From: "Patrick O'Reilly"
Reply-To: bsd@perimeter.co.za
Organization: Perimeter Networks CC
To: Steve Wingate, sroberts@dsl.pipex.com
Cc: Ruben de Groot, FreeBSD-Questions
Subject: Re: [Fwd: RE: Cannot start bind in sandbox?]
Date: Sun, 14 Jul 2002 21:19:41 +0200
Message-Id: <200207142119.41417.bsd@perimeter.co.za>
In-Reply-To: <1026666796.77988.11.camel@daemon.velosystems.net>

On Sunday 14 July 2002 19:13, Steve Wingate wrote:
> If you're reading this link for sandboxing BIND this is as standard
> as it gets.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/dns.html
>
> From what I've read from you it appears you haven't done everything
> these steps tell you to do.

I must concur with Steve. Just yesterday I set up bind in its own little sandbox.
I did it by following the instructions in the link Steve quoted above. It works
just fine!

OK - I stumbled over one tiny problem. When building the statically linked
'named-xfer', the Handbook concludes with:

============
# cp named-xfer /etc/namedb/bin && chmod 555 /etc/namedb/bin/named-xfer
============

But the newly built 'named-xfer' is not in the current directory. A tiny bit of
lateral thinking prompted me to look in /usr/obj`pwd` - and there it was - nice
and fresh!

I actually built myself a script as I went along, because I intend doing this
again in future without always reading the manual. It's brand new, so please
forgive the rough edges. And I have changed a couple of things to suit my
personal taste and setup.

Here's my script: (Beware line wrap in the mailer)

============================
#!/usr/local/bin/bash
# Stop at the first failed step (e.g. a cd into a missing source tree) rather
# than carrying on and running 'make clean all' in the wrong directory.
set -e

cd /etc/namedb
mkdir -p usr/libexec dev etc var/tmp var/run master slave
# Only the slave zones and var/ are writable by the bind user; everything else stays root-owned
chown bind:bind slave var/*
cp /etc/localtime etc

# Keep the real named.conf under the sandbox's etc/ and leave a symlink in its old place.
# Braces are needed: without them "a || b && c" would run the ln every time.
[ -L named.conf ] || { mv named.conf etc && ln -sf etc/named.conf named.conf; }
[ -f named.root ] && mv named.root master/FWD_root

# I'm not interested in ipv6, so I dump it
sh make-localhost && mv localhost.rev master/REV_localhost && rm localhost-v6.rev

# Quoted heredoc: $ORIGIN and $TTL must reach the zone file literally,
# not be expanded (to nothing) by the shell as they would inside "..."
cat > master/FWD_localhost <<'EOF'
$ORIGIN localhost.
$TTL 6h
@	IN	SOA	localhost. postmaster.localhost. (
			1	; serial
			3600	; refresh
			1800	; retry
			604800	; expiration
			3600 )	; minimum
	IN	NS	localhost.
	IN	A	127.0.0.1
EOF

# Static named-xfer, so it needs no shared libraries inside the sandbox
cd /usr/src/lib/libisc && make clean all
cd /usr/src/lib/libbind && make clean all
cd /usr/src/libexec/named-xfer && make NOSHARED=yes clean all
# The build lands under /usr/obj, not in the source directory
cp /usr/obj/usr/src/libexec/named-xfer/named-xfer /etc/namedb/usr/libexec \
    && chmod 555 /etc/namedb/usr/libexec/named-xfer

cd /etc/namedb
if [ ! -c dev/null ]
then
    cd /etc/namedb/dev
    mknod null c 2 2
    chmod 666 null
    cd /etc/namedb
fi
[ -L /var/run/ndc ] || ln -sf /etc/namedb/var/run/ndc /var/run/ndc

echo "
# These three lines added by ${0}
# named_enable=\"YES\"
# named_flags=\"-u bind -g bind -t /etc/namedb /etc/named.conf\"
# syslogd_flags=\"-ss -l /etc/namedb/dev/log\"
" >> /etc/rc.conf

echo "
*** Remember to edit /etc/rc.conf and sort out the three lines I've added! ***
"
============================

HTH :)

--
Regards,
Patrick O'Reilly.
Perimeter Networks CC.
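Once a tree like the /etc/namedb sandbox above is built, the check a practitioner wants is whether it is actually self-contained and whether the bind user could rewrite anything named will later trust. The POSIX sh function below is an added example written for this page; it is not part of Patrick's script or of the FreeBSD Handbook. The finding messages, the treatment of var/ as the only subtree the service user may write to, and the assumption that paths inside the chroot contain no whitespace are mine.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeBSD Handbook):
# sanity-check a BIND chroot such as the /etc/namedb tree built above.
# Usage: check_named_sandbox ROOT [SERVICE_USER]
# Prints one finding per line; the exit status is the number of findings.
# Assumptions: var/ is the only subtree the service user may write to, and
# paths inside ROOT contain no whitespace.
check_named_sandbox() {
    root=$(cd "$1" && pwd -P) || return 1   # normalise so symlinked dirs compare equal
    owner=$2
    n=0
    fail() { echo "$1"; n=$((n + 1)); }

    # 1. What named needs once it has chrooted: config, a null device,
    #    the pid/ndc directory and the zone directories.
    for p in etc/named.conf dev/null var/run master slave; do
        [ -e "$root/$p" ] || fail "missing: $p"
    done
    if [ -e "$root/dev/null" ] && [ ! -c "$root/dev/null" ]; then
        fail "dev/null is not a character device (needs mknod, not a plain file)"
    fi

    # 2. Symlinks are followed by the chrooted process, so an absolute target
    #    means ROOT/target, and a relative one must stay below ROOT.  A link
    #    that works from outside (ln -s /etc/named.conf ...) dangles inside.
    for l in $(find "$root" -type l); do
        target=$(readlink "$l")
        case $target in
            /*)
                [ -e "$root$target" ] || fail "dangling in chroot: ${l#$root} -> $target"
                ;;
            *)
                dir=$(cd "$(dirname "$l")" && cd "$(dirname "$target")" 2>/dev/null && pwd -P) || dir=""
                case $dir in
                    "$root"|"$root"/*) ;;
                    *) fail "escapes or dangles: ${l#$root} -> $target" ;;
                esac
                ;;
        esac
    done

    # 3. Outside var/ nothing may be writable by the world or by the service
    #    user: a compromised named must not be able to rewrite its own config,
    #    the master zones or the static named-xfer binary it will exec.
    for f in $(find "$root" -type f -perm -0002 ! -path "$root/var/*"); do
        fail "world-writable outside var/: ${f#$root}"
    done
    if [ -n "$owner" ]; then
        for f in $(find "$root" -type f -user "$owner" ! -path "$root/var/*"); do
            fail "owned by $owner outside var/: ${f#$root}"
        done
    fi
    return $n
}
```

On the box itself this is run as `check_named_sandbox /etc/namedb bind`; a clean tree prints nothing and exits 0. The absolute-symlink check is the one that catches the common mistake of linking with a full path from the host's view of the filesystem, and the ownership check is why the script above chowns only slave/ and var/ to bind.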