Setting up the jail for BIND 4.9.x-OW.

1. Create group 'named'. Create user 'named', with group 'named' as the
   primary GID. Leave the account locked ('*' in the password field, or
   similar).

2. Create a directory where named and named-xfer will live, such as /named.
   Populate it with the required files, setting their ownership and
   permissions like this:

   drwx--x---   5 root  named    1024 Nov  8 10:04 ./
        (The new root directory itself.)
   -rwx------   1 root  root   164228 Nov  8 10:04 named
   -rwx--x---   1 root  named  244880 Nov  8 07:49 named-xfer
        (Our two binaries; named-xfer is statically linked.)
   -rw-r-----   1 root  named   10990 Nov  8 08:01 named.boot
        (Main configuration file.)
   drwxr-x---   3 root  named    6144 Nov  8 07:59 named.dat/
        (Whatever directory is mentioned in your named.boot, above.)
   drwxrwx---   2 root  named    4096 Nov  8 11:36 named.dat/sec/
        (A subdirectory for the secondaries.)
   drwx--x---   2 root  named    1024 Nov  8 07:53 dev/
   drwx--x---   3 root  named    1024 Nov  8 07:51 usr/
        (These two are optional, see below.)

   Zone files within /named/named.dat (or whatever you called it) should be
   owned by root and readable by group 'named'. Secondaries should be in a
   subdirectory both readable and writable by group 'named', and the files
   themselves should have 'named' as their owner.

   If you want to see logs from named-xfer (and you probably do), you will
   also need /usr/lib/zoneinfo/localtime (or whatever your system uses for
   the timezone file) and possibly the /dev/log socket within the new root
   directory. (Note that named itself, with the patch applied, is smart
   enough to open /dev/log and initialize the timezone before changing its
   root directory.)

3. If you are running an old version of syslogd that isn't capable of
   reading multiple Unix domain sockets and you need logs from named-xfer,
   you should start named with these commands:

   rm /named/dev/log
   ln /dev/log /named/dev/log   # hard link, so /named must be on the same filesystem as /dev
   /named/named -t /named -u named

   In simpler cases, only the last command is needed (but you may need to
   tell your syslogd to read an additional Unix domain socket, which is
   usually done with a command-line option).
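The directory layout from step 2, scripted, as an added example that is not part of the original Openwall note: make_named_jail builds the tree with the listed modes, and check_named_jail verifies them afterwards. Owner and group are parameters (so it can be exercised unprivileged); the /usr/lib/zoneinfo/localtime path and GNU stat are assumptions, and copying the binaries, named.boot and zone files into place is left to the administrator.

```shell
#!/bin/sh
# Added example, not the original note's code.  For a real jail run as root:
#   make_named_jail /named root named && check_named_jail /named
set -eu

# Expected modes, relative to the jail root, taken from the ls -l listing.
JAIL_LAYOUT='.:710 named.dat:750 named.dat/sec:770 dev:710 usr:710'

make_named_jail() {
    root=$1 owner=$2 group=$3
    umask 077
    mkdir -p "$root/named.dat/sec" "$root/dev" "$root/usr/lib/zoneinfo"
    # Timezone file so named-xfer can stamp its log lines inside the jail.
    # Path assumed from the note; /etc/localtime is the usual modern source.
    if [ -f /etc/localtime ]; then
        cp /etc/localtime "$root/usr/lib/zoneinfo/localtime"
        chmod 640 "$root/usr/lib/zoneinfo/localtime"
    fi
    chown -R "$owner:$group" "$root"
    for entry in $JAIL_LAYOUT; do
        chmod "${entry#*:}" "$root/${entry%%:*}"
    done
    # Group 'named' only needs to search (x) its way down to the tz file.
    chmod 710 "$root/usr/lib" "$root/usr/lib/zoneinfo"
}

# Returns 0 when every listed path carries exactly the expected mode,
# 1 otherwise (each mismatch is reported on stderr).  Assumes GNU stat.
check_named_jail() {
    root=$1 rc=0
    for entry in $JAIL_LAYOUT; do
        rel=${entry%%:*} want=${entry#*:}
        have=$(stat -c %a "$root/$rel")
        if [ "$have" != "$want" ]; then
            echo "$root/$rel: mode $have, expected $want" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run check_named_jail again after any package upgrade or manual edit; a loosened named.dat (e.g. mode 777) is exactly the drift it catches.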