

Securing Debian Manual
Apêndice E - Exemplo de script para alterar a instalação padrão do Bind.


Este script automatiza o procedimento para alterar a instalação padrão do servidor de nomes bind de forma que ele não execute como superusuário. Ele irá criar o usuário e o grupo que serão usados pelo servidor de nomes. Utilize-o com bastante cuidado, já que o script não foi testado exaustivamente.

       #!/bin/sh
       # Change the default Debian bind configuration to have it run
       # with a non-root user and group.
       #
       # WARN: This script has not been tested thoroughly, please
       # verify the changes made to the INITD script
     
       # (c) 2002 Javier Fernandez-Sanguino Peña
       #
       #    This program is free software; you can redistribute it and/or modify
       #    it under the terms of the GNU General Public License as published by
       #    the Free Software Foundation; either version 1, or (at your option)
       #    any later version.
       #
       #    This program is distributed in the hope that it will be useful,
       #    but WITHOUT ANY WARRANTY; without even the implied warranty of
       #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
       #    GNU General Public License for more details.
       #
       #     Please see the file `COPYING' for the complete copyright notice.
       #
     
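       # Put the previous init.d script back when the modified one fails.
       # Globals:  INITD    - the live init.d script (overwritten)
       #           INITDBAK - backup taken before the change (copied back)
       #           INITDERR - where the failed script is kept for inspection
       # Outputs:  diagnostics on stderr
       # Returns:  0 on success, 1 if the failed script could not be moved
       #           aside or the backup could not be copied back.
       # Does not restart the daemon; the caller decides what to do next.
       restore() {
         echo "WARN: Restoring to the previous setup since I'm unable to properly change it." >&2
         echo "WARN: Please check the $INITDERR script." >&2
         # Keep the broken script around so the failure can be analysed.
         mv -- "$INITD" "$INITDERR" || return 1
         # -p keeps the execute bit the init system needs on the script.
         cp -p -- "$INITDBAK" "$INITD" || return 1
       }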
     
     
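       # Account the daemon will run under; the init.d script is rewritten so
       # start-stop-daemon hands these to named via -g/-u.  (This assignment
       # replaces the USER variable the login environment usually exports,
       # for the rest of this script only.)
       USER=named
       GROUP=named
       INITD=/etc/init.d/bind
       INITDBAK=$INITD.preuserchange
       INITDERR=$INITD.changeerror
       # Replacement for the stock "start-stop-daemon --start" line.
       # NOTE(review): it carries no --pidfile although the stock start line
       # does, and stop relies on /var/run/named.pid -- confirm named still
       # writes that file once it runs as $USER.
       START="start-stop-daemon --start --quiet --exec /usr/sbin/named -- -g $GROUP -u $USER"

       # Print the user owning the first running "named" process, or nothing
       # when there is none.  The command name is compared exactly so that a
       # substring match cannot pick up unrelated processes whose name merely
       # contains "named".
       named_user() {
         ps -eo user,fname | awk '$2 == "named" { print $1; exit }'
       }

       if [ "$(id -u)" -ne 0 ]; then
         echo "This program must be run by the root user" >&2
         exit 1
       fi

       RUNUSER=$(named_user)

       if [ "$RUNUSER" = "$USER" ]; then
         echo "WARN: The name server running daemon is already running as $USER" >&2
         echo "ERR:  This script will not make any changes to your setup." >&2
         exit 1
       fi
       if [ ! -f "$INITD" ]; then
         echo "ERR:  This system does not have $INITD (which this script tries to change)" >&2
         [ -z "$RUNUSER" ] && \
           echo "ERR:  In fact the name server daemon is not even running (is it installed?)" >&2
         echo "ERR:  No changes will be made to your system" >&2
         exit 1
       fi

       # Create the group if it does not exist.  getent looks the exact name
       # up through NSS instead of grepping /etc/group for a substring, which
       # would also match e.g. a group called "unnamed".  Stop if creation
       # fails: the rewritten start line would then reference a missing group.
       if getent group "$GROUP" >/dev/null 2>&1; then
         echo "WARN: Group $GROUP already exists. Will not create it" >&2
       else
         echo "Creating group $GROUP:"
         addgroup "$GROUP" || exit 1
       fi
       # Same for the user (a system account with no login and no password).
       if getent passwd "$USER" >/dev/null 2>&1; then
         echo "WARN: The user $USER already exists. Will not create it" >&2
       else
         echo "Creating user $USER:"
         adduser --system --home "/home/$USER" \
           --no-create-home --ingroup "$GROUP" \
           --disabled-password --disabled-login "$USER" || exit 1
       fi

       # Change the init.d script

       # First make a backup, never clobbering an earlier one: that is the
       # pristine copy restore() falls back to.  -p keeps the file mode.
       if [ ! -f "$INITDBAK" ]; then
         cp -p -- "$INITD" "$INITDBAK" || exit 1
       fi

       # Rewrite the backup into the live script:
       #  - the "start-stop-daemon --start" line, together with any
       #    backslash-continued lines belonging to it, becomes $START;
       #  - "/usr/sbin/ndc reload" becomes a stop/start cycle;
       #  - every other line is copied through unchanged.
       # The replacement text is handed to awk with -v instead of being
       # spliced into the program text through eval, so it is data to awk
       # and can never be parsed as awk code.
       awk -v start="$START" '
         /start-stop-daemon --start/ { print start; noprint = 1 }
         /\/usr\/sbin\/ndc reload/  { print "stop; sleep 2; start;"; noprint = 1 }
         # a trailing backslash continues a suppressed line onto the next one
         /\\$/ { if (noprint != 0) { noprint = noprint + 1 } }
         { if (noprint != 0) { noprint = noprint - 1 } else { print $0 } }
       ' "$INITDBAK" > "$INITD" || { restore; exit 1; }

       echo "WARN: The script $INITD has been changed, trying to test the changes."
       echo "Restarting the named daemon (check for errors here)."

       if ! "$INITD" restart; then
         echo "ERR:  Failed to restart the daemon." >&2
         restore
         exit 1
       fi

       # Check that named is running at all, and then that it runs as $USER.
       RUNUSER=$(named_user)
       if [ -z "$RUNUSER" ]; then
         echo "ERR:  Named is not running, probably due to a problem with the changes." >&2
         restore
         exit 1
       fi

       if [ "$RUNUSER" = "$USER" ]; then
         echo "All has gone well, named seems to be running now as $USER."
       else
         echo "ERR:  The script failed to automatically change the system." >&2
         echo "ERR:  Named is currently running as $RUNUSER." >&2
         restore
         exit 1
       fi

       exit 0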

O script anterior, executado no bind personalizado do Woody (Debian 3.0), irá produzir o arquivo initd abaixo depois de criar o usuário e o grupo 'named':

       #!/bin/sh
     
       # Fixed, trusted search path for everything this script runs.
       PATH=/sbin:/bin:/usr/sbin:/usr/bin

       # Nothing to do when the daemon binary is not installed.
       [ -x /usr/sbin/named ] || exit 0
     
       # Start named through start-stop-daemon, recording it in the pidfile.
       # Prints a one-line progress message ending in "." on stdout.
       start () {
         printf '%s' "Starting domain name service: named"
         start-stop-daemon --start --quiet \
             --pidfile /var/run/named.pid --exec /usr/sbin/named
         printf '%s\n' "."
       }
     
       # Stop named.  The process is located through the pidfile rather than
       # --exec: after a package upgrade the running daemon's binary has been
       # deleted, so --exec would no longer match it.
       # Prints a one-line progress message ending in "." on stdout.
       stop () {
         printf '%s' "Stopping domain name service: named"
         start-stop-daemon --stop --quiet \
             --pidfile /var/run/named.pid --name named
         printf '%s\n' "."
       }
     
       # Dispatch on the requested action.  restart and force-reload are the
       # same stop/start cycle; reload asks the running daemon to re-read its
       # configuration via ndc.  Unknown actions print usage and fail.
       case "$1" in
         start)                start ;;
         stop)                 stop ;;
         restart|force-reload) stop; sleep 2; start ;;
         reload)               /usr/sbin/ndc reload ;;
         *)
           echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
           exit 1
           ;;
       esac

       exit 0



Securing Debian Manual

v3.1, Mon, 10 Feb 2014 17:06:00 +0000

Javier Fernández-Sanguino Peña jfs@debian.org
Autores, Seção 1.1