Date:      Sun, 14 Jul 2002 15:28:03 +0200
From:      Ruben de Groot <fbsd-q@bzerk.org>
To:        Stacey Roberts <sroberts@dsl.pipex.com>
Cc:        FreeBSD-Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: [Fwd: RE: Cannot start bind in sandbox?]
Message-ID:  <20020714152803.A25848@ei.bzerk.org>
In-Reply-To: <1026648971.97896.39.camel@Demon.vickiandstacey.com>; from sroberts@dsl.pipex.com on Sun, Jul 14, 2002 at 01:16:10PM +0100
References:  <1026642642.97896.16.camel@Demon.vickiandstacey.com> <20020714112233.GC25158@happy-idiot-talk.infracaninophi> <1026648971.97896.39.camel@Demon.vickiandstacey.com>


Hi,

Have you considered the jail(8) command for securing BIND? It's even
more secure than the normal chrooted sandbox.
I had a hard time finding the right documentation on this as well, so 
I wrote this little howto:

http://www.xs4all.nl/~rubeng/files/bindjail.html

hope this helps

Ruben 

On Sun, Jul 14, 2002 at 01:16:10PM +0100, Stacey Roberts typed:
> Hi,
>   Not to appear to be targeting you, but can you tell me if the
> procedure in either of the books (note that FBSD Unleashed does *not*
> mention moving anything to the sandbox dir) is indeed *supposed* to
> work?
> 
> I am hoping to implement as standardized a set-up as possible - for
> future replication across other machines, so I really would like to get
> someone's position on this before proceeding with customised
> configurations / settings. 
> 
> Strange this: running bind without (my attempted) sandbox configs works
> fine; it is when I try to secure bind (again, as per the available docs
> / books) that errors occur, so this is what I need to get to the bottom
> of. Failing this, we're looking at keeping DNS services on the Windows
> boxes - which is the point of looking to a FreeBSD solution.
> 
> Thanks again; shame no-one else is responding to this. I would have
> thought that many others would be interested in the validity of what is
> written and advertised (in some cases) as required reading.
> 
> Regards,
> Stacey
> 
> 
> On Sun, 2002-07-14 at 12:22, Matthew Seaman wrote:
> > On Sun, Jul 14, 2002 at 11:30:42AM +0100, Stacey Roberts wrote:
> > 
> > > (sigh!) There's no mention of moving "the named binary" into the sandbox
> > > dir in *any* of the books I've got in front of me.
> > 
> > You don't *have* to do that, although it will do no harm.  I tell you
> > this from very recent experience, as I saw your post and thought "why
> > aren't I running with my named chrooted?"  The instructions I gave
> > earlier worked for me, with the addendum that you should also do:
> > 
> >     mkdir -p /var/named/var/run
> > 
> > and then kill and restart named.  That lets you use ndc(8) to control
> > named(8), but you have to use the `-c' flag to ndc to tell it where to
> > find the command channel:
> > 
> >     ndc -c /var/named/var/run/ndc status
> > 
> > To enable the chroot'ed named to log stuff via syslog, you need to
> > tell syslogd(8) to listen on an additional logging socket within the
> > chrooted filespace:
> > 
> >     syslogd -l /var/named/var/run/log
> > 
> > 	Cheers,
> > 
> > 	Matthew
> > 
> > -- 
> > Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
> >                                                       Savill Way
> > Tel: +44 1628 476614                                  Marlow
> > Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
> -- 
> Stacey Roberts B.Sc. (HONS) Computer Science
> Network Systems Engineer







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020714152803.A25848>