Date: Wed, 21 Jan 2004 00:06:10 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Robert Fitzpatrick <robert@webtent.com>
Cc: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: BIND in chroot jail
Message-ID: <20040121000610.GC70864@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <1074636256.2504.24.camel@columbus>
References: <1074636256.2504.24.camel@columbus>
On Tue, Jan 20, 2004 at 05:04:16PM -0500, Robert Fitzpatrick wrote:

> I see the bind user is defined as BIND Sandbox, does this mean the
> default port install of bind9 sets bind up in a chroot jail?

No -- all that means is that named(8) runs as a non-privileged user by default. However, running Bind9 in a chroot jail is really quite easy.

First of all, with Bind9, there's no need to install the software under the chroot path. Just install the Bind9 port as normal. Add the following (mutatis mutandis) to your /etc/rc.conf to make named(8) from Bind9 start up and chroot itself:

    named_enable="YES"
    named_flags="-c /etc/namedb/named.conf -u bind -t /var/named"
    named_program="/usr/local/sbin/named"

That chroots named(8) under /var/named -- so the named.conf file referred to is actually /var/named/etc/named/named.conf -- you'll also want a named.root file in /var/named/etc/namedb which you can copy from /etc/namedb.

Now set up the chroot area. You need to create directories:

    drwxr-xr-x root wheel /var/named
    drwxr-xr-x root wheel /var/named/var
    drwxr-xr-x bind bind /var/named/var/run
    drwxr-xr-x root wheel /var/named/etc
    drwxr-xr-x root wheel /var/named/etc/namedb
    drwxr-xr-x root wheel /var/named/etc/namedb/p      [Optional]
    drwxr-xr-x bind bind /var/named/etc/namedb/s       [Optional]
    drwxr-xr-x bind bind /var/named/etc/namedb/dump    [Optional]
    drwxr-xr-x root wheel /var/named/dev

The directories I've marked optional are set up in my named.conf as the locations for: 'p' -- zone files which this is the master for, 's' -- zone files this server is a secondary for and 'dump' -- the default location to dump named cache and statistics.

Copy the configuration files previously mentioned into place in /var/named/etc/namedb. Additionally you will need to:

    cp /etc/localtime /var/named/etc/localtime

and you will need to set up the following character devices:

    -r-xr-xr-x 1 root wheel 44235 Sep 25 2002 MAKEDEV*   [FBSD 4.x only]
    crw-rw-rw- 1 root wheel  2,  2 Sep 25 2002 null
    crw-r--r-- 1 root wheel  2,  3 Sep 25 2002 random
    crw-rw-rw- 1 root wheel 22,  2 Sep 25 2002 stderr
    crw-rw-rw- 1 root wheel 22,  0 Sep 25 2002 stdin
    crw-rw-rw- 1 root wheel 22,  1 Sep 25 2002 stdout
    crw-rw-rw- 1 root wheel  1,  0 Sep 25 2002 tty
    crw-r--r-- 1 root wheel  2,  4 Sep 25 2002 urandom
    crw-rw-rw- 1 root wheel  2, 12 Sep 25 2002 zero

Use MAKEDEV to do that under FreeBSD 4.x (copy the original from /dev/MAKEDEV). Under FreeBSD 5.x, set these devices up by editing /etc/devd.conf -- see devd.conf(5).

Finally, if you want to log named(8) events via syslogd(8), you will need to add to /etc/rc.conf:

    syslogd_flags="-ss -l /var/named/var/run/log"

and that is really just about it, bar the usual chores of editing named.conf(5) and maintaining the various DNS zone data files.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
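The chroot layout, rc.conf settings and device list from the message above, collected into a small POSIX shell script as an added example (not code from the original e-mail or from the FreeBSD port). It assumes the chroot root is passed as a parameter so the tree can be tried in a scratch directory, attempts chown only when run as root, and only reports which device nodes are still missing, since creating them is the MAKEDEV / devd.conf step the message describes.

```shell
#!/bin/sh
# Added example, not from the original message: create the chroot tree it
# describes, print the matching rc.conf lines, and report missing device nodes.
# "relative-path owner:group" for each directory in the message's listing
NAMED_CHROOT_DIRS="
. root:wheel
var root:wheel
var/run bind:bind
etc root:wheel
etc/namedb root:wheel
etc/namedb/p root:wheel
etc/namedb/s bind:bind
etc/namedb/dump bind:bind
dev root:wheel
"
# Character devices named(8) needs inside the jail (from the message's listing)
NAMED_CHROOT_DEVS="null random stderr stdin stdout tty urandom zero"

# setup_named_chroot ROOT: create the tree with mode 0755 and the listed owners;
# chown needs root (and the bind account), so it is skipped in a dry run.
setup_named_chroot() {
    root=$1
    while read -r rel owner; do
        [ -n "$rel" ] || continue
        mkdir -p "$root/$rel" && chmod 0755 "$root/$rel" || return 1
        if [ "$(id -u)" -eq 0 ]; then
            chown "$owner" "$root/$rel" || echo "warning: chown $owner $rel failed" >&2
        fi
    done <<EOF
$NAMED_CHROOT_DIRS
EOF
    # named(8) cannot see /etc/localtime once chrooted, so give the jail a copy
    [ -f /etc/localtime ] && cp /etc/localtime "$root/etc/localtime"
    return 0
}

# rc_conf_lines ROOT: rc.conf settings for named(8) and syslogd(8) with this root
rc_conf_lines() {
    printf 'named_enable="YES"\n'
    printf 'named_flags="-c /etc/namedb/named.conf -u bind -t %s"\n' "$1"
    printf 'named_program="/usr/local/sbin/named"\n'
    printf 'syslogd_flags="-ss -l %s/var/run/log"\n' "$1"
}

# missing_devs ROOT: list device nodes not yet present under ROOT/dev
# (create them with MAKEDEV on FreeBSD 4.x or via devd.conf on 5.x)
missing_devs() {
    for d in $NAMED_CHROOT_DEVS; do
        [ -c "$1/dev/$d" ] || echo "$d"
    done
}
```

Run `setup_named_chroot /var/named` as root on the real host, then append the output of `rc_conf_lines /var/named` to /etc/rc.conf and check that `missing_devs /var/named` prints nothing before starting named(8).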