To start, create a new directory or file system to house the jails. This will consist of several subdirectories and will house the BIND binaries and configuration files. In our example, we will assume a new file system has been created and it is named /jail. Further, two subdirectories have been created below it - /jail/internal-bind and /jail/external-bind. Each subdirectory will have the following file system structure beneath it. This example is taken from a system running Solaris 7.
Note: You do not need usr/lib/libpthread.so.1 and usr/lib/libthread.so.1 unless you are running BIND 9.1.0 or greater.
Copy the appropriate timezone files to your chroot jail. I am in the US Central timezone, so I use:
cp -p /usr/share/lib/zoneinfo/US/Central /usr/local/bind-jail/usr/share/lib/zoneinfo/US/
Our top level directory:
drwxr-xr-x   2 root     other        512 Dec  8 22:26 dev/
drwxr-xr-x   2 root     other        512 Nov 23 22:36 etc/
drwxrwxrwt   2 root     other        512 Nov 23 22:24 tmp/
drwxr-xr-x   4 root     other        512 Nov 23 22:27 usr/
drwxr-xr-x   5 root     other        512 Nov 23 23:09 var/

Our subdirectories:

./dev:
crw-rw-rw-   1 root     sys       21,  0 Dec  8 22:26 conslog
crw-r-----   1 root     other     21,  5 Dec  8 22:25 log
crw-rw-rw-   1 root     other     13,  2 Nov 23 22:25 null
crw--w----   1 root     tty        0,  0 Dec  8 22:25 syscon
crw-rw-rw-   1 root     other     13, 12 Nov 23 22:25 zero

./etc:
-r-xr-xr-x   1 root     other        624 Nov 23 22:26 TIMEZONE
-r--r--r--   1 root     other         23 Nov 23 22:35 group
-r--r--r--   1 root     other         77 Nov 23 22:39 hosts
-r--r--r--   1 root     other        690 Nov 23 22:30 nsswitch.conf
-r--r--r--   1 root     other         83 Nov 23 22:30 passwd
-r--r--r--   1 root     other         70 Nov 23 22:40 resolv.conf
-r--------   1 root     other         43 Nov 23 22:31 shadow

./tmp:

./usr:
drwxr-xr-x   2 root     other        512 Nov 23 22:38 lib/
drwxr-xr-x   4 root     other        512 Nov 23 22:40 local/
drwxr-xr-x   4 root     other        512 Nov 23 22:40 share/

./usr/lib:
-rwxr-xr-x   1 root     other     182804 Nov 23 22:34 ld.so.1
-rwxr-xr-x   1 root     other    1115940 Nov 23 22:26 libc.so.1
-rwxr-xr-x   1 root     other       4600 Nov 23 22:26 libdl.so.1
-rwxr-xr-x   1 root     other      15336 Nov 23 22:26 libl.so.1
-rwxr-xr-x   1 root     other       7104 Nov 23 22:27 libmp.so.1
-rwxr-xr-x   1 root     other      19876 Nov 23 22:35 libmp.so.2
-rwxr-xr-x   1 root     other     817084 Nov 23 22:26 libnsl.so.1
-rwxr-xr-x   1 root     other      56988 Nov 23 22:26 libsocket.so.1
-rwxr-xr-x   1 root     other      27884 Nov 23 22:38 nss_files.so.1
-rwxr-xr-x   1 root     other      36316 Jan 29 19:45 libpthread.so.1
-rwxr-xr-x   1 root     other     183816 Jan 29 19:45 libthread.so.1

./usr/local:
drwxr-xr-x   2 root     other        512 Dec  8 22:29 etc/
drwxr-xr-x   2 root     other        512 Nov 23 22:28 sbin/

./usr/local/etc:
lrwxrwxrwx   1 root     other         29 Nov 23 22:50 named.conf -> ../../../var/named/named.conf
-rw-r--r--   1 root     other          6 Dec  8 22:29 named.pid

./usr/local/sbin:
-rwxr-xr-x   1 root     other    7153392 Nov 23 22:27 named
-rwxr-xr-x   1 root     other       7166 Nov 23 22:28 named-bootconf
-rwxr-xr-x   1 root     other    5194912 Nov 23 22:27 named-xfer

./usr/share:

./usr/share/lib:
drwxr-xr-x   3 root     other        512 Apr  9 13:13 zoneinfo/

./usr/share/lib/zoneinfo:
drwxr-xr-x   2 root     other        512 Apr  9 13:13 US/

./usr/share/lib/zoneinfo/US:
-rw-r--r--   1 root     bin         1262 Jan  8  2000 Central

./var:
drwxrwx---   2 bind     bind         512 Nov 23 22:53 adm/
drwxr-xr-x   4 root     root         512 Dec  3 15:42 named/
drwxrwxrwt   2 root     other        512 Nov 23 23:09 tmp/

./var/adm:

./var/named:
-rw-r--r--   1 root     root        1015 Aug 18 20:38 db.cache
drwxr-xr-x   2 root     root         512 Oct  5 22:57 master/
-rw-r--r--   1 root     root        1574 Dec  8 22:28 named.conf
drwxr-xr-x   2 root     root         512 Aug 18 21:42 slave/

./var/named/master:

./var/named/slave:

./var/tmp:
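
The directory skeleton above, as an added example that is not part of the original page: build_jail creates the jail directories with the modes shown in the listing, and audit_jail reports any directory whose mode has drifted from them. The function names and the JAIL_DIRS table are assumptions made for this example, usr/share/lib (not shown in the listing) is assumed to be 755, and device nodes, files and bind ownership, which need root, are left out.

```shell
#!/bin/sh
# Added example, not from the original page. "octal-mode path" pairs follow the
# listing; usr/share/lib is not shown there and is assumed to be 755.
# Device nodes, file contents and bind ownership need root and are omitted.
JAIL_DIRS='755 dev
755 etc
1777 tmp
755 usr
755 usr/lib
755 usr/local
755 usr/local/etc
755 usr/local/sbin
755 usr/share
755 usr/share/lib
755 usr/share/lib/zoneinfo
755 usr/share/lib/zoneinfo/US
755 var
770 var/adm
755 var/named
755 var/named/master
755 var/named/slave
1777 var/tmp'

# Create the skeleton under $1 (e.g. /jail/internal-bind), parents first.
build_jail() {
    root=$1
    echo "$JAIL_DIRS" | while read -r mode dir; do
        mkdir -p "$root/$dir" && chmod "$mode" "$root/$dir" || exit 1
    done
}

# Compare each directory's ls -ld mode string with the listing; non-zero on drift.
audit_jail() {
    root=$1
    echo "$JAIL_DIRS" | {
        bad=0
        while read -r mode dir; do
            case $mode in
                755)  want=drwxr-xr-x ;;
                770)  want=drwxrwx--- ;;
                1777) want=drwxrwxrwt ;;
            esac
            have=$(ls -ld "$root/$dir" 2>/dev/null | cut -c1-10)
            if [ "$have" != "$want" ]; then
                echo "MISMATCH $dir: want $want, have ${have:-missing}"
                bad=1
            fi
        done
        [ "$bad" -eq 0 ]
    }
}
```

Run audit_jail against each jail (for example /jail/internal-bind and /jail/external-bind) after any change to the jail contents.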
Rob Thomas, robt@cymru.com, http://www.cymru.com