

Securing Debian Manual
Appendix E - Sample script to change the default Bind installation.

This script automates the procedure for changing the default installation of the bind version 8 name server so that it does not run as the superuser. Note that bind version 9 in Debian already does this by default [84], and you are better off using that version rather than bind version 8.

The script is kept here for historical purposes and to show how this kind of system-wide change can be automated. It creates the user and group defined for the name server and modifies both /etc/default/bind and /etc/init.d/bind so that the program runs as that user. Use it with extreme care, since it has not been tested thoroughly.

You can also create the user manually and use the patch for the default init.d script that is attached to bug report #157245.

       #!/bin/sh
       # Change the default Debian bind v8 configuration to have it run
       # with a non-root user and group.
       #
       # DO NOT USE this with version 9, use debconf to configure this instead
       #
       # WARN: This script has not been tested thoroughly, please
       # verify the changes made to the INITD script

       # (c) 2002 Javier Fernández-Sanguino Peña
       #
       #    This program is free software; you can redistribute it and/or modify
       #    it under the terms of the GNU General Public License as published by
       #    the Free Software Foundation; either version 1, or (at your option)
       #    any later version.
       #
       #    This program is distributed in the hope that it will be useful,
       #    but WITHOUT ANY WARRANTY; without even the implied warranty of
       #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
       #    GNU General Public License for more details.
       #
       #     Please see the file `COPYING' for the complete copyright notice.
       #

       restore() {
       # Just in case, restore the system if the changes fail
         echo "WARN: Restoring to the previous setup since I'm unable to properly change it."
         echo "WARN: Please check the $INITDERR script."
         mv "$INITD" "$INITDERR"
         cp "$INITDBAK" "$INITD"
         # Also undo the OPTIONS line appended to the defaults file, otherwise
         # the restored init script would still be started with the new options
         [ -f "$DEFAULTBAK" ] && cp "$DEFAULTBAK" "$DEFAULT"
       }


       USER=named
       GROUP=named
       INITD=/etc/init.d/bind
       DEFAULT=/etc/default/bind
       INITDBAK=$INITD.preuserchange
       INITDERR=$INITD.changeerror
       DEFAULTBAK=$DEFAULT.preuserchange
       # awk program that replaces the "ndc reload" line of the init script
       # (together with any backslash-continued lines that follow it) with a
       # full stop/start: a reload cannot change the user the daemon runs as
       AWKS="awk ' /\/usr\/sbin\/ndc reload/ { print \"stop; sleep 2; start;\"; noprint = 1; } /\\\\$/ { if ( noprint != 0 ) { noprint = noprint + 1;} } /^.*$/ { if ( noprint != 0 ) { noprint = noprint - 1; } else { print \$0; } } '"

       [ `id -u` -ne 0 ] && {
         echo "This program must be run by the root user"
         exit 1
       }

       # Match on the command column only, so that the grep/awk process
       # itself is never picked up
       RUNUSER=`ps -eo user,comm | awk '$2 == "named" { print $1 }' | sort -u`

       if [ "$RUNUSER" = "$USER" ]
       then
         echo "WARN: The name server running daemon is already running as $USER"
         echo "ERR:  This script will not do any changes to your setup."
         exit 1
       fi
       if [ ! -f "$INITD" ]
       then
         echo "ERR:  This system does not have $INITD (which this script tries to change)"
         RUNNING=`ps -eo comm | grep -x named`
         [ -z "$RUNNING" ] && \
           echo "ERR:  In fact the name server daemon is not even running (is it installed?)"
         echo "ERR:  No changes will be made to your system"
         exit 1
       fi

       # Check if there are options already setup
       if [ -e "$DEFAULT" ]
       then
         if grep -q ^OPTIONS $DEFAULT; then
           echo "ERR:  The $DEFAULT file already has options set."
           echo "ERR:  No changes will be made to your system"
           exit 1
         fi
       fi

       # Check if named group exists (anchor the match to the name field,
       # a plain substring match would also hit e.g. "unnamed")
       if ! grep -q "^$GROUP:" /etc/group
       then
         echo "Creating group $GROUP:"
         addgroup $GROUP
       else
         echo "WARN: Group $GROUP already exists. Will not create it"
       fi
       # Same for the user
       if ! grep -q "^$USER:" /etc/passwd
       then
         echo "Creating user $USER:"
         adduser --system --home /home/$USER \
           --no-create-home --ingroup $GROUP \
           --disabled-password --disabled-login $USER
       else
         echo "WARN: The user $USER already exists. Will not create it"
       fi

       # Change the init.d script

       # First make a backup (check that there is not already
       # one there first); do the same for the defaults file
       if [ ! -f "$INITDBAK" ]
       then
         cp "$INITD" "$INITDBAK"
       fi
       if [ -f "$DEFAULT" ] && [ ! -f "$DEFAULTBAK" ]
       then
         cp "$DEFAULT" "$DEFAULTBAK"
       fi

       # Then use it to change it
       if ! eval $AWKS < "$INITDBAK" > "$INITD"
       then
         echo "ERR:  Could not rewrite $INITD."
         restore
         exit 1
       fi

       # Now put the options in the /etc/default/bind file:
       cat >>$DEFAULT <<EOF
     # Make bind run with the user we defined
     OPTIONS="-u $USER -g $GROUP"
     EOF

       echo "WARN: The script $INITD has been changed, trying to test the changes."
       echo "Restarting the named daemon (check for errors here)."

       if ! $INITD restart
       then
         echo "ERR:  Failed to restart the daemon."
         restore
         exit 1
       fi

       RUNNING=`ps -eo comm | grep -x named`
       if [ -z "$RUNNING" ]
       then
         echo "ERR:  Named is not running, probably due to a problem with the changes."
         restore
         exit 1
       fi

       # Check if it's running as expected
       RUNUSER=`ps -eo user,comm | awk '$2 == "named" { print $1 }' | sort -u`

       if [ "$RUNUSER" = "$USER" ]
       then
         echo "All has gone well, named seems to be running now as $USER."
       else
         echo "ERR:  The script failed to automatically change the system."
         echo "ERR:  Named is currently running as $RUNUSER."
         restore
         exit 1
       fi

       exit 0

The previous script, when run on Woody's (Debian 3.0) customized bind (version 8), will modify the initd file after creating the 'named' user and group, and will
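As an added example (not part of the manual or of its script), here is a small POSIX shell check for the outcome the script above aims at: it reads an /etc/default/bind-style OPTIONS line and `ps -eo user,comm` output, both passed in as strings so it runs offline on constructed samples, and confirms that named is running as the configured non-root user. The function names and the sample inputs are my own; the "named" process name and the `-u`/`-g` OPTIONS format are the ones the appendix uses.

```shell
#!/bin/sh
# Added example: verify that bind really dropped privileges, using the two
# signals the appendix script relies on (OPTIONS in /etc/default/bind and
# the user column of ps). Inputs are strings so the check is testable offline.

# Print the user given with -u in an OPTIONS="..." line of $1, or nothing
# when there is no OPTIONS line or no -u flag.
options_user() {
    printf '%s\n' "$1" | sed -n 's/^OPTIONS="\(.*\)"$/\1/p' \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "-u") print $(i + 1) }'
}

# Print the user(s) the process named $2 runs as, from "ps -eo user,comm"
# style output in $1. Comparing the command column avoids the classic
# "ps | grep named" pitfall of matching the grep process itself.
daemon_user() {
    printf '%s\n' "$1" | awk -v name="$2" 'NR > 1 && $2 == name { print $1 }' | sort -u
}

# 0 when named runs as the user configured in OPTIONS and that user is
# not root; 1 otherwise (no OPTIONS, root configured, or user mismatch).
check_privdrop() {
    want=$(options_user "$1")
    [ -n "$want" ] || return 1
    [ "$want" != "root" ] || return 1
    got=$(daemon_user "$2" named)
    [ "$got" = "$want" ]
}

# Constructed sample inputs (not real system output)
GOOD_DEFAULT='# Make bind run with the user we defined
OPTIONS="-u named -g named"'
GOOD_PS='USER     COMMAND
root     init
named    named
jfs      grep'
BAD_PS='USER     COMMAND
root     init
root     named'

if check_privdrop "$GOOD_DEFAULT" "$GOOD_PS"; then
    echo "named runs as the configured unprivileged user"
fi
```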





Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000

Javier Fernández-Sanguino Peña jfs@debian.org
Author, Section 1.1