From: "Brian F. Feldman"
To: Matt Dillon
Cc: "Andrey A. Chernov", Brian Somers, Jun Kuriyama, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf
Date: Thu, 23 Aug 2001 13:07:38 -0400
Message-Id: <200108231707.f7NH7dG14247@green.bikeshed.org>
In-Reply-To: Your message of "Thu, 23 Aug 2001 09:45:34 PDT." <200108231645.f7NGjYe86993@earth.backplane.com>

Matt Dillon wrote:
> I like the idea of, finally, invoking named in a sandbox. I don't
> understand why the pidfile location has to change, though. named
> creates its pidfile as root before it setuid's itself.
>
> While it is true that named cannot rescan interfaces when operating
> in this mode, this restriction has never been an impediment to anything
> I've ever done with it. Most dialup users don't run named, they simply
> allow ppp to set up /etc/resolv.conf for them. Those who do will be savvy
> enough to add the appropriate override to /etc/rc.conf (or won't have to
> if they don't bother to mergemaster the new default rc files).
>
> I know it isn't a perfect solution, but we *REALLY* need to secure
> named this time around. It is years past the time we should have done
> it.

For what it's worth, here's how I configure named on the computers I run.
Not that it's the best way, but it's definitely very reasonable for a
default if nothing else.

In rc.conf I use:

    syslogd_flags="-s -l /etc/namedb/var/run/log"   # Flags to syslogd (if enabled).
    named_flags="-u daemon -g daemon -t /etc/namedb -c named.conf"

named.conf:

    logging {
        channel to_syslog {
            syslog daemon;
        };
        category default { to_syslog; };
        category panic   { to_syslog; };
    };

    options {
        directory "/";      // chrooted into /etc/namedb
    };

/etc/namedb:
    -rw-r--r--  1 root    wheel    423 Feb 26  2000 PROTO.localhost.rev
    -rw-r--r--  1 root    wheel    457 Oct 13  2000 localhost.rev
    -rw-r--r--  1 root    wheel    843 Dec 10  2000 make-localhost
    -rw-r--r--  1 root    wheel   2647 Oct 21  1997 named.boot
    -rw-r--r--  1 root    wheel   3592 Mar 29 10:17 named.conf
    -rw-r--r--  1 root    wheel   2843 Feb 26  2000 named.root
    drwxr-xr-x  4 root    wheel    512 Nov 12  2000 var

/etc/namedb/var:
    total 2
    drwxr-xr-x  2 root    wheel    512 Nov 12  2000 log
    drwxr-xr-x  2 root    wheel    512 Aug 22 23:06 run

/etc/namedb/var/log:

/etc/namedb/var/run:
    total 1
    srw-rw-rw-  1 root    wheel      0 Aug 22 23:06 log
    -rw-r--r--  1 daemon  daemon     4 Aug 22 23:06 named.pid
    srw-------  1 root    wheel      0 Aug 22 23:06 ndc

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
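As an added example (my own code, not from the mail above and not from FreeBSD's rc scripts), here is a POSIX sh check that parses a named_flags value of the form shown in the mail and verifies that the chroot layout has what a sandboxed named needs. It assumes the BIND 8 flag meanings used in the mail (-u user, -g group, -t chroot directory, -c config file), that the -c path is resolved relative to the chroot root, and the var/run and var/log directories of the listing; make_named_chroot builds a constructed copy of that layout so the check can be run without touching /etc/namedb.

```sh
#!/bin/sh
# Added example, not from the mail: sanity-check a named chroot layout
# like the /etc/namedb one above. Assumes BIND 8 style flags
# (-u user, -g group, -t chroot dir, -c config) and a config path
# given relative to the chroot root.

# Print "user group root config" parsed from a named_flags value,
# using "-" for anything not given.
parse_named_flags() {
  user=-; group=-; root=-; conf=named.conf
  OPTIND=1
  # shellcheck disable=SC2086  # word-split the flags string on purpose
  set -- $1
  while getopts 'u:g:t:c:' opt; do
    case "$opt" in
      u) user=$OPTARG ;;
      g) group=$OPTARG ;;
      t) root=$OPTARG ;;
      c) conf=$OPTARG ;;
      *) return 2 ;;
    esac
  done
  printf '%s %s %s %s\n' "$user" "$group" "$root" "$conf"
}

# Return 0 if the flags describe a usable sandbox and the on-disk layout
# has what named needs; print each problem found and return 1 otherwise.
check_named_sandbox() {
  parsed=$(parse_named_flags "$1") || return 1
  # shellcheck disable=SC2086
  set -- $parsed
  user=$1 root=$3 conf=$4
  status=0
  if [ "$user" = - ]; then
    echo "no -u: named keeps running as the user that started it (root at boot)"
    status=1
  fi
  if [ "$root" = - ]; then
    echo "no -t: named would not be chrooted at all"
    return 1
  fi
  [ -d "$root" ] || { echo "chroot dir $root missing"; return 1; }
  [ -f "$root/$conf" ] || { echo "config $conf missing inside $root"; status=1; }
  # named keeps its pidfile under var/run and syslogd -l puts its socket
  # there; var/log is where the mail's layout keeps logs.
  for d in var/run var/log; do
    [ -d "$root/$d" ] || { echo "$root/$d missing"; status=1; }
  done
  # Nothing inside the jail should be world-writable: the point of -u/-t is
  # that a compromised named cannot rewrite its own config or zone files.
  # Sockets (the syslog socket is srw-rw-rw- in the listing) are skipped.
  bad=$(find "$root" \( -type f -o -type d \) -perm -002)
  if [ -n "$bad" ]; then
    echo "world-writable entries in sandbox:"
    echo "$bad"
    status=1
  fi
  return $status
}

# Build a constructed copy of the mail's layout under $1 for a dry run.
make_named_chroot() {
  mkdir -p "$1/var/log" "$1/var/run"
  : > "$1/named.conf"
  chmod 0755 "$1" "$1/var" "$1/var/log" "$1/var/run"
  chmod 0644 "$1/named.conf"
}
```

After editing rc.conf, run check_named_sandbox "$named_flags" against the real /etc/namedb. The world-writable scan is the part worth keeping around: the sandbox only buys something if the unprivileged named user cannot modify the files it is later asked to load.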