From owner-freebsd-questions Sun Jul 14 6:47:26 2002
Subject: Re: [Fwd: RE: Cannot start bind in sandbox?]
From: Stacey Roberts
Reply-To: sroberts@dsl.pipex.com
To: Ruben de Groot
Cc: FreeBSD-Questions
In-Reply-To: <20020714152803.A25848@ei.bzerk.org>
Date: 14 Jul 2002 14:47:25 +0100
Message-Id: <1026654446.97896.72.camel@Demon.vickiandstacey.com>

Hi Ruben,

Thanks for the kind reply. I had a look at the link you provided, and I
am impressed with the detail mentioned in there.

However, I am in the (un)enviable position of attempting to convince
others that with the BSD variants, there is at least some conforming to
standardised (RFCs, et al), so the situation is such that I should
really be trying to get to the stage where I can say: "here's the
express procedure for doing x, and this is why we should be going with
this solution." However, I now find that bind / named isn't as
straightforward and well-documented in FreeBSD as I once thought (hoped).

Forgive me for what might be taken as a rant, but as you said: "I had a
hard time finding the right documentation on this as well". So, to me
the obvious questions (left unanswered) are:

1] Did you find that documentation?
2] If so, where is it?

The stage I'm at for now is a feeling that (as far as DNS & bind is
concerned) on FreeBSD, this is pretty much a skulking around for
"whatever works for me" solution, which is pretty much a show stopper
for this project, I'm afraid - no way I dress this up any which way
other than that.

I'll keep plodding around, but it looks like the Windows machines
around here are looking safe for the foreseeable future.

Thanks again for taking the time, on a Sunday too :-)

Stacey

On Sun, 2002-07-14 at 14:28, Ruben de Groot wrote:
>
> Hi,
>
> Have you considered the jail(8) command for securing BIND? It's even
> more secure than the normal chrooted sandbox.
> I had a hard time finding the right documentation on this as well, so
> I wrote this little howto:
>
> http://www.xs4all.nl/~rubeng/files/bindjail.html
>
> hope this helps
>
> Ruben
>
> On Sun, Jul 14, 2002 at 01:16:10PM +0100, Stacey Roberts typed:
> > Hi,
> > Not to appear to be targeting you, but can you tell me if the
> > procedure in either of the books (note that FBSD Unleashed does *not*
> > mention moving anything to the sandbox dir) is indeed *supposed* to
> > work?
> >
> > I am hoping to implement as standardized a set-up as possible - for
> > future replication across other machines, so I really would like to get
> > someone's position on this before proceeding with customised
> > configurations / settings.
> >
> > Strange this, running bind without (my attempted) sandbox configs works
> > fine; it is when I try to secure bind (again, as per the available docs
> > / books) that errors occur, so this is what I need to get to the bottom
> > of. Failing this, we're looking at keeping DNS services on the Windows
> > boxes - which is the point of looking to a FreeBSD solution.
> >
> > Thanks again; shame no-one else is responding to this. I would have
> > thought that many others would be interested in the validity of what is
> > written and advertised (in some cases) as required reading.
> >
> > Regards,
> > Stacey
> >
> >
> > On Sun, 2002-07-14 at 12:22, Matthew Seaman wrote:
> > > On Sun, Jul 14, 2002 at 11:30:42AM +0100, Stacey Roberts wrote:
> > >
> > > > (sigh!) There's no mention of moving "the named binary" into the sandbox
> > > > dir in *any* of the books I've got in front of me.
> > >
> > > You don't *have* to do that, although it will do no harm. I tell you
> > > this from very recent experience, as I saw your post and thought "why
> > > aren't I running with my named chrooted?" The instructions I gave
> > > earlier worked for me, with the addendum that you should also do:
> > >
> > >     mkdir -p /var/named/var/run
> > >
> > > and then kill and restart named. That lets you use ndc(8) to control
> > > named(8), but you have to use the `-c' flag to ndc to tell it where to
> > > find the command channel:
> > >
> > >     ndc -c /var/named/var/run/ndc status
> > >
> > > To enable the chroot'ed named to log stuff via syslog, you need to
> > > tell syslogd(8) to listen on an additional logging socket within the
> > > chrooted filespace:
> > >
> > >     syslogd -l /var/named/var/run/log
> > >
> > > Cheers,
> > >
> > > Matthew
> > >
> > > --
> > > Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
> > >                                                       Savill Way
> > > Tel: +44 1628 476614                                  Marlow
> > > Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
> > --
> > Stacey Roberts B.Sc. (HONS) Computer Science
> > Network Systems Engineer
>
>
--
Stacey Roberts B.Sc. (HONS) Computer Science
Network Systems Engineer
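Matthew's three steps quoted above (create the run directory under the sandbox, point ndc at the control socket, give syslogd an extra socket inside the chroot), as an added shell example that is not from the thread or from FreeBSD's own rc scripts: it lays out the run directory and checks that both sockets actually exist as sockets under the sandbox root. The sandbox root is taken as a parameter (on a real host it is /var/named) and the function names are my own assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): prepare and sanity-check the
# chrooted named(8) sandbox layout described in the thread. The sandbox
# root is a parameter so the checks can be exercised on a scratch
# directory; on a production box it is /var/named.

# Step from the thread: "mkdir -p /var/named/var/run". This is where the
# chrooted named drops its ndc control socket and where "syslogd -l"
# creates the extra logging socket.
prepare_sandbox() {
    root=$1
    mkdir -p "$root/var/run" || return 1
    [ -d "$root/var/run" ]
}

# Report whether the two sockets the thread relies on exist as sockets
# (-S, not just as stale files) under the sandbox. Returns 0 only when
# both are present, so it can gate a restart script or a monitoring probe.
check_sandbox() {
    root=$1
    rc=0
    for sock in "$root/var/run/ndc" "$root/var/run/log"; do
        if [ -S "$sock" ]; then
            echo "ok: $sock is a socket"
        else
            echo "missing: $sock (named not restarted, or syslogd run without -l?)" >&2
            rc=1
        fi
    done
    return $rc
}

# The two command lines from the thread, parameterised on the sandbox root.
# Only meaningful on a host where named and syslogd are actually running.
named_status()  { ndc -c "$1/var/run/ndc" status; }
syslogd_chroot_socket() { syslogd -l "$1/var/run/log"; }
```

Run `prepare_sandbox /var/named` before restarting named, then `check_sandbox /var/named` after named and syslogd are up; a "missing" line for the ndc socket means ndc -c will have nothing to talk to.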