From owner-freebsd-questions Fri Jan 24 5:18:35 2003 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B8ACF37B401 for ; Fri, 24 Jan 2003 05:18:28 -0800 (PST) Received: from hermes.pressenter.com (hermes.pressenter.com [209.224.20.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id EEF7543F18 for ; Fri, 24 Jan 2003 05:18:22 -0800 (PST) (envelope-from nospam@hiltonbsd.com) Received: from [209.100.171.119] (helo=daggar.sbgnet.net) by hermes.pressenter.com with smtp (Exim 3.16 #1) id 18c3im-0007nZ-00; Fri, 24 Jan 2003 07:18:14 -0600 Date: Fri, 24 Jan 2003 07:17:36 -0600 From: Stephen Hilton To: freebsd-questions@FreeBSD.ORG Cc: stanb@awod.com Subject: Re: How to cleanly remove bind before using bind9 Message-Id: <20030124071736.279f81e5.nospam@hiltonbsd.com> In-Reply-To: <20030124102644.GA23225@teddy.fas.com> References: <20030123232922.GA12051@teddy.fas.com> <20030123205008.0927e1c4.nospam@hiltonbsd.com> <20030124102644.GA23225@teddy.fas.com> X-Mailer: Sylpheed version 0.8.8 (GTK+ 1.2.10; i386-portbld-freebsd4.7) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Fri, 24 Jan 2003 05:26:44 -0500 stan wrote: > On Thu, Jan 23, 2003 at 08:50:08PM -0600, Stephen Hilton wrote: > > On Thu, 23 Jan 2003 18:29:22 -0500 > > stan wrote: > > > > > I want to use bind 9 from the ports tree. I see how to prevent the bundled > > > bind from being built the next time I make world, and I see how to change > > > the init files et all to use the ports bind9. > > > > > > What I _don't_ see (and I'm certain it's just my lack of knowledge here), > > > is a clean way to remove all teh traces of the existing bersion of bind > > > which was built the last time I did a make world. > > > > > > Could someone enlighten me? > > > > Stan, > > > > These files would be the most important ones to rename/remove: > > > > /usr/bin/dig > > /usr/bin/dnsquery > > /usr/bin/host > > /usr/bin/dnskeygen > > /usr/libexec/named-xfer > > /usr/sbin/named > > /usr/sbin/ndc > > /usr/sbin/nslookup > > /usr/sbin/nsupdate > > > Thanks, that's helpful. > > I was hopin thta I would be able to go somewhere in the source tree, and do > something like "make deinstll". But this list will let me do it by hand. > > Thanks, again. Stan, Thanks for the thank you, :-) One thing that I have not resolved is the issue with man pages. The Bind 9 docs are in HTML so that should be your main reference. /usr/local/share/doc/bind9/arm/Bv9ARM.html Also a very good idea is to run Bind 9 chroot , my /etc/rc.conf entry looks like this: named_flags="-u bind -t /var/chroot/named" # Flags for chrooted named And then this link should help with basic setup (the file list I provided is more up2date, the email is old so some files locations to rename/remove have changed for FreeBSD 4.7) http://groups.google.com/groups?q=chroot+bind+group:mailing.freebsd.*&start=10&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=aadvma%24ngg%241%40FreeBSD.csie.NCTU.edu.tw&rnum=12 ---------------------------snip------------------------------- CHROOT OVERVIEW What chroot essentially does is to create a "fake root" directory - from the perspective of the daemon, the whole file system is rooted at this "chroot" directory. Therefore the only files/directories the daemon can see, are those located within this directory. (In some ways this is not unlike the view of the filesystem given to ftp users when the default "ftp root" of an ftp server is set to something other than the "real" root directory.) FREEBSD DETAILS On FreeBSD, the default location for Bind's configuration files is /etc/namedb. Sometimes we also use a subdirectory /etc/namedb/s, this is used to create a "sandbox", which limits some of the access the named daemon has but not nearly as securely as using chroot. Bind9 now has a special feature which makes it a little easier to chroot, among other things eliminating the need to place shared libraries and other executables in the "chroot jail". Since Bind already exists in the base FreeBSD system, for thoroughness we should consider renaming the existing files in order to minimize confusion and mixed versions. Here is a list of files to consider renaming or removing: /usr/bin/dig /usr/bin/dnsquery /usr/bin/host /usr/libexec/dnskeygen /usr/libexec/named-xfer /usr/sbin/named /usr/sbin/ndc /usr/sbin/nslookup /usr/sbin/nsupdate For those who regularly rebuild their system from source, once you've installed an independent version of Bind it's best to configure your system to no longer build the version in the base system. This is done by adding the following entry to /etc/make.conf (if this file doesn't exist, just create it and add the following line - like rc.conf it only contains items which override default settings): NO_BIND= true We will move our configuration and other necessary files to /var/chroot/named, which will allow us to create logfiles within the chroot jail without filling up ie the / filesystem. Create the necessary directories and permissions: mkdir /var/chroot mkdir /var/chroot/named chown bind.bind /var/chroot/named chmod 750 /var/chroot/named cd /var/chroot/named mkdir etc mkdir etc/namedb mkdir var mkdir dev Create the special files and set permissions: cp -p /etc/localtime /var/chroot/named/etc cp -p /etc/syslog.conf /var/chroot/named/etc cd /var/chroot/named/dev mknod zero c 2 12 chmod 666 zero mknod random c 2 4 chmod 644 random mknod null c 2 2 chmod 666 null Create a chrooted syslog socket by adding or editing syslog parameters in /etc/rc.conf thusly: syslogd_flags="-s -l /var/chroot/named/dev/log" Build the distribution: - Extract the distribution into a suitable directory (I use /usr/local/src) - run ./configure and customize the destination paths if necessary. ./configure --sysconfdir=/etc/namedb Bear in mind that the "sysconfdir" is from the perspective of the chrooted daemon - thus make sure it is *relative* to the chrooted directory. Actually if you create a directory structure in the chrooted directory which is identical to the normal one as seen from /, you can leave all the path declarations at their defaults. I just chose to emulate the default named.conf location in FreeBSD. In my case the build process did not put any default files in /var/chroot/named/etc/namedb, so I copied the ones from the Bind8 installation in /etc/namedb: make-localhost, PROTO.localhost.rev, named.root. (make-localhost is used to create a localhost reverse zone) Setup rndc: rndc-confgen -a -t /var/chroot/named -u bind The above should create a rndc-key file under /etc and the chrooted configuration directory. Create rndc configuration strings: rndc-confgen >rndc.out Inside the file just created above are 2 clearly marked sections: one to place inside your named.conf file, and the other to form a new configuration file /etc/rndc.conf. If these files don't exist when Bind is started it will complain and exit. BIND9 CONFIGURATION DETAILS Most of Bind9 is similiar syntax-wise to Bind8, with a few notable exceptions. If you are customizing the logging parameters, bear in mind that Bind9 does not parse customized logging parameters immediately on startup. This means that regardless your customizations, startup messages will always go to the Bind default location. (syslog) Also the logging categories have changed, if you've customized the defaults don't forget to look at this. Check in section 6.2 of the Bind9 Administrators Reference Manual for complete details. Quick summary as of v9.2.0: Removed cname, db, eventlib, insists, load, maintenance, ncache, os, packet, panic, parser, response-checks, statistics New client, database, dispatch, dnssec, general, network, resolver, unmatched Remember that when you're running chrooted, logfiles need to be located somewhere under the chroot directory, and paths listed in named.conf are all relative to the chroot directory, not to the "real" root. Make sure the directories that Bind needs to write to (to backup zone files for secondary zones, and update the named.pid file) are writable to the user the daemon is running under. LAUNCHING THE DAEMON I prefer to stick with existing scripts so I can continue to use rc.conf to enable/disable Bind or modify launch parameters. To adapt it to our needs, make sure the following appears in rc.conf: named_enable="YES" named_program="/usr/local/sbin/named" named_flags="-u bind -t /var/chroot/named" (Bind9 has changed the meaning of the "-g" param, so make sure to remove it if it was there for Bind8. "-t" activates Bind9's special chroot feature.) Acknowledgements: Information on the necessary steps for this project was acquired from both ISC Bind documentation and certain posters on the comp.protocols.dns.bind newsgroup. In particular I want to acknowledge Will Yardley, Mark Andrews, Joseph Begumisa, "Exile" and Ralf Hildebrandt for his excellent piece on chrooting Bind on HP-UX 9/10 at http://www.stahl.bau.tu-bs.de/~hildeb/bind/. Bind9_FreeBSD_chroot.txt v0.9 2002-04-27 Phil Koenig ================================================= -- Philip J. Koenig pjklist@ekahuna.com Electric Kahuna Systems -- Computers & Communications for the New Millenium ---------------------------snip------------------------------- Regards, Stephen Hilton nospam@hiltonbsd.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message