
Anleitung zum Absichern von Debian
Anhang E - Beispielskript, um die Standardinstallation von Bind zu ändern


Dieses Skript automatisiert die Prozedur, die Standardinstallation des Nameservers so zu ändern, dass er nicht als Superuser läuft. Benutzen Sie es vorsichtig, da es nicht ausreichend getestet wurde. Dieses Skript wird auch den User und die Gruppe für den Nameserver erstellen.

     #!/bin/sh
     # Change the default Debian bind configuration to have it run
     # with a non-root user and group.
     #
     # WARN: This script has not been tested thoroughly, please
     # verify the changes made to the INITD script
     
     # (c) 2002 Javier Fernandez-Sanguino Peña
     #
     #    This program is free software; you can redistribute it and/or modify
     #    it under the terms of the GNU General Public License as published by
     #    the Free Software Foundation; either version 1, or (at your option)
     #    any later version.
     #
     #    This program is distributed in the hope that it will be useful,
     #    but WITHOUT ANY WARRANTY; without even the implied warranty of
     #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     #    GNU General Public License for more details.
     #
     #     Please see the file `COPYING' for the complete copyright notice.
     #
     
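     #######################################
     # Put the original init.d script back after a failed change.
     # The rewritten script is kept under $INITDERR for inspection and
     # the backup is copied back into place.  Only the file is restored:
     # the daemon is not restarted here, so after a failed restart the
     # name server may still be down when this returns.
     # Globals:   INITD (read), INITDBAK (read), INITDERR (read)
     # Outputs:   warnings on stderr
     # Returns:   0 if the backup is back in place, 1 otherwise
     #######################################
     restore() {
     	echo "WARN: Restoring to the previous setup since I'm unable to properly change it." >&2
     	echo "WARN: Please check the $INITDERR script." >&2
     	# Keep going even if the move fails (e.g. nothing to move): the
     	# copy below is what actually brings the old script back.
     	mv -- "$INITD" "$INITDERR"
     	if ! cp -- "$INITDBAK" "$INITD"; then
     		echo "ERR:  Could not copy $INITDBAK back to $INITD." >&2
     		return 1
     	fi
     	return 0
     }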
     
     
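     # Account the daemon should run as.  Own names are used instead of USER
     # so the login-name variable inherited from the environment is not
     # clobbered for every child process this script starts.
     NAMED_USER=named
     NAMED_GROUP=named
     # Command name as shown by "ps -o fname".
     DAEMON=named
     INITD=/etc/init.d/bind
     INITDBAK=$INITD.preuserchange
     INITDERR=$INITD.changeerror
     # Replacement for the line that starts the daemon in $INITD.
     # NOTE(review): this line carries no --pidfile option, while the stop
     # action of the init.d script relies on /var/run/named.pid -- confirm
     # that named writes that file itself.
     START="start-stop-daemon --start --quiet --exec /usr/sbin/named -- -g $NAMED_GROUP -u $NAMED_USER"

     # Print the user the running $DAEMON process belongs to (nothing if it
     # is not running).  The whole command name is compared, so a process
     # whose name merely contains "named" is not mistaken for the daemon,
     # and only the first match is printed so the result is one word.
     running_user() {
     	ps -eo user,fname | awk -v name="$DAEMON" '$2 == name { print $1; exit }'
     }

     # Exit status 0 if a $DAEMON process is running.
     named_is_running() {
     	[ -n "$(running_user)" ]
     }

     if [ "$(id -u)" -ne 0 ]; then
     	echo "This program must be run by the root user" >&2
     	exit 1
     fi

     RUNUSER=$(running_user)

     if [ "$RUNUSER" = "$NAMED_USER" ]; then
     	echo "WARN: The name server running daemon is already running as $NAMED_USER" >&2
     	echo "ERR:  This script will not make any changes to your setup." >&2
     	exit 1
     fi
     if [ ! -f "$INITD" ]; then
     	echo "ERR:  This system does not have $INITD (which this script tries to change)" >&2
     	if ! named_is_running; then
     		echo "ERR:  In fact the name server daemon is not even running (is it installed?)" >&2
     	fi
     	echo "ERR:  No changes will be made to your system" >&2
     	exit 1
     fi

     # Check if the group exists.  The match is anchored to the name field:
     # a plain substring search would also accept a group such as "unnamed"
     # and then skip creating the group the daemon is about to be given.
     if grep -q "^${NAMED_GROUP}:" /etc/group; then
     	echo "WARN: Group $NAMED_GROUP already exists. Will not create it" >&2
     else
     	echo "Creating group $NAMED_GROUP:"
     	if ! addgroup "$NAMED_GROUP"; then
     		echo "ERR:  Could not create group $NAMED_GROUP. No changes made to $INITD." >&2
     		exit 1
     	fi
     fi
     # Same for the user.
     if grep -q "^${NAMED_USER}:" /etc/passwd; then
     	echo "WARN: The user $NAMED_USER already exists. Will not create it" >&2
     else
     	echo "Creating user $NAMED_USER:"
     	if ! adduser --system --home "/home/$NAMED_USER" \
     		--no-create-home --ingroup "$NAMED_GROUP" \
     		--disabled-password --disabled-login "$NAMED_USER"; then
     		echo "ERR:  Could not create user $NAMED_USER. No changes made to $INITD." >&2
     		exit 1
     	fi
     fi

     # Change the init.d script.

     # First make a backup, unless one is already there from a previous
     # run.  The backup is the input of the rewrite below, so a second run
     # does not rewrite an already rewritten file.
     if [ ! -f "$INITDBAK" ]; then
     	if ! cp -- "$INITD" "$INITDBAK"; then
     		echo "ERR:  Could not back up $INITD to $INITDBAK. No changes made." >&2
     		exit 1
     	fi
     fi

     # Rewrite the script from the backup: the line that starts the daemon
     # is replaced by $START (its backslash-continued lines are dropped
     # too) and an "ndc reload" is replaced by a stop/start cycle.  All
     # other lines are copied through.  The program is handed to awk
     # directly with the replacement passed via -v, so no shell-level eval
     # of a quoted command string is needed.
     if ! awk -v start="$START" '
     	/start-stop-daemon --start/ { print start; noprint = 1 }
     	/\/usr\/sbin\/ndc reload/ { print "stop; sleep 2; start;"; noprint = 1 }
     	# A trailing backslash continues the line currently being skipped.
     	/\\$/ { if (noprint != 0) noprint = noprint + 1 }
     	{ if (noprint != 0) noprint = noprint - 1; else print $0 }
     ' "$INITDBAK" > "$INITD"
     then
     	# The redirection may already have truncated $INITD; put it back.
     	echo "ERR:  Could not rewrite $INITD." >&2
     	restore
     	exit 1
     fi

     echo "WARN: The script $INITD has been changed, trying to test the changes."
     echo "Restarting the named daemon (check for errors here)."

     # restore() only puts the old script back; it does not restart the
     # daemon, so after any of the failures below named may be down.
     if ! "$INITD" restart; then
     	echo "ERR:  Failed to restart the daemon." >&2
     	restore
     	exit 1
     fi

     if ! named_is_running; then
     	echo "ERR:  Named is not running, probably due to a problem with the changes." >&2
     	restore
     	exit 1
     fi

     # Check if it's running as expected.
     RUNUSER=$(running_user)

     if [ "$RUNUSER" = "$NAMED_USER" ]; then
     	echo "All has gone well, named seems to be running now as $NAMED_USER."
     else
     	echo "ERR:  The script failed to automatically change the system." >&2
     	echo "ERR:  Named is currently running as $RUNUSER." >&2
     	restore
     	exit 1
     fi

     exit 0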

Dieses Skript, angewendet auf das angepasste Bind von Woody (Debian 3.0), wird die folgende init.d-Datei erstellen, nachdem der User und die Gruppe "named" erstellt wurden:

     #!/bin/sh
     
     # Fixed search path for the tools used below.
     PATH=/sbin:/bin:/usr/sbin:/usr/bin

     # Nothing to do when the daemon binary is not installed (or not
     # executable); leave quietly with success.
     [ -x /usr/sbin/named ] || exit 0
     
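     # Start the daemon.  The progress message is printed in two parts, the
     # "." after start-stop-daemon has returned.  printf is used for the
     # first part because "echo -n" is not handled the same way by every
     # /bin/sh.
     # NOTE(review): this start line carries no -u/-g options, unlike the
     # replacement START line of the conversion script above -- confirm
     # that this listing shows the file *after* the conversion.
     start () {
     	printf '%s' "Starting domain name service: named"
     	start-stop-daemon --start --quiet \
     	    --pidfile /var/run/named.pid --exec /usr/sbin/named
     	echo "."
     }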
     
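     # Stop the daemon.  printf replaces "echo -n" for the first part of
     # the message, which is completed with "." once start-stop-daemon
     # has returned.
     stop () {
     	printf '%s' "Stopping domain name service: named"
     	# --exec doesn't catch daemons running deleted instances of named,
     	# as in an upgrade.  Fortunately, --pidfile is only going to hit
     	# things from the pidfile.
     	start-stop-daemon --stop --quiet \
     	    --pidfile /var/run/named.pid --name named
     	echo "."
     }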
     
     # Dispatch on the requested action.  "start" and "stop" are also the
     # names of the functions above, so the action word is invoked as-is.
     case "$1" in
         start|stop)
     	"$1"
         ;;

         restart|force-reload)
     	# The pause between stop and start is kept from the original;
     	# presumably it lets the old process go away first -- verify.
     	stop
     	sleep 2
     	start
         ;;

         reload)
     	/usr/sbin/ndc reload
         ;;

         *)
     	echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
     	exit 1
         ;;
     esac

     exit 0


Anleitung zum Absichern von Debian

Version: 2.5 (beta), Fri, 03 Dec 2004 23:31:52 +0000

Javier Fernández-Sanguino Peña jfs@debian.org