From: Ruben de Groot
To: Stacey Roberts
Cc: FreeBSD-Questions
Subject: Re: [Fwd: RE: Cannot start bind in sandbox?]
Date: Sun, 14 Jul 2002 15:28:03 +0200
Message-ID: <20020714152803.A25848@ei.bzerk.org>
In-Reply-To: <1026648971.97896.39.camel@Demon.vickiandstacey.com>

Hi,

Have you considered the jail(8) command for securing BIND? It's even more secure than the normal chrooted sandbox.
I had a hard time finding the right documentation on this as well, so I wrote this little howto:

http://www.xs4all.nl/~rubeng/files/bindjail.html

Hope this helps,

Ruben

On Sun, Jul 14, 2002 at 01:16:10PM +0100, Stacey Roberts typed:
> Hi,
> Not to appear to be targeting you, but can you tell me if the
> procedure in either of the books (note that FBSD Unleashed does *not*
> mention moving anything to the sandbox dir) is indeed *supposed* to
> work?
>
> I am hoping to implement as standardized a set-up as possible - for
> future replication across other machines, so I really would like to get
> someone's position on this before proceeding with customised
> configurations / settings.
>
> Strange this, running bind without (my attempted) sandbox configs works
> fine; it is when I try to secure bind (again, as per the available docs
> / books) that errors occur, so this is what I need to get to the bottom
> of. Failing this, we're looking at keeping DNS services on the Windows
> boxes - which is the point of looking to a FreeBSD solution.
>
> Thanks again, shame no-one else is responding to this. I would have
> thought that many others would be interested in the validity of what is
> written and advertised (in some cases) as required reading.
>
> Regards,
> Stacey
>
>
> On Sun, 2002-07-14 at 12:22, Matthew Seaman wrote:
> > On Sun, Jul 14, 2002 at 11:30:42AM +0100, Stacey Roberts wrote:
> >
> > > (sigh!) There's no mention of moving "the named binary" into the sandbox
> > > dir in *any* of the books I've got in front of me.
> >
> > You don't *have* to do that, although it will do no harm. I tell you
> > this from very recent experience, as I saw your post and thought "why
> > aren't I running with my named chrooted?" The instructions I gave
> > earlier worked for me, with the addendum that you should also do:
> >
> >     mkdir -p /var/named/var/run
> >
> > and then kill and restart named.
> > That lets you use ndc(8) to control
> > named(8), but you have to use the `-c' flag to ndc to tell it where to
> > find the command channel:
> >
> >     ndc -c /var/named/var/run/ndc status
> >
> > To enable the chroot'ed named to log stuff via syslog, you need to
> > tell syslogd(8) to listen on an additional logging socket within the
> > chrooted filespace:
> >
> >     syslogd -l /var/named/var/run/log
> >
> > Cheers,
> >
> > Matthew
> >
> > --
> > Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
> >                                                       Savill Way
> > Tel: +44 1628 476614                                  Marlow
> > Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
> --
> Stacey Roberts B.Sc. (HONS) Computer Science
> Network Systems Engineer
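The quoted replies above describe three pieces of a chrooted named(8) setup: the `var/run` directory inside the sandbox, the ndc command channel at `/var/named/var/run/ndc`, and the extra syslogd socket at `/var/named/var/run/log`. The script below is an added example, not code from the thread or from FreeBSD, that checks such a layout before named is restarted. It assumes the sandbox root is `/var/named` with `etc/namedb/named.conf` and `var/run` beneath it; pass a different base directory as the first argument to check another layout. It also verifies that the `log` path, if present, really is a socket (a plain file there means syslogd was not started with `-l` and named's messages go nowhere) and that `var/run` is not world-writable.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a chroot sandbox
# layout for named(8). Assumed paths: $base/etc/namedb/named.conf,
# $base/var/run/ndc (command channel), $base/var/run/log (syslog socket).
# Prints one line per problem found and returns 0 only when all checks pass.

check_named_sandbox() {
    base="$1"
    rc=0

    # Directories named(8) needs inside the chroot.
    for d in "$base/etc/namedb" "$base/var/run"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d"
            rc=1
        fi
    done

    # named.conf must be readable from inside the sandbox; once chrooted,
    # named cannot see the host's /etc/namedb.
    if [ ! -f "$base/etc/namedb/named.conf" ]; then
        echo "missing config: $base/etc/namedb/named.conf"
        rc=1
    fi

    # If the syslogd -l path exists it must be a socket, not a regular file.
    if [ -e "$base/var/run/log" ] && [ ! -S "$base/var/run/log" ]; then
        echo "not a socket: $base/var/run/log"
        rc=1
    fi

    # The run directory holds the ndc command channel and pid file, so it
    # must not be writable by every local user.
    if [ -d "$base/var/run" ] && \
       [ -n "$(find "$base/var/run" -prune -perm -002 -print)" ]; then
        echo "world-writable: $base/var/run"
        rc=1
    fi

    return $rc
}

# When run with a directory argument, check that sandbox root, e.g.:
#   sh check_named_sandbox.sh /var/named
if [ $# -gt 0 ]; then
    check_named_sandbox "$1"
fi
```

Run it as root against the real sandbox after creating the directories and before restarting named; an empty output and a zero exit status mean the layout matches what the replies describe.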