<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9"> <TITLE>Chroot-BIND HOWTO: jail $B$NMQ0U(B</TITLE> <LINK HREF="Chroot-BIND-HOWTO-3.html" REL=next> <LINK HREF="Chroot-BIND-HOWTO-1.html" REL=previous> <LINK HREF="Chroot-BIND-HOWTO.html#toc2" REL=contents> </HEAD> <BODY> <A HREF="Chroot-BIND-HOWTO-3.html">$B<!$N%Z!<%8(B</A> <A HREF="Chroot-BIND-HOWTO-1.html">$BA0$N%Z!<%8(B</A> <A HREF="Chroot-BIND-HOWTO.html#toc2">$BL\<!$X(B</A> <HR> <H2><A NAME="s2">2. jail $B$NMQ0U(B</A></H2> <H2><A NAME="ss2.1">2.1 $B%f!<%6$N:n@.(B</A> </H2> <P>$B!V$O$8$a$K!W$G=R$Y$?$h$&$K!"(B BIND $B$r(B root $B8"8B$G<B9T$9$k$N$O$"$^$jNI$$9M$($G$O$"$j$^$;$s!#(B $B=>$C$F!"$^$::G=i$K(B BIND $B@lMQ$N%f!<%6$r:n$j$^$7$g$&!#(B $B$3$NL\E*$K!"(B<CODE>nobody</CODE> $B$N$h$&$J4{B8$N0lHL8~$1%f!<%6$O!"(B $B7h$7$F;H$&$Y$-$G$O$"$j$^$;$s!#(B $B$7$+$7!"(BSuSE $B$d(B Linux Mandrake $B$J$I!"(B $B:G=i$+$i$3$N$?$a$N%f!<%6(B ($BIaDL(B <CODE>named</CODE> $B$H$$$&L>A0(B) $B$rMQ0U$7$F$$$k%G%#%9%H%j%S%e!<%7%g%s$b$"$k$N$G!"(B $B$=$N>l9g$O$*K>$_$J$i$3$N%f!<%6$rMQ$$$F$b9=$$$^$;$s!#(B <P>$B$5$F!"%f!<%6$rDI2C$9$k$K$O!"<!$N$h$&$J9T$r(B <CODE>/etc/passwd</CODE> $B$K2C$($^$9!#(B <BLOCKQUOTE><CODE> <PRE> named:x:200:200:Nameserver:/chroot/named:/bin/false </PRE> </CODE></BLOCKQUOTE> $B$=$7$F<!$N9T$r(B <CODE>/etc/group</CODE> $B$K2C$($^$9!#(B <BLOCKQUOTE><CODE> <PRE> named:x:200: </PRE> </CODE></BLOCKQUOTE> $B$3$l$G(B BIND $BMQ$N(B <CODE>named</CODE> $B$H$$$&%f!<%6$H%0%k!<%W$,$G$-$^$7$?!#(B UID $B$H(B GID ($B$3$NNc$G$ON>J}$H$b(B 200) $B$,!"(B $B$*;H$$$N%7%9%F%`$GB>$H=E$J$C$F$$$J$$$h$&$KCm0U$7$^$7$g$&!#(B $B$3$N%f!<%6$O%m%0%$%s$9$kI,MW$,$J$$$N$G!"(B $B%7%'%k$O(B <CODE>/bin/false</CODE> $B$K$7$F$"$j$^$9!#(B <P> <H2><A NAME="ss2.2">2.2 $B%G%#%l%/%H%j9=B$(B</A> </H2> <P>$B<!$K!"(Bchroot jail $B$K;HMQ$9$k%G%#%l%/%H%j9=B$$r:n$C$F$"$2$kI,MW$,$"$j$^$9!#(B $B$3$3$,(B BIND $B$N@83h$N>l$H$J$k$o$1$G$9!#(B $B$3$l$O%U%!%$%k%7%9%F%`$N$I$3$G$b9=$$$^$;$s!#(B $BHs>o$K?@7P<A$J?M$O!"FHN)$7$?%\%j%e!<%`(B ($B%Q!<%F%#%7%g%s(B) $B$KCV$-$?$$$H$5$(;W$&$+$b$7$l$^$;$s$M!#(B $B$3$3$G$O(B <CODE>/chroot/named</CODE> $B$r;H$$$^$9!#(B $B$^$:0J2<$N$h$&$J%G%#%l%/%H%j9=B$$r:n$C$F$/$@$5$$!#(B <P> <BLOCKQUOTE><CODE> <PRE> /chroot +-- named +-- dev +-- etc | +-- namedb | +-- slave +-- var +-- run </PRE> </CODE></BLOCKQUOTE> <P>(Linux $B%7%9%F%`$J$I$G(B) GNU $B$N(B <CODE>mkdir</CODE> $B$r;H$C$F$$$k?M$O!"(B $B<!$N$h$&$K$9$l$P$3$N%G%#%l%/%H%j9=B$$,:n$l$^$9!#(B <P> <BLOCKQUOTE><CODE> <PRE> # mkdir -p /chroot/named # cd /chroot/named # mkdir -p dev etc/namedb/slave var/run </PRE> </CODE></BLOCKQUOTE> <P> <H2><A NAME="ss2.3">2.3 BIND $B$N%G!<%?$rG[CV$9$k(B</A> </H2> <P>$B4{$KDL>o$N$+$?$A$G(B BIND $B$,%$%s%9%H!<%k$G$-$F$$$F!"(B $B$3$l$rMxMQ$7$F$$$k$J$i!"(B <CODE>named.conf</CODE> $B%U%!%$%k$H%>!<%s%U%!%$%k$,$"$k$O$:$G$9!#(B $B$3$l$i$N%U%!%$%k$O(B chroot jail $B$NCf$K0\F0(B ($B$"$k$$$O0BA4$K$d$k$J$i%3%T!<(B) $B$7$F!"(B BIND $B$+$i8+$($k$h$&$K$7$F$d$kI,MW$,$"$j$^$9!#(B <CODE>named.conf</CODE> $B$O(B <CODE>/chroot/named/etc</CODE> $B$X!"(B $B%>!<%s%U%!%$%k$O(B <CODE>/chroot/named/etc/namedb</CODE> $B$X0\F0$7$^$9!#(B $BNc$($P(B: <BLOCKQUOTE><CODE> <PRE> # cp -p /etc/named.conf /chroot/named/etc/ # cp -a /var/named/* /chroot/named/etc/namedb/ </PRE> </CODE></BLOCKQUOTE> <P>BIND $B$ODL>o(B <CODE>namedb</CODE> $B%G%#%l%/%H%j$X$N=q$-$3$_8"8B$rI,MW$H$7$^$9!#(B $B$7$+$7%;%-%e%j%F%#$r87$7$/$9$k$?$a$K!"$3$l$O5v$5$J$$$3$H$K$7$^$7$g$&!#(B $B$*;H$$$N(B DNS $B$,$"$k%>!<%s$r%9%l!<%V$G%5!<%S%9$9$k>l9g$O!"(B BIND $B$O$=$N%>!<%s%U%!%$%k$r99?7$G$-$J$1$l$P$J$j$^$;$s!#(B $B$9$J$o$A$3$l$i$N%U%!%$%k$K$OJL$N%G%#%l%/%H%j$KJ]B8$5$;$k$h$&$K$7$F!"(B $B$=$3$K(B BIND $B$+$i$N=q$-9~$_%"%/%;%9$r5v$9$+$?$A$K$7$^$9!#(B <BLOCKQUOTE><CODE> <PRE> # chown -R named:named /chroot/named/etc/namedb/slave </PRE> </CODE></BLOCKQUOTE> <P>$B$3$3$G!"%9%l!<%V%>!<%s$OA4It$3$N%G%#%l%/%H%j$K0\F0$9$k$N$rK:$l$J$$$3$H!#(B $B$^$?!"$=$l$K1~$8$F(B <CODE>named.conf</CODE> $B$NJQ99$bI,MW$K$J$j$^$9!#(B <P>BIND $B$O(B <CODE>/var/run</CODE> $B%G%#%l%/%H%j$X$b=q$-$3$_8"8B$rI,MW$H$7$^$9!#(B pid $B%U%!%$%k$HE}7W>pJs$r$3$3$K:n$k$+$i$G$9!#(B $B<!$N%3%^%s%I$G$3$l$r2DG=$K$7$F$d$j$^$7$g$&!#(B <BLOCKQUOTE><CODE> <PRE> # chown named:named /chroot/named/var/run </PRE> </CODE></BLOCKQUOTE> <P> <H2><A NAME="ss2.4">2.4 $B%7%9%F%`$N%5%]!<%H%U%!%$%k(B</A> </H2> <P>BIND $B$,(B chroot jail $BFbIt$G$N<B9T$r;O$a$k$H!"(B jail $B30It$N%U%!%$%k$X$O(B<B>$B0l@Z(B</B>$B%"%/%;%9$G$-$J$/$J$j$^$9!#(B $B$7$+$7!"$$$/$D$+$N=EMW$J%U%!%$%k$K$O<B9T8e$b%"%/%;%9$G$-$J$1$l$P(B $B$J$j$^$;$s!#$?$@$7(B BIND 8 $B$KHf$Y$k$H$@$$$V>/$J$$$G$9$,!#(B <P>BIND $B$,(B jail $B$NFbIt$KI,MW$H$9$k%U%!%$%k$N$R$H$D$K!"(B $B$$$D$b$N$"$l!"(B<CODE>/dev/null</CODE> $B$,$"$j$^$9!#(B $B$3$3$G!"$3$N%G%P%$%9%N!<%I$r:n$k$?$a$KI,MW$J%3%^%s%I$O(B $B%7%9%F%`$K$h$C$F0[$J$k$3$H$,$"$j$^$9!#(B <CODE>/dev/MAKEDEV</CODE> $B%9%/%j%W%H$rD4$Y$F3NG'$7$F$/$@$5$$!#(B $B%7%9%F%`$K$h$C$F$O(B <CODE>/dev/zero</CODE> $B$,I,MW$J$3$H$b$"$j$^$9!#(B BIND 9.2.0 $B%j%j!<%9M=DjHG$G$O!"(B <CODE>/dev/random</CODE> $B$,I,MW$@$H$$$&Js9p$b$"$j$^$9!#(B $B$[$H$s$I$N(B Linux $B%7%9%F%`$G$O!"0J2<$N%3%^%s%I$,;H$($^$9!#(B <BLOCKQUOTE><CODE> <PRE> # mknod /chroot/named/dev/null c 1 3 # mknod /chroot/named/dev/random c 1 8 # chmod 666 /chroot/named/dev/{null,random} </PRE> </CODE></BLOCKQUOTE> <P>FreeBSD 4.3 $B$G$O<!$N$h$&$K$J$j$^$9!#(B <BLOCKQUOTE><CODE> <PRE> # mknod /chroot/named/dev/null c 2 2 # mknod /chroot/named/dev/random c 2 3 # chmod 666 /chroot/named/dev/{null,random} </PRE> </CODE></BLOCKQUOTE> <P>$BB>$K$b(B jail $BFbIt$N(B <CODE>/etc</CODE> $B%G%#%l%/%H%j$KI,MW$J%U%!%$%k$,$"$j$^$9!#(B BIND $B$K@5$7$$;~9o$G%m%05-O?$r$5$;$k$K$O!"(B <CODE>/etc/localtime</CODE> ($B%7%9%F%`$K$h$C$F$O(B <CODE>/usr/lib/zoneinfo/localtime</CODE> $B$+$b$7$l$^$;$s(B) $B$r$3$3$K%3%T!<$9$kI,MW$,$"$j$^$9!#(B $B0J2<$N%3%^%s%I$,$3$NLLE]$r8+$F$/$l$^$9!#(B <BLOCKQUOTE><CODE> <PRE> # cp /etc/localtime /chroot/named/etc/ </PRE> </CODE></BLOCKQUOTE> <P> <H2><A NAME="logging"></A> <A NAME="ss2.5">2.5 $B%m%05-O?(B</A> </H2> <P>$BK\J*$N<|?M$H$O0[$J$j!"(BBIND $B$O%m%05-O?$rJI$K=q$/$3$H$O$G$-$^$;$s(B :-)$B!#(B $BDL>o(B BIND $B$O%m%0$r!"%7%9%F%`$N%m%.%s%0%G!<%b%s$G$"$k(B <CODE>syslogd</CODE> $B7PM3$G5-O?$7$^$9!#(B $B$3$N%?%$%W$N%m%05-O?$O!"FC<l$J%=%1%C%H$G$"$k(B <CODE>/dev/log</CODE> $B$rDL$7$F%m%0%(%s%H%j$rAw?.$9$k$3$H$G9T$o$l$^$9!#(B $B$7$+$7$3$l$O(B jail $B$N30It$K$"$j$^$9$+$i!"(BBIND $B$+$i$O;H$($^$;$s!#(B $B$G$b$"$j$,$?$$$3$H$K!"$3$l$r2r7h$9$kJ}K!$O$$$/$D$+B8:_$7$^$9!#(B <P> <H3>$BM}A[E*$J2r(B</H3> <P>$B$3$N%8%l%s%^$KBP$9$kM}A[E*$J2r7hK!$K$O!"(B OpenBSD $B$GF3F~$5$l$?(B <CODE>-a</CODE> $B%9%$%C%A$r%5%]!<%H$9$k!"(B $BHf3SE*?7$7$$%P!<%8%g%s$N(B <CODE>syslogd</CODE> $B$,I,MW$G$9!#(B <CODE>syslogd(8)</CODE> $B$N(B man $B%Z!<%8$r%A%'%C%/$7$F!"(B $B<+J,$N;H$C$F$$$k$N$,$3$l$+$I$&$+8+$F$/$@$5$$!#(B <P>$B%5%]!<%H$7$F$$$l$P!"(B<CODE>syslogd</CODE> $B$r5/F0$9$k:]$N%3%^%s%I%i%$%s$K(B ``<CODE>-a /chroot/named/dev/log</CODE>'' $B$rDI2C$9$k$@$1$G(B OK $B$G$9!#(B SysV-init $B$r$9$Y$F;H$C$F$$$k%7%9%F%`(B (Linux $B%G%#%9%H%j%S%e!<%7%g%s$N$[$H$s$I$O$=$&(B) $B$J$i!"(B $B5/F0$ODL>o(B <CODE>/etc/rc.d/init.d/syslog</CODE> $B%U%!%$%k$G$J$5$l$^$9!#(B $BNc$($P!";d$N(B Red Hat Linux $B%7%9%F%`$G$O!";d$O(B <BLOCKQUOTE><CODE> <PRE> daemon syslogd -m 0 </PRE> </CODE></BLOCKQUOTE> $B$N9T$r(B <BLOCKQUOTE><CODE> <PRE> daemon syslogd -m 0 -a /chroot/named/dev/log </PRE> </CODE></BLOCKQUOTE> $B$HJQ99$7$^$7$?!#(B <P>$BLLGr$$$3$H$K(B Red Hat 7.2 $B$G$O!"(B $B8+$?$H$3$m(B Red Hat $B$O$3$N=hM}$r$b$C$H4JC1$K$7$F$$$^$9!#(B $B8=:_$O(B <CODE>/etc/sysconfig/syslog</CODE> $B$H$$$&%U%!%$%k$,$"$j!"(B $B$3$3$K$O(B syslogd $B$KM>J,$KM?$($k%Q%i%a!<%?$rDj5A$G$-$k$N$G$9!#(B <P>Caldera OpenLinux $B%7%9%F%`$G$O(B <CODE>ssd</CODE> $B$H$$$&%G!<%b%s%i%s%A%c$r;H$C$F$*$j!"(B $B$3$l$O@_Dj$r(B <CODE>/etc/sysconfig/daemons/syslog</CODE> $B$+$iFI$_$^$9!#(B $B$3$NCf$N%*%W%7%g%s9T$r0J2<$N$h$&$K=$@5$9$k$@$1$G$9!#(B <BLOCKQUOTE><CODE> <PRE> OPTIONS_SYSLOGD="-m 0 -a /chroot/named/dev/log" </PRE> </CODE></BLOCKQUOTE> <P>$BF1MM$K(B SuSE $B%7%9%F%`$G$O!"(B $B$3$N%9%$%C%A$O(B <CODE>/etc/rc.config</CODE> $B%U%!%$%k$KDI2C$9$k$N$,NI$$$=$&$G$9!#(B <BLOCKQUOTE><CODE> <PRE> SYSLOGD_PARAMS="" </PRE> </CODE></BLOCKQUOTE> $B$H$$$&9T$r(B <BLOCKQUOTE><CODE> <PRE> SYSLOGD_PARAMS="-a /chroot/named/dev/log" </PRE> </CODE></BLOCKQUOTE> $B$H$9$l$P(B OK $B$G$9!#(B <P>$B$=$7$F:G8e$K(B ($B$H$$$C$F$b=EMW@-$N=g$G$O$J$$$G$9$h(B) FreeBSD 4.3 $B$G$O!"(B <CODE>rc.conf</CODE> $B%U%!%$%k$rJT=8$7$F<!$N9T$rDI2C$9$l$P$h$$$=$&$G$9!#(B <BLOCKQUOTE><CODE> <PRE> syslogd_flags="-s -l /chroot/named/dev/log" </PRE> </CODE></BLOCKQUOTE> <CODE>-s</CODE> $B$O%;%-%e%j%F%#>e$NLdBj$+$iM?$($k$b$N$G!"(B $B%G%U%)%k%H$N@_Dj$N0lIt$G$9!#(B <CODE>-l</CODE> $B$O!"JL$N%m%0%N!<%I$,CV$+$l$F$$$k%m!<%+%k$J%Q%9L>$G$9!#(B <P>$B!ZLuCm(B: Debian $B$J$i(B <CODE>/etc/init.d/syslogd</CODE> $B$N(B <BLOCKQUOTE><CODE> <PRE> SYSLOGD="" </PRE> </CODE></BLOCKQUOTE> $B$H$$$&9T$r(B <BLOCKQUOTE><CODE> <PRE> SYSLOGD="-a /chroot/named/dev/log" </PRE> </CODE></BLOCKQUOTE> $B$H$7$^$9!#![(B <P>$B$*;H$$$N%7%9%F%`$G$NJQ99J}K!$,$o$+$C$?$i!"(B <CODE>syslogd</CODE> $B$r:F5/F0$9$k$@$1$G$9!#(Bkill $B$7$F:F$S(B ($BDI2C%Q%i%a!<%?$H$H$b$K(B) $B5/F0$7$F$b$$$$$G$9$7!"(B SysV-init $B%9%/%j%W%H$r;H$C$F<!$N$h$&$K$9$k$N$G$bNI$$$G$7$g$&!#(B <BLOCKQUOTE><CODE> <PRE> # /etc/rc.d/init.d/syslog stop # /etc/rc.d/init.d/syslog start </PRE> </CODE></BLOCKQUOTE> <P>$B:F5/F0$G$-$?$i!"(B<CODE>/chroot/named/dev</CODE> $B$K(B $B0J2<$N$h$&$J(B <CODE>log</CODE> $B$H$$$&!V%U%!%$%k!W$,$G$-$F$$$k$O$:$G$9!#(B <P> <PRE> srw-rw-rw- 1 root root 0 Mar 13 20:58 log </PRE> <P> <H3>$BJL$N2r(B</H3> <P>$B8E$$(B <CODE>syslogd</CODE> $B$r;H$C$F$$$k>l9g$O!"(B $B%m%0$r<h$k$K$OJL$NJ}K!$r8+$D$1$J$1$l$P$J$j$^$;$s!#(B $BNc$($P(B <CODE>hoellogd</CODE> $B$N$h$&$J!"(B $B!V%W%m%-%7!W$H$7$FF0:n$9$k$h$&@_7W$5$l$F$$$k%W%m%0%i%`$bB8:_$7$^$9!#(B $B$3$l$O(B chroot $B$5$l$?(B BIND $B$+$i%m%0%(%s%H%j$r<u$1<h$j!"(B $B$=$l$rDL>o$N(B <CODE>/dev/log</CODE> $B%=%1%C%H$KEO$7$^$9!#(B <P>$B$"$k$$$O!"(BBIND $B$r@_Dj$7$F!"%m%0$r(B syslog $B$KAw$k$N$G$O$J$/(B $B%U%!%$%k$K=q$-$3$`$h$&$K$b$G$-$^$9!#(B $B$3$NJ}K!$rA*$V$J$i!"(BBIND $B$NJ8=q$K$"$?$C$F>\:Y$rD4$Y$F$/$@$5$$!#(B <P> <H2><A NAME="perm"></A> <A NAME="ss2.6">2.6 $B%Q!<%_%C%7%g%s$r87$7$/$9$k(B</A> </H2> <P>$B$^$::G=i$K!"(B<CODE>/chroot</CODE> $B%G%#%l%/%H%jA4BN$X$N%"%/%;%9$r!"(B $B$P$C$5$j(B <CODE>root</CODE> $B%f!<%6$N$_$K8B$C$F$7$^$$$^$7$g$&!#(B $B$b$A$m$s!"$3$&$7$?$$?M$P$+$j$G$O$J$$$G$7$g$&!#(B $BFC$KB>$N%=%U%H%&%'%"$r$3$N%D%j!<0J2<$K%$%s%9%H!<%k$7$F$$$F!"(B $B$3$NJQ99$,$=$N%=%U%H$K$OE,@Z$G$J$$$h$&$J>l9g$K$O$=$&$G$9$M!#(B <P> <BLOCKQUOTE><CODE> <PRE> # chown root /chroot # chmod 700 /chroot </PRE> </CODE></BLOCKQUOTE> <P>$BF1$8$/(B <CODE>/chroot/named</CODE> $B$X$N%"%/%;%9$O!"(B <CODE>named</CODE> $B%f!<%6$K$N$_8B$C$F$7$^$C$FBg>fIW$G$9!#(B <P> <BLOCKQUOTE><CODE> <PRE> # chown named:named /chroot/named # chmod 700 /chroot/named </PRE> </CODE></BLOCKQUOTE> <P>$B$b$C$H87$7$/$7$?$$>l9g$O!"(B Linux $B%7%9%F%`$J$i(B ext2 $B%U%!%$%k%7%9%F%`$K$"$k%U%!%$%k$d%G%#%l%/%H%j$NB0@-$r!"(B <CODE>chattr</CODE> $B$H$$$&%D!<%k$G(B immutable ($BITJQ(B) $B$K$9$k$3$H$b$G$-$^$9!#(B <P> <BLOCKQUOTE><CODE> <PRE> # cd /chroot/named # chattr +i etc etc/localtime var </PRE> </CODE></BLOCKQUOTE> <P>$BF1MM$K(B FreeBSD 4.3 $B$G$3$l$i$r(B immutable $B$K$7$?$$$J$i!"(B <CODE>chflags</CODE> $B$rD4$Y$F$_$^$7$g$&!#(B $BNc$($P<!$N$h$&$K$9$l$P!"(B<CODE>/chroot/named/etc</CODE> $B%G%#%l%/%H%j0J2<$N$9$Y$F$r(B immutable $B$K$G$-$^$9!#(B <BLOCKQUOTE><CODE> <PRE> # chflags schg /chroot/named/etc/*(*). </PRE> </CODE></BLOCKQUOTE> <P>$B$3$l$i$r(B <CODE>dev</CODE> $B%G%#%l%/%H%j$K$b;\$;$l$PNI$$$N$G$7$g$&$,!"(B $B;DG0$J$,$i$3$&$9$k$H(B <CODE>syslogd</CODE> $B$,$3$3$K(B <CODE>dev/log</CODE> $B%=%1%C%H$r:n$l$J$/$J$C$F$7$^$$$^$9!#(B jail $B$NFbIt$K$"$kB>$N%U%!%$%k$K(B immutable $B%S%C%H$rN)$F$F$b$h$$$G$7$g$&(B ($BNc$($P%W%i%$%^%j%>!<%s%U%!%$%k$rJQ99$5$l$?$/$J$$>l9g$J$I(B)$B!#(B <P> <HR> <A HREF="Chroot-BIND-HOWTO-3.html">$B<!$N%Z!<%8(B</A> <A HREF="Chroot-BIND-HOWTO-1.html">$BA0$N%Z!<%8(B</A> <A HREF="Chroot-BIND-HOWTO.html#toc2">$BL\<!$X(B</A> </BODY> </HTML>