot jail, named cannot reach that socket, so syslogd needs to be told to listen on /chroot/named/dev/log in addition to the default /dev/log. To do this, edit the syslog startup script file to specify additional places to listen.

Edit the syslog script file vi +24 /etc/rc.d/init.d/syslog and change the line:

 daemon syslogd -m 0
 
To read:

 daemon syslogd -m 0 -a /chroot/named/dev/log
 

The default named script file of ISC BIND/DNS starts the daemon named outside the chroot jail. We must change it to start named from the chroot jail. Edit the named script file vi /etc/rc.d/init.d/named and change the lines:

  1. 
     [ -f /usr/sbin/named ] || exit 0

     To read:

     [ -f /chroot/named/usr/sbin/named ] || exit 0

  2. 
     [ -f /etc/named.conf ] || exit 0

     To read:

     [ -f /chroot/named/etc/named.conf ] || exit 0

  3. 
     daemon named

     To read:

     daemon /chroot/named/usr/sbin/named -t /chroot/named/ -unamed -gnamed


The -t option tells named to start up using the new chroot environment.

The -u option specifies the user to run as.

The -g option specifies the group to run as.
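As an added example, not part of the book, the following shell script applies the syslog and named init-script edits described above to copies of the scripts and re-checks the result; CHROOT is the jail path from the text, and the script paths are passed as arguments so it can be tried on constructed copies before touching /etc/rc.d/init.d.

```shell
#!/bin/sh
# Added example (not from the book): apply the two init-script edits from this
# section and verify them. CHROOT is the jail path used in the text.
CHROOT=/chroot/named

# Replace FILE with the output of applying the sed expressions that follow it.
sed_in_place() {
  f=$1; shift
  sed "$@" "$f" > "$f.new" && mv "$f.new" "$f"
}

# patch_syslog FILE: make syslogd also listen on the jail's /dev/log (-a adds a
# socket, it does not replace /dev/log). Safe to run twice: an already patched
# file is left untouched.
patch_syslog() {
  grep -q -- "-a $CHROOT/dev/log" "$1" && return 0
  sed_in_place "$1" -e "s|^\([[:space:]]*daemon syslogd -m 0\)\$|\1 -a $CHROOT/dev/log|"
  grep -q -- "daemon syslogd -m 0 -a $CHROOT/dev/log" "$1"
}

# patch_named FILE: point the two existence checks at the jail and start named
# with -t (chroot), -u (user) and -g (group), as the section describes.
patch_named() {
  sed_in_place "$1" \
    -e "s|\[ -f /usr/sbin/named ]|[ -f $CHROOT/usr/sbin/named ]|" \
    -e "s|\[ -f /etc/named.conf ]|[ -f $CHROOT/etc/named.conf ]|" \
    -e "s|^\([[:space:]]*\)daemon named\$|\1daemon $CHROOT/usr/sbin/named -t $CHROOT/ -unamed -gnamed|"
  grep -q -- "daemon $CHROOT/usr/sbin/named -t $CHROOT/ -unamed -gnamed" "$1"
}

# check_jail: on a live system, confirm syslogd created the socket inside the
# jail and that named is running with -t. Prints what is missing, returns 1.
check_jail() {
  ok=0
  [ -S "$CHROOT/dev/log" ] || { echo "missing socket $CHROOT/dev/log"; ok=1; }
  ps ax 2>/dev/null | grep -- "named -t $CHROOT" | grep -qv grep \
    || { echo "named is not running with -t $CHROOT"; ok=1; }
  return $ok
}
```

After restarting syslog and named with the patched scripts, `check_jail` is the quick way to confirm that the jail socket exists and that named was really started with -t.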

In BIND version 8.2, the ndc command of the ISC BIND/DNS software became a binary file; before, it was a script file. This renders the shipped ndc useless in this setting, because it looks for named and its PID file outside the jail. To fix it, the ISC BIND/DNS package must be compiled again from source. To do this, work from the top level of the ISC BIND/DNS source directory:

  1. For ndc utility:
    
     [root@deep] /# cp bind-src.tar.gz /var/tmp
     [root@deep] /# cd /var/tmp/
     [root@deep ]/tmp# tar xzpf bind-src.tar.gz
     [root@deep ]/tmp# cd src
     [root@deep ]/src# cp port/linux/Makefile.set port/linux/Makefile.set-orig
     

  2. Edit the Makefile.set file, vi port/linux/Makefile.set to make the changes listed below:
    
     'CC=egcs -D_GNU_SOURCE'
     'CDEBUG=-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -g'
     'DESTBIN=/usr/bin'
     'DESTSBIN=/chroot/named/usr/sbin'
     'DESTEXEC=/chroot/named/usr/sbin'
     'DESTMAN=/usr/man'
     'DESTHELP=/usr/lib'
     'DESTETC=/etc'
     'DESTRUN=/chroot/named/var/run'
     'DESTLIB=/usr/lib/bind/lib'
     'DESTINC=/usr/lib/bind/include'
     'LEX=flex -8 -I'
     'YACC=yacc -d'
     'SYSLIBS=-lfl'
     'INSTALL=install'
     'MANDIR=man'
     'MANROFF=cat'
     'CATEXT=$$N'
     'PS=ps p'
     'AR=ar crus'
     'RANLIB=:'
      

  3. The difference between the Makefile we used before and this one is that we modify the DESTSBIN=, DESTEXEC=, and DESTRUN= lines to point to the chrooted directory of BIND/DNS. With this modification, the ndc program knows where to find named and its run directory inside the jail.
     
     [root@deep ]/src# make clean
     [root@deep ]/src# make
     [root@deep ]/src# cp bin/ndc/ndc /usr/sbin/
     cp: overwrite `/usr/sbin/ndc'? y
     [root@deep ]/src# strip /usr/sbin/ndc
     
     We build the binary file, then copy the resulting ndc program to /usr/sbin, overwriting the old one. We don't forget to strip our new ndc binary for better performance.