From owner-freebsd-doc Thu Nov 29 12:20:39 2001 Delivered-To: freebsd-doc@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id F3C8D37B417 for ; Thu, 29 Nov 2001 12:20:00 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id fATKK0573359; Thu, 29 Nov 2001 12:20:00 -0800 (PST) (envelope-from gnats) Received: from relay3-gui.server.ntli.net (relay3-gui.server.ntli.net [194.168.4.200]) by hub.freebsd.org (Postfix) with ESMTP id 880E637B420 for ; Thu, 29 Nov 2001 12:17:14 -0800 (PST) Received: from pc3-card4-0-cust122.cdf.cable.ntl.com ([62.254.251.122] helo=rhadamanth.private.submonkey.net ident=exim) by relay3-gui.server.ntli.net with esmtp (Exim 3.03 #2) id 169XcO-0000O5-00 for FreeBSD-gnats-submit@freebsd.org; Thu, 29 Nov 2001 20:17:12 +0000 Received: from setantae by rhadamanth.private.submonkey.net with local (Exim 3.33 #1) id 169XcG-0002PM-00 for FreeBSD-gnats-submit@freebsd.org; Thu, 29 Nov 2001 20:17:04 +0000 Message-Id: Date: Thu, 29 Nov 2001 20:17:04 +0000 
From: Ceri Reply-To: Ceri To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 Subject: docs/32381: [PATCH] Handbook section on chrooting named is not correct Sender: owner-freebsd-doc@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 32381 >Category: docs >Synopsis: [PATCH] Handbook section on chrooting named is not correct >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: current-users >Arrival-Date: Thu Nov 29 12:20:00 PST 2001 >Closed-Date: >Last-Modified: >Originator: Ceri >Release: FreeBSD 4.4-STABLE i386 >Organization: >Environment: System: FreeBSD rhadamanth.private.submonkey.net 4.4-STABLE FreeBSD 4.4-STABLE #0: Mon Nov 26 13:11:22 GMT 2001 setantae@rhadamanth.private.submonkey.net:/usr/obj/usr/src/sys/RHADAMANTH i386 Today's doc tree. >Description: The handbook's explanation of how to chroot named does not work. >How-To-Repeat: Read it. >Fix: Apply this patch. As always, the markup may be dodgy, and comments are welcome. Ceri --- doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml.old Thu Nov 29 20:13:11 2001 +++ doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml Thu Nov 29 20:12:57 2001 @@ -131,10 +131,10 @@ will cover in the next section) and the localhost route. - loopback device - The interface (Netif column) that it specifies - to use for localhost is - lo0, also known as the loopback device. This +loopback device +The interface (Netif column) that it specifies +to use for localhost is +lo0, also known as the loopback device. This says to keep all traffic for this destination internal, rather than sending it out over the LAN, since it will only end up back where it started. @@ -4150,8 +4150,9 @@ - Mike - Makonnen + Ceri + Davies +
setantae@submonkey.net
Contributed by
@@ -4166,105 +4167,199 @@ chroot - For added security you may want to run &man.named.8; in a - sandbox. This will reduce the potential damage should it be - compromised. If you include a sandbox directory in its command - line, named will &man.chroot.8; - into that directory immediately upon finishing processing its - command line. It is also a good idea to have named run as a - non-privileged user in the sandbox. The default FreeBSD install - contains a user bind with group bind. If we wanted the sandbox in - the /etc/namedb/sandbox directory the command - line for named would look like this: - - &prompt.root; /usr/sbin/named -u bind -g bind -t /etc/namedb/sandbox <path_to_named.conf> - - The following steps should be taken in order to - successfully run named in a sandbox. Throughout the following - discussion we will assume the path to your sandbox is - /etc/namedb/sandbox - + For added security you may want to run &man.named.8; as an + unprivileged user, and configure it to &man.chroot.8; into a + sandbox directory. This makes everything outside of the sandbox + inaccessible to the named daemon. Should + named be compromised, this will help to + reduce the damage that can be caused. By default, FreeBSD has a user + and a group called bind, intended for this use. + + Various people would recommend that instead of configuring + named to chroot, you + should run named inside a &man.jail.8;. This + section does not attempt to cover this situation. + + Since named will not be able to + access anything outside of the sandbox (such as shared libraries, + log sockets, etc.), there are a number of steps that need to be + followed in order to allow named to + function correctly. In the following checklist, it is assumed + that the path to the sandbox is /etc/namedb + and that you have made no prior modifications to the contents of + this directory. Perform the following steps as root. 
- - Create the sandbox directory: - /etc/namedb/sandbox - - - Create other necessary directories off of the sandbox - directory: etc and - var/run - - - copy /etc/localtime to - sandbox/etc - - - - make bind:bind the owner of all files and directories in - the sandbox: - &prompt.root; chown -R bind:bind /etc/namedb/sandbox - &prompt.root; chmod -R 750 /etc/namedb/sandbox - - - + + Create all directories that named + expects to see: - There are some issues you need to be aware of when running - named in a sandbox. + &prompt.root; cd /etc/namedb +&prompt.root; mkdir -p bin dev etc var/tmp var/run master slave +&prompt.root; chown bind:bind slave var/* - - - Your &man.named.conf.5; file and all your zone files must - be in the sandbox - - - - sandbox/etc/localtime is needed - in order to have the correct time for your time zone in - log messages. - - - &man.named.8; will write its process id to a file in - sandbox/var/run - - - The Unix socket used for communication by the &man.ndc.8; - utility will be created in - sandbox/var/run - - - When using the &man.ndc.8; utility you need to specify the - location of the Unix socket created in the sandbox, by - &man.named.8;, by using the -c switch: - &prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndc - - - - If you enable logging to file, the log files must be - in the sandbox - - + + + named only needs write access to + these directories, so that is all we give it. + + + + + Rearrange and create basic zone and configuration files: + &prompt.root; cp /etc/localtime etc +&prompt.root; mv named.conf etc && ln -sf etc/named.conf +&prompt.root; mv named.root master + +&prompt.root; sh make-localhost && mv localhost.rev master +&prompt.root; cat > named.localhost +$ORIGIN localhost. +$TTL 6h +@ IN SOA localhost. postmaster.localhost. ( + 1 ; serial + 3600 ; refresh + 1800 ; retry + 604800 ; expiration + 3600 ) ; minimum + IN NS localhost. 
+ IN A 127.0.0.1 +^D - &man.named.8; can be started in a sandbox properly, if the - following is in /etc/rc.conf: - - named_flags="-u bind -g bind -t /etc/namedb/sandbox <path_to_named.conf>" - + + + This allows named to log the + correct time to &man.syslogd.8; + + + + + Build a statically linked copy of + named-xfer, and copy it into the sandbox: - - How to Use the Name Server + &prompt.root; cd /usr/src/lib/libisc && make clean all +&prompt.root; cd /usr/src/lib/libbind && make clean all +&prompt.root; cd /usr/src/libexec/named-xfer && make NOSHARED=yes all +&prompt.root; cp named-xfer /etc/namedb/bin && chmod 555 /etc/namedb/bin/named-xfer + + + Make a dev/null that + named can see and write to: - If setup properly, the name server should be accessible through - the network and locally. /etc/resolv.conf must - contain a name server entry with the local IP address so it will query the - local name server first. - + &prompt.root; cd /etc/namedb/dev && mknod null c 2 2 +&prompt.root; chmod 666 null + + + Symlink /var/run/ndc to + /etc/namedb/var/run/ndc: + + &prompt.root; ln -sf /etc/namedb/var/run/ndc /var/run/ndc + + This simply avoids having to specify the + option to &man.ndc.8; every time you run it. If this is something + that you find useful, you may wish to add this entry to root's + crontab, making use of the option. See + &man.crontab.5; for more information regarding this. + + + Configure &man.syslogd.8; to create an extra log + socket that named can write to. To do + this, add -l /etc/namedb/dev/log to the + syslogd_flags variable in + /etc/rc.conf. + + + Arrange to have named start and + chroot itself to the sandbox by adding the following + to /etc/rc.conf: + named_enable="YES" +named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf" + + Note that the configuration file + /etc/named.conf is denoted by a full + pathname relative to the sandbox, i.e. 
in + the line above, the file referred to is actually + /etc/namedb/etc/named.conf/ + + + + The next step is to edit /etc/namedb/etc/named.conf + so that named knows which zones to load and + where to find them on the disk. There follows a commented example + (anything not specifically commented here is no different from the + setup for a DNS server not running in a sandbox): + + options { + directory "/"; + named-xfer "/bin/named-xfer"; + version ""; // Don't reveal BIND version + query-source address * port 53; +}; +// ndc control socket +controls { + unix "/var/run/ndc" perm 0600 owner 0 group 0; +}; +// Zones follow: +zone "localhost" IN { + type master; + file "master/named.localhost"; + allow-transfer { localhost; }; + notify no; +}; +zone "0.0.127.in-addr.arpa" IN { + type master; + file "master/named.loopback"; + allow-transfer { localhost; }; + notify no; +}; +zone "." IN { + type hint; + file "master/named.root"; +}; +zone "private.example.net" in { + type master; + file "master/private.example.net.db"; + allow-transfer { 192.168.10.0/24; }; +}; +zone "10.168.192.in-addr.arpa" in { + type slave; + masters { 192.168.10.2; }; + file "slave/192.168.10.db"; +}; + + + The directory + statement is specified as /, since all files + that named needs are within this directory + (recall that this is equivalent to a normal user's + /etc/namedb. + + Specifies the full path to the + named-xfer binary (from named's + frame of reference). This is necessary since named + is compiled to look for named-xfer in + /usr/libexec by default. + + Specifies the filename (relative + to the directory statement above) where + named can find the zonefile for this + zone. + + Specifies the filename (relative + to the directory statement above) where + named should write a copy of the + zonefile for this zone after successfully transferring it from + the master server. This is why we needed to change the ownership + of the directory slave to bind + in the setup stages above. 
+ + + + After completing the steps above, either reboot your server or + restart &man.syslogd.8 and start &man.named.8, making sure to use the + new options specified in syslogd_flags and + named_flags. You should now be running a sandboxed + copy of named! - - To access it over the network, the machine must have the - name server's IP address set properly in its own name server - configuration options. - >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
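Review bot: the first hunk (@@ -131,10 +131,10 @@) only re-indents the "loopback device" indexterm lines and changes no wording, which has nothing to do with the chroot section this PR is about; drop it from this patch, or commit the whitespace cleanup separately so the substantive change stays easy to review.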
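Review bot: the author block hunk (@@ -4150,8 +4150,9 @@) replaces `Mike Makonnen` with `Ceri Davies` outright, so the original contributor's credit disappears even though the section is a rewrite of his text rather than a new one; keep the existing author entry and add the new one alongside it.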
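Review bot: in the main hunk (@@ -4166,105 +4167,199 @@) the zone files the setup commands create do not match the filenames the example named.conf loads: `sh make-localhost && mv localhost.rev master` produces master/localhost.rev, but the reverse zone is declared with `file "master/named.loopback";`, and `cat > named.localhost` runs with the working directory still at /etc/namedb, so that file lands in /etc/namedb rather than in master/ where `file "master/named.localhost";` expects it. Either write the heredoc to master/named.localhost and rename localhost.rev to named.loopback, or change the two file statements to match; as written, a reader following the steps literally gets a named that cannot load its localhost zones. Two markup problems in the same hunk: `&man.syslogd.8` and `&man.named.8` in the closing paragraph lack the terminating `;` and will break the SGML build, and the path `/etc/namedb/etc/named.conf/` carries a stray trailing slash while the preceding "i.e. in the line above" has lost the filename it is meant to reference, and the "(recall that this is equivalent to a normal user's /etc/namedb." sentence is missing its closing parenthesis.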