From owner-freebsd-questions Sat Apr 27 16: 7: 3 2002 Delivered-To: freebsd-questions@freebsd.org Received: from darwin.lastamericanempire.com (dsl081-101-239.den1.dsl.speakeasy.net [64.81.101.239]) by hub.freebsd.org (Postfix) with ESMTP id CD5F837B419 for ; Sat, 27 Apr 2002 16:06:50 -0700 (PDT) Received: by darwin.lastamericanempire.com (Postfix, from userid 1001) id D62E51D101; Sat, 27 Apr 2002 17:06:47 -0600 (MDT) Date: Sat, 27 Apr 2002 17:06:47 -0600 From: Zach Thompson To: "Philip J. Koenig" Cc: questions@FreeBSD.ORG Subject: Re: Comments Requested: Chrooting Bind9 on FreeBSD Message-ID: <20020427170647.A341@darwin.lastamericanempire.com> Mail-Followup-To: Zach Thompson , "Philip J. Koenig" , questions@FreeBSD.ORG References: <20020427104811403.AAA813@empty1.ekahuna.com@pc02.ekahuna.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020427104811403.AAA813@empty1.ekahuna.com@pc02.ekahuna.com>; from pjklist@ekahuna.com on Sat, Apr 27, 2002 at 03:48:11AM -0700 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG * Philip J. Koenig [2002-04-27 04:48]: > I also wanted to run this server chrooted, and there were no "howto" > documents on this. After spending quite a while agonizing through > this process, and also running into some early Bind9 bugs, I decided > to make the best of the time spent by documenting the process so at > least other people could bypass some of the tribulations. > > I initially wanted to put this document out there a few months ago, > but I lost track of where I saved it. :-/ Since someone recently > asked on the group about this exact subject, and because there had > been some misinformation given out, I figured I'd look for it again, > and lo-and-behold, finally dug it up. > > I'd like to eventually put this on a webpage, or even contribute it > to some kind of documentation project if that seems appropriate. At > this time I'd like to solicit comments on the document so I can > correct any obvious errors before claiming any sort of authoritative > status for it. > Phil, Your post was rather fortuitous for me as I was just considering installing bind9 this weekend ;-) Anyhow, I decided to give your doc a spin and everything seems to be working fine. I actually installed it twice. First, I specified sysconfdir as you did just to find out if it worked. Then I uninstalled and reinstalled without specifying it. I figured that if the new sysconfdir was /usr/local/etc why not just switch to it now. Also, though you didn't specify it, I installed from ports. I think this would be a good change to your doc as it makes removing it simpler in the event that something goes wrong. Also, you get the other CONFIGURE_ARGS checks thrown in. What about removing the files /usr/sbin/named.restart and /usr/sbin/named.reload? Thanks for the doc! It's definitely something I wouldn't mind being able to look up on bsdsearch, bsdvault, etc. Cheers, Zach Thompson > > ================================================= > > USING BIND9 SECURELY ON FREEBSD > > FreeBSD 4.x includes Bind as part of the base system, but > currently it is version 8. There is a Bind9 port, but at > various times it falls behind the current release and by > default it is not setup to run in the most secure manner. > > This document details how to install a current version of > Bind9 on FreeBSD 4.x, and how to make it work in a "chroot > jail"*, which is a standard practice to help secure any > public internet server running under Unix or its workalikes. > > *(FreeBSD also incorporates a special feature simply called > "Jail" which goes even further than chroot to isolate a > running process for security purposes. For more information, > type "man jail" for the jail manpage) > > > CHROOT OVERVIEW > > What chroot essentially does is to create a "fake root" > directory - from the perspective of the daemon, the whole > file system is rooted at this "chroot" directory. Therefore > the only files/directories the daemon can see, are those > located within this directory. (In some ways this is not > unlike the view of the filesystem given to ftp users when > the default "ftp root" of an ftp server is set to something > other than the "real" root directory.) > > > FREEBSD DETAILS > > On FreeBSD, the default location for Bind's configuration > files is /etc/namedb. Sometimes we also use a subdirectory > /etc/namedb/s, this is used to create a "sandbox", which > limits some of the access the named daemon has but not > nearly as securely as using chroot. Bind9 now has a special > feature which makes it a little easier to chroot, among > other things eliminating the need to place shared libraries > and other executables in the "chroot jail". > > Since Bind already exists in the base FreeBSD system, for > thoroughness we should consider renaming the existing files > in order to minimize confusion and mixed versions. Here is > a list of files to consider renaming or removing: > > /usr/bin/dig > /usr/bin/dnsquery > /usr/bin/host > /usr/libexec/dnskeygen > /usr/libexec/named-xfer > /usr/sbin/named > /usr/sbin/ndc > /usr/sbin/nslookup > /usr/sbin/nsupdate > > For those who regularly rebuild their system from source, > once you've installed an independent version of Bind it's > best to configure your system to no longer build the version > in the base system. This is done by adding the following > entry to /etc/make.conf (if this file doesn't exist, just > create it and add the following line - like rc.conf it > only contains items which override default settings): > > NO_BIND= true > > We will move our configuration and other necessary files > to /var/chroot/named, which will allow us to create logfiles > within the chroot jail without filling up ie the / filesystem. > > Create the necessary directories and permissions: > > mkdir /var/chroot > mkdir /var/chroot/named > chown bind.bind /var/chroot/named > chmod 750 /var/chroot/named > cd /var/chroot/named > mkdir etc > mkdir etc/namedb > mkdir var > mkdir dev > > Create the special files and set permissions: > > cp -p /etc/localtime /var/chroot/named/etc > cp -p /etc/syslog.conf /var/chroot/named/etc > cd /var/chroot/named/dev > mknod zero c 2 12 > chmod 666 zero > mknod random c 2 4 > chmod 644 random > mknod null c 2 2 > chmod 666 null > > Create a chrooted syslog socket by adding or editing syslog > parameters in /etc/rc.conf thusly: > > syslogd_flags="-s -l /var/chroot/named/dev/log" > > > Build the distribution: > > - Extract the distribution into a suitable directory (I use > /usr/local/src) > - run ./configure and customize the destination paths if > necessary. > > ./configure --sysconfdir=/etc/namedb > > > Bear in mind that the "sysconfdir" is from the perspective of > the chrooted daemon - thus make sure it is *relative* to the > chrooted directory. Actually if you create a directory structure > in the chrooted directory which is identical to the normal one > as seen from /, you can leave all the path declarations at their > defaults. I just chose to emulate the default named.conf location > in FreeBSD. > > In my case the build process did not put any default files in > /var/chroot/named/etc/namedb, so I copied the ones from the Bind8 > installation in /etc/namedb: make-localhost, PROTO.localhost.rev, > named.root. (make-localhost is used to create a localhost reverse > zone) > > Setup rndc: > > rndc-confgen -a -t /var/chroot/named -u bind > > The above should create a rndc-key file under /etc and the > chrooted configuration directory. > > Create rndc configuration strings: > > rndc-confgen >rndc.out > > Inside the file just created above are 2 clearly marked sections: > one to place inside your named.conf file, and the other to form > a new configuration file /etc/rndc.conf. If these files don't > exist when Bind is started it will complain and exit. > > > BIND9 CONFIGURATION DETAILS > > Most of Bind9 is similiar syntax-wise to Bind8, with a few > notable exceptions. > > If you are customizing the logging parameters, bear in mind > that Bind9 does not parse customized logging parameters > immediately on startup. This means that regardless your > customizations, startup messages will always go to the Bind > default location. (syslog) > > Also the logging categories have changed, if you've customized > the defaults don't forget to look at this. Check in section > 6.2 of the Bind9 Administrators Reference Manual for complete > details. Quick summary as of v9.2.0: > > Removed > cname, db, eventlib, insists, load, maintenance, > ncache, os, packet, panic, parser, response-checks, > statistics > New > client, database, dispatch, dnssec, general, network, > resolver, unmatched > > Remember that when you're running chrooted, logfiles need > to be located somewhere under the chroot directory, and paths > listed in named.conf are all relative to the chroot directory, > not to the "real" root. Make sure the directories that Bind > needs to write to (to backup zone files for secondary zones, > and update the named.pid file) are writable to the user the > daemon is running under. > > > LAUNCHING THE DAEMON > > I prefer to stick with existing scripts so I can continue to use > rc.conf to enable/disable Bind or modify launch parameters. To > adapt it to our needs, make sure the following appears in rc.conf: > > named_enable="YES" > named_program="/usr/local/sbin/named" > named_flags="-u bind -t /var/chroot/named" > > > (Bind9 has changed the meaning of the "-g" param, so make sure > to remove it if it was there for Bind8. "-t" activates Bind9's > special chroot feature.) > > > > Acknowledgements: > > Information on the necessary steps for this project was > acquired from both ISC Bind documentation and certain > posters on the comp.protocols.dns.bind newsgroup. In > particular I want to acknowledge Will Yardley, Mark > Andrews, Joseph Begumisa, "Exile" and Ralf Hildebrandt > for his excellent piece on chrooting Bind on HP-UX 9/10 > at http://www.stahl.bau.tu-bs.de/~hildeb/bind/. > > > Bind9_FreeBSD_chroot.txt v0.9 2002-04-27 > Phil Koenig > > > ================================================= > > > > -- > Philip J. Koenig pjklist@ekahuna.com > Electric Kahuna Systems -- Computers & Communications for the New Millenium > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message