Re: Root can't delete files

From: Brian Kejser (bkejser@yahoo.com)
Date: 10/11/01


Message-ID: <20011011130740.55421.qmail@web10003.mail.yahoo.com>
Date: Thu, 11 Oct 2001 09:07:40 -0400 (EDT)
From: Brian Kejser <bkejser@yahoo.com>
Subject: Re: Root can't delete files
To: focus-linux@securityfocus.com

Hi

Have you ever considered running bind in a chroot jail?

I have included the "poorly documented" install script we use for our installs.

Please Note: I will not provide any support on this script so don't bother asking me.

Does anyone know of any security holes in bind 8.2.3?
 
 
 
 
#!/bin/sh
# Build BIND 8 from /tmp/bind-src.tar.gz and install named into a chroot jail
# under /chroot/named, running as the unprivileged user "named". Expects
# named.conf, a namedb/ directory and a "named" init script in the current
# directory. Library versions and /etc/rc.d paths are Red Hat 6.x / glibc 2.1.3.

# uncompress
if [ ! -d /usr/src/bind ]; then
    mkdir /usr/src/bind
    gunzip /tmp/bind-src.tar.gz
    tar -xf /tmp/bind-src.tar --directory=/usr/src/bind
fi

# edit helper: run a one-command vi script against FILE. The script is written
# with printf so the \r that inserts a newline in a :s replacement is passed
# through untouched, and it lives in a fresh mktemp file rather than the fixed,
# predictable /tmp/.viscript name the original used (root writing to a fixed
# name in /tmp follows any symlink planted there).
vi_edit() {
    script=`mktemp /tmp/.viscript.XXXXXX` || exit 1
    printf '%s\n' "$1" ':wq' > "$script"
    vi -s "$script" "$2"
    rm -f "$script"
}

# point the build's /var/run paths into the jail (only if not already done)
if [ -z "`cut -c11-16 /usr/src/bind/src/port/linux/Makefile.set | grep chroot`" ]; then
    vi_edit ':%s/var\/run/chroot\/named\/var\/run/g' /usr/src/bind/src/port/linux/Makefile.set
fi

# define the ndc control socket path right after the pathnames.h include
if [ -z "`cut -c9-21 /usr/src/bind/src/bin/named/named.h | grep _PATH_NDCSOCK`" ]; then
    vi_edit ':%s/"pathnames.h"/"pathnames.h"\r#define _PATH_NDCSOCK "\/var\/run\/ndc"/g' /usr/src/bind/src/bin/named/named.h
fi

# build
make --directory=/usr/src/bind/src -s clean
make --directory=/usr/src/bind/src -s

# create the jail tree
if [ ! -d /chroot/named ]; then
    mkdir -p /chroot/named/dev /chroot/named/bin /chroot/named/etc/namedb \
             /chroot/named/lib /chroot/named/var/run
fi

# add the unprivileged user and group named runs as (no login shell)
if [ -z "`grep '^named:' /etc/passwd`" ]; then
    echo "named:x:200:200:Nameserver:/chroot/named:/bin/false" >> /etc/passwd
    echo "named:x:200:" >> /etc/group
fi

# copy and create config files
cp -f namedb/* /chroot/named/etc/namedb/
cp -f named.conf /chroot/named/etc/named.conf
cp -f /etc/localtime /chroot/named/etc

# minimal group file inside the jail
echo 'named:x:200:' > /chroot/named/etc/group

# set permissions: named may write its pid file and its zone files, nothing else
chown named:named /chroot/named/var/run
chown -R named:named /chroot/named/etc/namedb

# copy the C library and dynamic loader into the jail and set links
cp -fp /lib/libc-2.1.3.so /chroot/named/lib
ln -sf libc-2.1.3.so /chroot/named/lib/libc.so.6
cp -fp /lib/ld-2.1.3.so /chroot/named/lib
ln -sf ld-2.1.3.so /chroot/named/lib/ld-linux.so.2

# make a /dev/null node; mknod leaves it at the umask-restricted mode, so
# open it up, otherwise the unprivileged named cannot write to it
if [ ! -e /chroot/named/dev/null ]; then
    mknod /chroot/named/dev/null c 1 3
    chmod 666 /chroot/named/dev/null
fi

# have syslogd listen on a second socket inside the jail so named can log
if [ -z "`cut -c26-31 /etc/rc.d/init.d/syslog | grep chroot`" ]; then
    vi_edit ':%s/daemon syslogd -m 0/daemon syslogd -m 0 -a \/chroot\/named\/dev\/log/g' /etc/rc.d/init.d/syslog
fi

# install the init script
cp -f named /etc/rc.d/init.d/named
chmod 755 /etc/rc.d/init.d/named

# add to service list
if [ -z "`chkconfig --list | cut -c1-5 | grep named`" ]; then
    chkconfig --add named
fi

# turn on
chkconfig --level 3 named on

# copy the freshly built binaries into the jail
cp -f /usr/src/bind/src/bin/named/named /chroot/named/bin
cp -f /usr/src/bind/src/bin/named-xfer/named-xfer /chroot/named/bin

# start the services
/etc/rc.d/init.d/syslog restart
/etc/rc.d/init.d/named start

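As an added check (example code, not from the original post and not part of BIND), audit_jail inspects a jail laid out as the install script above builds it and reports the defects that would undo the isolation: missing directories, anything in bin other than named and named-xfer, set-uid files and world-writable paths. make_demo_jail creates a constructed, throwaway copy of that layout under $TMPDIR so the audit can be tried without root; ownership by the named user is deliberately not checked, since verifying it needs that user to exist on the box.

```shell
#!/bin/sh
# audit_jail JAILDIR: inspect a BIND chroot laid out like the install script
# above. Prints one line per finding; returns 1 if anything was found.
audit_jail() {
    jail=$1; rc=0
    for d in bin dev etc etc/namedb lib var/run; do
        [ -d "$jail/$d" ] || { echo "missing directory: $jail/$d"; rc=1; }
    done
    [ -f "$jail/etc/named.conf" ] || { echo "missing: $jail/etc/named.conf"; rc=1; }
    # Only named and named-xfer belong in bin: a shell or other tool inside
    # the jail is exactly what a compromised named would need to exec.
    for f in "$jail"/bin/*; do
        [ -e "$f" ] || continue
        case $(basename "$f") in
            named|named-xfer) ;;
            *) echo "unexpected binary in jail: $f"; rc=1 ;;
        esac
    done
    # Nothing in the jail should be set-uid/set-gid ...
    bad=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \))
    [ -z "$bad" ] || { echo "setuid/setgid files in jail:"; echo "$bad"; rc=1; }
    # ... or world-writable; device nodes (dev/null is mode 666) and the
    # syslog socket dev/log are expected to be open and are skipped.
    bad=$(find "$jail" ! -type c ! -type s ! -type l -perm -0002)
    [ -z "$bad" ] || { echo "world-writable paths in jail:"; echo "$bad"; rc=1; }
    return $rc
}

# make_demo_jail: build a constructed, throwaway copy of the script's layout
# in a temp dir (no root needed) and print its path, for trying audit_jail.
make_demo_jail() {
    umask 022
    j=$(mktemp -d "${TMPDIR:-/tmp}/namedjail.XXXXXX") || return 1
    mkdir -p "$j/bin" "$j/dev" "$j/etc/namedb" "$j/lib" "$j/var/run"
    : > "$j/etc/named.conf"
    : > "$j/bin/named"
    : > "$j/bin/named-xfer"
    echo "$j"
}
```

On a real box, run audit_jail /chroot/named after the install script has finished; a clean jail prints nothing and exits 0.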


