From: Matthew Seaman
To: Robert Fitzpatrick
Cc: FreeBSD
Date: Wed, 21 Jan 2004 00:06:10 +0000
Subject: Re: BIND in chroot jail
Message-ID: <20040121000610.GC70864@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <1074636256.2504.24.camel@columbus>

On Tue, Jan 20, 2004 at 05:04:16PM -0500, Robert Fitzpatrick wrote:
> I see the bind user is defined as BIND Sandbox, does this mean the
> default port install of bind9 sets bind up in a chroot jail?

No -- all that means is that named(8) runs as a non-privileged user by
default.

However, running Bind9 in a chroot jail is really quite easy. First of
all, with Bind9, there's no need to install the software under the
chroot path. Just install the Bind9 port as normal. Add the following
(mutatis mutandis) to your /etc/rc.conf to make named(8) from Bind9
start up and chroot itself:

    named_enable="YES"
    named_flags="-c /etc/namedb/named.conf -u bind -t /var/named"
    named_program="/usr/local/sbin/named"

That chroots named(8) under /var/named -- so the named.conf file
referred to is actually /var/named/etc/named/named.conf -- you'll also
want a named.root file in /var/named/etc/namedb which you can copy from
/etc/namedb.

Now set up the chroot area. You need to create directories:

    drwxr-xr-x  root  wheel  /var/named
    drwxr-xr-x  root  wheel  /var/named/var
    drwxr-xr-x  bind  bind   /var/named/var/run
    drwxr-xr-x  root  wheel  /var/named/etc
    drwxr-xr-x  root  wheel  /var/named/etc/namedb
    drwxr-xr-x  root  wheel  /var/named/etc/namedb/p      [Optional]
    drwxr-xr-x  bind  bind   /var/named/etc/namedb/s      [Optional]
    drwxr-xr-x  bind  bind   /var/named/etc/namedb/dump   [Optional]
    drwxr-xr-x  root  wheel  /var/named/dev

The directories I've marked optional are set up in my named.conf as the
locations for: 'p' -- zone files which this is the master for, 's' --
zone files this server is a secondary for and 'dump' -- the default
location to dump named cache and statistics.

Copy the configuration files previously mentioned into place in
/var/named/etc/namedb. Additionally you will need to:

    cp /etc/localtime /var/named/etc/localtime

and you will need to set up the following character devices:

    -r-xr-xr-x  1 root  wheel  44235 Sep 25  2002 MAKEDEV*   [FBSD 4.x only]
    crw-rw-rw-  1 root  wheel   2,   2 Sep 25  2002 null
    crw-r--r--  1 root  wheel   2,   3 Sep 25  2002 random
    crw-rw-rw-  1 root  wheel  22,   2 Sep 25  2002 stderr
    crw-rw-rw-  1 root  wheel  22,   0 Sep 25  2002 stdin
    crw-rw-rw-  1 root  wheel  22,   1 Sep 25  2002 stdout
    crw-rw-rw-  1 root  wheel   1,   0 Sep 25  2002 tty
    crw-r--r--  1 root  wheel   2,   4 Sep 25  2002 urandom
    crw-rw-rw-  1 root  wheel   2,  12 Sep 25  2002 zero

Use MAKEDEV to do that under FreeBSD 4.x (copy the original from
/dev/MAKEDEV). Under FreeBSD 5.x, set these devices up by editing
/etc/devd.conf -- see devd.conf(5).

Finally, if you want to log named(8) events via syslogd(8), you will
need to add to /etc/rc.conf:

    syslogd_flags="-ss -l /var/named/var/run/log"

and that is really just about it, bar the usual chores of editing
named.conf(5) and maintaining the various DNS zone data files.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
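As an added example (not part of Matthew's mail), a POSIX sh script that creates the chroot directory tree listed above with the stated modes and owners, then audits an existing tree for missing directories or wrong modes. The helper names, the ROOT argument and the warning-only behaviour of chown when not running as root are my assumptions.

```shell
#!/bin/sh
# Added example: build and audit the named(8) chroot layout from the mail.
# Format of each entry: relative-path=owner:group (ownership as in the mail).
set -u

NAMED_CHROOT_DIRS='.=root:wheel var=root:wheel var/run=bind:bind etc=root:wheel
etc/namedb=root:wheel etc/namedb/p=root:wheel etc/namedb/s=bind:bind
etc/namedb/dump=bind:bind dev=root:wheel'

# make_named_chroot ROOT: create every directory with mode 0755.
# chown only succeeds as root (and only where the bind/wheel ids exist),
# so a failed chown is reported as a warning rather than aborting the run.
make_named_chroot() {
    root=$1
    for entry in $NAMED_CHROOT_DIRS; do
        d="$root/${entry%%=*}"
        owner="${entry#*=}"
        mkdir -p "$d" && chmod 0755 "$d" || return 1
        chown "$owner" "$d" 2>/dev/null \
            || echo "warning: could not chown $d to $owner" >&2
    done
}

# check_named_chroot ROOT: print each missing directory or directory whose
# mode is not exactly 0755; return the number of problems (0 = layout ok).
check_named_chroot() {
    root=$1
    problems=0
    for entry in $NAMED_CHROOT_DIRS; do
        d="$root/${entry%%=*}"
        if [ ! -d "$d" ]; then
            echo "missing: $d"
            problems=$((problems + 1))
        elif [ -z "$(find "$d" -maxdepth 0 -perm 0755 2>/dev/null)" ]; then
            echo "mode not 0755: $d"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Run `make_named_chroot /var/named` as root on the real system; `check_named_chroot /var/named` can be run from cron to catch a directory that has drifted from the layout.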