To run BIND in a jail, put the following in your rc.conf: named_flags="-ubind -gbind -hns1.domain.com -i192.168.0.1 -j/home/bind" /home/bind will need to contain named-xfer (build it statically to avoid having to put libc and the loader in the jail) and all the config and zone files.
Index: bin/named/ns_glob.h
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/named/ns_glob.h,v
retrieving revision 1.1.1.6
diff -u -r1.1.1.6 ns_glob.h
--- bin/named/ns_glob.h 2001/01/28 23:00:16 1.1.1.6
+++ bin/named/ns_glob.h 2001/01/29 18:55:29
@@ -336,6 +336,9 @@
 DECL gid_t group_id;
 DECL char * group_name INIT(NULL);
 DECL char * chroot_dir INIT(NULL);
+DECL char * jail_dir INIT(NULL);
+DECL char * jail_ip INIT(NULL);
+DECL char * jail_hostname INIT(NULL);
 DECL int loading INIT(0);
Index: bin/named/ns_main.c
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/named/ns_main.c,v
retrieving revision 1.1.1.6
diff -u -r1.1.1.6 ns_main.c
--- bin/named/ns_main.c 2001/01/28 23:00:16 1.1.1.6
+++ bin/named/ns_main.c 2001/01/29 18:55:29
@@ -135,6 +135,10 @@
 #include
 #endif
+#ifdef HAVE_JAIL
+#include
+#endif
+
 #define MAIN_PROGRAM
 #include "named.h"
 #undef MAIN_PROGRAM
@@ -276,7 +280,7 @@
 saved_argv[argc] = NULL;
 /* XXX we need to free() this for clean shutdowns. */
- while ((ch = getopt(argc, argv, "b:c:d:g:p:t:u:vw:qrf")) != -1) {
+ while ((ch = getopt(argc, argv, "b:c:d:g:h:i:j:p:t:u:vw:qrf")) != -1) {
 switch (ch) {
 case 'b':
 case 'c':
@@ -336,6 +340,18 @@
 chroot_dir = savestr(optarg, 1);
 break;
+ case 'h':
+ jail_hostname = savestr(optarg, 1);
+ break;
+
+ case 'i':
+ jail_ip = savestr(optarg, 1);
+ break;
+
+ case 'j':
+ jail_dir = savestr(optarg, 1);
+ break;
+
 case 'v':
 fprintf(stdout, "%s\n", Version);
 exit(0);
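Review bot: The three new `case` arms accept `-h`, `-i` and `-j` unconditionally, and the preceding hunk adds the letters to the getopt string for every platform, so on a build without HAVE_JAIL the options parse successfully and the request is only found to be unsupported much later, at jail time. Wrapping the new letters and the three cases in `#ifdef HAVE_JAIL` would make an unsupported `-j` fail at the normal getopt error path instead of being accepted. A repeated `-j` overwrites the previous `savestr()` result without freeing it, though that matches the existing `-t` handling visible just above. The usage message and manual page, neither of which is part of this diff, presumably need the three new options described; the switch statement continues outside the hunk.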
@@ -413,6 +429,51 @@
 n != STDOUT_FILENO && n != STDERR_FILENO)
 (void) close(n);
+
+ /*
+ * Jail if desired.
+ */
+ if (jail_dir != NULL) {
+#ifdef HAVE_JAIL
+ struct jail sj;
+
+ if (chroot_dir) {
+ fprintf(stderr, "can't both jail and chroot\n");
+ exit(1);
+ }
+ sj.version = 0;
+ sj.path = jail_dir;
+ if ((sj.hostname = jail_hostname) == NULL) {
+ fprintf(stderr, "need a jail hostname\n");
+ exit(1);
+ }
+ if (jail_ip == NULL) {
+ fprintf(stderr, "need a jail IP\n");
+ exit(1);
+ }
+ if ((sj.ip_number = ntohl(inet_addr(jail_ip))) == INADDR_NONE) {
+ fprintf(stderr, "invalid jail IP\n");
+ exit(1);
+ }
+ if (jail(&sj) == -1) {
+ fprintf(stderr, "jail %s, %s, %s failed: %s\n",
+ jail_dir, jail_hostname, jail_ip,
+ strerror(errno));
+ exit(1);
+ }
+ if (chdir("/") < 0) {
+ fprintf(stderr, "chdir(\"/\") failed: %s\n",
+ strerror(errno));
+ exit(1);
+ }
+#else
+ fprintf(stderr, "can't jail on this platform\n");
+ freestr(jail_dir);
+ freestr(jail_hostname);
+ freestr(jail_ip);
+ jail_dir = jail_hostname = jail_ip = NULL;
+#endif
+ }
 /*
 * Chroot if desired.
Index: port/freebsd/include/port_after.h
===================================================================
RCS file: /home/ncvs/src/contrib/bind/port/freebsd/include/port_after.h,v
retrieving revision 1.8
diff -u -r1.8 port_after.h
--- port/freebsd/include/port_after.h 2001/01/28 23:06:48 1.8
+++ port/freebsd/include/port_after.h 2001/01/29 18:55:57
@@ -15,6 +15,7 @@
 #define RLIMIT_FILE_INFINITY
 #define HAVE_MINIMUM_IFREQ
 #define HAVE_CHROOT
+#define HAVE_JAIL
 #define CAN_CHANGE_ID
 #define MISSING_IN6ADDR_ANY
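Review bot: The `#else` branch of the new jail block only prints "can't jail on this platform" and then lets named carry on unconfined, whereas every other unsatisfiable request in the same block (`-t` together with `-j`, missing hostname or IP) is fatal; an operator who asked for a jail and did not get one should not end up with a running, unjailed daemon. Replace the `freestr` cleanup with `exit(1);` directly after that fprintf so the non-HAVE_JAIL path matches the other error paths. Separately, `inet_addr()` cannot distinguish the valid address 255.255.255.255 from its INADDR_NONE error value, so the `invalid jail IP` check rejects that (unusual) address; parsing with `inet_aton()` into a `struct in_addr` and then assigning `sj.ip_number = ntohl(ia.s_addr)` reports failure unambiguously. The `#include` line added in the earlier ns_main.c hunk lost its header name in this rendering, so I cannot confirm from the page that `struct jail`, `jail()` and `inet_addr()` are declared in scope. The enclosing function starts and ends outside the hunk.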