Dieses Skript automatisiert die Prozedur, die Standard-Installation des
Name-Servers bind
zu ändern, so dass er nicht als
Superuser läuft. Es wird auch den Nutzer und die Gruppe für den Name-Server
erstellen. Benutzen Sie es äußerst vorsichtig, da es nicht ausreichend
getestet wurde.
#!/bin/sh # Change the default Debian bind configuration to have it run # with a non-root user and group. # # WARN: This script has not been tested thoroughly, please # verify the changes made to the INITD script # (c) 2002 Javier Fernández-Sanguino Peña # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 1, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # Please see the file `COPYING' for the complete copyright notice. # restore() { # Just in case, restore the system if the changes fail echo "WARN: Restoring to the previous setup since I'm unable to properly change it." echo "WARN: Please check the $INITDERR script." mv $INITD $INITDERR cp $INITDBAK $INITD } USER=named GROUP=named INITD=/etc/init.d/bind INITDBAK=$INITD.preuserchange INITDERR=$INITD.changeerror START="start-stop-daemon --start --quiet --exec /usr/sbin/named -- -g $GROUP -u $USER" AWKS="awk ' /start-stop-daemon --start/ { print \"$START\"; noprint = 1; }; /\/usr\/sbin\/ndc reload/ { print \"stop; sleep 2; start;\"; noprint = 1; } /\\\\$/ { if ( noprint != 0 ) { noprint = noprint + 1;} } /^.*$/ { if ( noprint != 0 ) { noprint = noprint - 1; } else { print \$0; } } '" [ `id -u` -ne 0 ] && { echo "This program must be run by the root user" exit 1 } RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d " "` if [ "$RUNUSER" = "$USER" ] then echo "WARN: The name server running daemon is already running as $USER" echo "ERR: This script will not many any changes to your setup." exit 1 fi if [ ! -f $INITD ] then echo "ERR: This system does not have $INITD (which this script tries to change)" RUNNING=`ps eo fname |grep named` [ -z "$RUNNING" ] && \ echo "ERR: In fact the name server daemon is not even running (is it installed?)" echo "ERR: No changes will be made to your system" exit 1 fi # Check if named group exists if [ -z "`grep $GROUP /etc/group`" ] then echo "Creating group $GROUP:" addgroup $GROUP else echo "WARN: Group $GROUP already exists. Will not create it" fi # Same for the user if [ -z "`grep $USER /etc/passwd`" ] then echo "Creating user $USER:" adduser --system --home /home/$USER \ --no-create-home --ingroup $GROUP \ --disabled-password --disabled-login $USER else echo "WARN: The user $USER already exists. Will not create it" fi # Change the init.d script # First make a backup (check that there is not already # one there first) if [ ! -f $INITDBAK ] then cp $INITD $INITDBAK fi # Then use it to change it cat $INITDBAK | eval $AWKS > $INITD echo "WARN: The script $INITD has been changed, trying to test the changes." echo "Restarting the named daemon (check for errors here)." $INITD restart if [ $? -ne 0 ] then echo "ERR: Failed to restart the daemon." restore exit 1 fi RUNNING=`ps eo fname |grep named` if [ -z "$RUNNING" ] then echo "ERR: Named is not running, probably due to a problem with the changes." restore exit 1 fi # Check if it's running as expected RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d " "` if [ "$RUNUSER" = "$USER" ] then echo "All has gone well, named seems to be running now as $USER." else echo "ERR: The script failed to automatically change the system." echo "ERR: Named is currently running as $RUNUSER." restore exit 1 fi exit 0
Dieses Skript, wenn es auf Woodys (Debian 3.0) angepassten Bind
angewendet wird, wird die folgende initd-Datei erstellen, nachdem der Nutzer
und die Gruppe "named" erstellt wurde:
#!/bin/sh PATH=/sbin:/bin:/usr/sbin:/usr/bin test -x /usr/sbin/named || exit 0 start () { echo -n "Starting domain name service: named" start-stop-daemon --start --quiet \ --pidfile /var/run/named.pid --exec /usr/sbin/named echo "." } stop () { echo -n "Stopping domain name service: named" # --exec doesn't catch daemons running deleted instances of named, # as in an upgrade. Fortunately, --pidfile is only going to hit # things from the pidfile. start-stop-daemon --stop --quiet \ --pidfile /var/run/named.pid --name named echo "." } case "$1" in start) start ;; stop) stop ;; restart|force-reload) stop sleep 2 start ;; reload) /usr/sbin/ndc reload ;; *) echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2 exit 1 ;; esac exit 0
Anleitung zum Absichern von Debian
Version: 3.2, Mon, 20 Jun 2005 08:01:04 +0000jfs@debian.org