
bound.sh

bound.sh
Posted Feb 13, 2001
Authored by Sil

Bound.sh v0.1 is a shell script for setting up chrooted Bind on FreeBSD - Needs minor tweaks to get it to work under linux.

tags | shell
systems | linux, unix, freebsd
SHA-256 | 93b0d638f3ca4b7c2aeba6c1d50e97193bf9c64e70311028b5ebe5c5e3136549

bound.sh

############################################
#
# Bound.sh Lazy Mans Jailed Bind v.1
# Figured I'd concoct a script to automate
# the chroot'ed Bind since all these issues
# came out surrounding the insecurity of
# Bind and not too many people are familiar
# with chroot and implementing a jailed
# scenario. This script was tested on my
# FreeBSD 4.1 workstation and needed some
# minor tweaks to get it running on Linux.
# For those who don't want to switch to the
# more secure OpenBSD or Immunix (for Linux)
# you should look into using the SecureBSD
# patches for FreeBSD
# sil@antioffline.sold.me.down.the.river.org
#
############################################

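# Bourne-shell setup: file-creation mask, search path and the jail's paths.
umask 022

# "setenv" is csh syntax and fails in sh, which would leave the caller's PATH
# in effect; assign and export instead. /usr/home is left off the search
# path: the script runs no tool from there, and the PATH of a script meant to
# run as root should list only directories that hold system binaries.
PATH=/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

home=/usr/home/dns              # root of the chroot jail
pass=$home/etc/passwd           # account files inside the jail
shad=$home/etc/shadow
mast=$home/etc/master.passwd
user="named:x:24680:24680:Jailed Bind v9:/:/sbin/nologin"

# Newline helpers, meant to be run unquoted as "$echo1" / "$echo2" were in
# the original. They hold a command string rather than a command
# substitution, because $(...) strips trailing newlines and would leave the
# variables empty.
echo1='printf \n'
echo2='printf \n\n'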

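echo "Bound is a lazy man's set up script for chrooting Bind"
echo "sil@antioffline.com http://www.antioffline.com"
echo "AntiOffline -- Removing the dot in dot.com"
echo "Beginning Bound v.1" ; echo " " ; echo " "

# Build the jail skeleton under $home.
# The original tested /usr/home but never created $home itself, and repeated
# the whole sequence in both branches; only the "create it" step differs, so
# the shared work now runs once after the check.
echo "Checking to see if directory exists"
printf '\n\n'
if [ -d "${home:?jail root is not set}" ] ; then
  echo "Directory is there lets get the sys in order"
else
  echo "Directory is missing, creating $home" ; printf '\n'
  mkdir -p "$home" || { echo "Cannot create $home, stopping" >&2 ; exit 1 ; }
fi

# Every path below is relative to the jail. Stop if the cd fails, otherwise
# the directories and copies land in whatever directory the script was
# started from.
cd "$home" || { echo "Cannot enter $home, stopping" >&2 ; exit 1 ; }

# Top-level directories. Literal lists replace the dirlist.tmp /
# subdirlist.tmp / duplicate.tmp scratch files, which were left behind
# inside the jail (and one loop read "dirlist", a file that was never written).
for i in dev etc lib usr var ; do
  mkdir -p "$i" || exit 1
done
echo "Added dev etc lib usr and var to $home" ; printf '\n'

# usr/local/etc is included because the permission step at the end of the
# script expects named.conf to live there.
for i in usr/share usr/share/zoneinfo usr/local usr/local/lib \
         usr/local/etc var/run var/log var/named ; do
  mkdir -p "$i" || exit 1
done
echo "Added other neccessary files in $home/usr, $home/usr/local, $home/usr/share, $home/usr/share/zoneinfo" ; printf '\n'

# Copy the host configuration files the jailed daemon reads. Not every file
# in this list exists on every system, so a missing one is reported and
# skipped rather than aborting the run.
echo "Copying /etc/syslog.conf /etc/netconfig /etc/nsswitch.conf /etc/resolv.conf /etc/TIMEZONE to $home" ; printf '\n'
for i in /etc/syslog.conf /etc/netconfig /etc/nsswitch.conf \
         /etc/resolv.conf /etc/TIMEZONE ; do
  if [ -f "$i" ] ; then
    cp "$i" etc/ || echo "Could not copy $i" >&2
  else
    echo "Skipping $i, not present on this host" >&2
  fi
done

echo "Done" ; printf '\n'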

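# Register the unprivileged "named" account inside the jail.
# $user is a passwd(5)-format line. The original ran "cat $user", which
# treats the line as a file name, and appended the same 7-field line to
# shadow / master.passwd, whose field layouts differ.
IFS=: read -r u_name u_pw u_uid u_gid u_gecos u_dir u_shell <<EOF
$user
EOF
: "${u_name:?account line in \$user is empty}"

# Skip the append when the account is already listed, so a second run does
# not leave duplicate entries.
if grep "^$u_name:" "$pass" >/dev/null 2>&1 ; then
  echo "$u_name already present in $pass" ; printf '\n'
else
  printf '%s\n' "$user" >> "$pass"
  echo "Adding $user to $pass" ; printf '\n'
fi

# NOTE(review): $shad is the jail's own shadow file, which a freshly built
# jail does not have, so the master.passwd branch is the one normally taken.
# If the intent was to detect a shadow-password host, confirm and test the
# host's file instead.
if [ -e "$shad" ] ; then

  # shadow(5): nine fields; "*" in the password field matches no password.
  if ! grep "^$u_name:" "$shad" >/dev/null 2>&1 ; then
    printf '%s\n' "$u_name:*:::::::" >> "$shad"
  fi
  chmod 600 "$shad"

else

  echo "Adding $user to $mast"; printf '\n'

  # master.passwd(5): name:password:uid:gid:class:change:expire:gecos:dir:shell
  if ! grep "^$u_name:" "$mast" >/dev/null 2>&1 ; then
    printf '%s\n' "$u_name:*:$u_uid:$u_gid::0:0:$u_gecos:$u_dir:$u_shell" >> "$mast"
  fi
  # umask 022 would leave this file world-readable; keep it root-only.
  chmod 600 "$mast"
  # NOTE(review): FreeBSD account lookups read the databases that pwd_mkdb
  # builds from master.passwd, so the text entry alone may not be enough
  # for "named -u named" inside the jail — confirm on the target system.

  echo "$user added to $pass" ; printf '\n'

fi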

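# Create the device nodes the jailed daemon opens.
# (The original echo lacked its closing quote, which swallowed the commands
# that follow it.)
echo "Making necessary files in $home/dev/"

# mknod writes into the current directory: stop if the jail's dev directory
# cannot be entered, rather than creating nodes somewhere else.
cd "${home:?jail root is not set}/dev" || { echo "Cannot enter $home/dev, stopping" >&2 ; exit 1 ; }

# NOTE(review): major/minor numbers are specific to the operating system,
# and these are hard-coded. The node names (tcp, udp, conslog, syscon) look
# like Solaris devices — confirm. Compare each pair with "ls -l" on the
# host's own /dev before running: a node created with the wrong numbers is
# an open door to whichever driver really owns that pair, and "null" is
# made world-writable below.
mknod tcp c 11 42
mknod udp c 11 41
mknod log c 21 5
mknod null c 13 2
mknod zero c 13 12
chgrp sys null zero
chmod 666 null
mknod conslog c 21 0
mknod syscon c 0 0
chmod 620 syscon
chgrp tty syscon
chgrp sys conslog

echo "Done" ; printf '\n'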

# Uncomment this to go get Bind if you don't have it on your machine
# already (the URL below is pinned to 9.1.0). FTP gives no integrity
# protection, so check the tarball against the signature ISC publishes
# before you build it.

# if command -v fetch >/dev/null 2>&1 ; then
#   fetch ftp://ftp.isc.org/isc/bind9/9.1.0/bind-9.1.0.tar.gz
# elif command -v wget >/dev/null 2>&1 ; then
#   wget ftp://ftp.isc.org/isc/bind9/9.1.0/bind-9.1.0.tar.gz
# else
#   echo "Manually download Bind from ftp://ftp.isc.org/isc/bind9/9.1.0/bind-9.1.0.tar.gz"
#   echo " "
# fi
# echo "Now configure and compile bind here"

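# Tighten ownership and modes inside the jail, then print the start command.
echo "Fixing permissions in $home" ; printf '\n'

# Everything below uses relative paths with recursive chmod and find. If the
# cd fails, those would run against the directory the script was started
# from (for root in /, that is the host's own usr and var), so stop instead.
cd "${home:?jail root is not set}" || { echo "Cannot enter $home, stopping" >&2 ; exit 1 ; }

# Use the numeric ids from the jail's account line. The name "named" is only
# added to the jail's passwd file, so the host may not be able to resolve
# it, and inside the chroot it is these numbers that the daemon runs under.
IFS=: read -r _name _pw u_uid u_gid _rest <<EOF
$user
EOF
: "${u_uid:?no uid in \$user}" "${u_gid:?no gid in \$user}"

chmod -R g-w var
# opt is not created by this script; only touch the trees that exist.
for d in opt usr ; do
  if [ -d "$d" ] ; then
    chmod -R a-w "$d"
  fi
done
chmod g+w var/run var/log
chgrp "$u_gid" var/log var/run
touch var/log/all.log var/run/named.pid
chown "$u_uid:$u_gid" var/log/all.log var/run/named.pid

# The original used $jail here, which is never set: the paths collapsed to
# /usr/local/etc on the host and changed ownership outside the jail. They
# are relative to the jail root now, and skipped until Bind's configuration
# has been installed there.
if [ -d usr/local/etc ] ; then
  chgrp "$u_gid" usr/local/etc
fi
if [ -f usr/local/etc/named.conf ] ; then
  chown "root:$u_gid" usr/local/etc/named.conf
fi

# No file inside the jail keeps a setuid or setgid bit.
find . -type f -exec chmod ug-s {} \;

echo "Done, compile Bind in $home then"
echo "run with the follwing syntax"
echo "/usr/sbin/chroot /usr/home/dns /usr/local/sbin/named -u named"
echo "Concocted with some settings from an article posted by Sean Boran"
echo "http://www.boran.com"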