From owner-freebsd-bugs Tue Oct 26 2:35:22 1999
Delivered-To: freebsd-bugs@freebsd.org
Date: Tue, 26 Oct 1999 05:35:13 -0400 (EDT)
From: Kyle Amon <amonk@gnutec.com>
To: crowland@psionic.com
Subject: chroot'ing named

Craig,

Here is some more fodder for your 'Securing DNS' page. Attached is a small script that performs the major steps to chroot'ing named under FreeBSD. Assuming the user isn't completely ignorant on the matter, it pretty much handles everything needed. I wrote it recently when setting up four new nameservers for an ISP and wanted them to all be consistently secure. Anyway, it sure made my life easier. :-) Pass it around as you like.

Also, FYI, in Step 5, number 2) of your Securing DNS (OpenBSD/FreeBSD Version) page, it says that as of BIND 8.2.x one no longer needs to edit the ndc script. While this is true, you might want to mention that in order to have the new ndc binary work in a chrooted environment, one needs to change the path to the ndc socket so that it points to the correct location in the jail and recompile ndc, or it still won't work.
This script takes care of that as well.

One more thing. This script presumes the use of (something like) dump-file "/var/tmp/named_dump.db"; in the global options section of named.conf in order to make the SIGFOOs work as expected.

Later,
Kyle

Kyle Amon
email: amonk@gnutec.com
url: http://www.gnutec.com/~amonk
KeyID 1024/26DD13D9
Fingerprint = 7D 86 D1 AE 4B E9 91 6A 4B BC B5 B4 12 F0 D3 1A

"If it is true that users would rather spend money and get a product with service, they will also be willing to buy the service having got the product free. The service companies will compete in quality and price; users will not be tied to any particular one. Meanwhile, those of us who don't need the service should be able to use the program without paying for the service."
- Richard Stallman, The GNU Manifesto, 1985

Petition to Microsoft Corporation for Open Source Consumer Windows!
http://www.linuxresources.com/linuxreview/petition.html

---- attachment: chroot-bind (text/plain, decoded from base64) ----

#!/bin/sh
#
# Kyle Amon
# GNUTEC Information Technology Solutions
# http://www.gnutec.com/
# amonk@gnutec.com
# 203-668-UNIX
#
# Automate the steps necessary to set up BIND in a chroot(2) jail on
# FreeBSD 3.3 systems.

# Stop at the first failed command; a half-built jail is worse than none.
set -e

#
# What the hell, a little sanity
#

if [ "`uname -sr`" != "FreeBSD 3.3-RELEASE" ] ; then
   echo "Whoa! This script was written for FreeBSD 3.3 and your system"
   echo "appears to be `uname -sr`.  Before running it, make sure"
   echo "it will behave as expected on your system or you may be sorry."
   echo "Just edit the script as needed.  Improve it if you like."
   exit 1
fi

# named is started as user/group bind (see named_flags below), so the
# account must exist before anything is chowned to it.
if ! pw usershow bind >/dev/null 2>&1 || ! pw groupshow bind >/dev/null 2>&1 ; then
   echo "No 'bind' user and group on this system; create them first."
   exit 1
fi

#
# Make static binaries
#
# There are no shared libraries inside the jail, so named and named-xfer
# are relinked with -static.  ndc is rebuilt with its control socket
# path pointing at where the socket will really live inside the jail
# (/var/run/ndc as seen by the chrooted named).

cd /usr/ports/net/bind8
make install
rm -f work/src/bin/named/named
rm -f work/src/bin/named-xfer/named-xfer
rm -f work/src/bin/ndc/ndc
rm -f work/src/bin/ndc/ndc.o
# Edit inside the root-owned work tree rather than via a predictable
# file name in /tmp.
sed 's/CDEBUG=-O2/CDEBUG=-O2 -static/g' work/src/.settings > work/src/.settings.tmp
mv work/src/.settings.tmp work/src/.settings
sed 's/\/var\/run\/ndc/\/etc\/namedb\/var\/run\/ndc/g' work/src/bin/ndc/pathnames.h > work/src/bin/ndc/pathnames.h.tmp
mv work/src/bin/ndc/pathnames.h.tmp work/src/bin/ndc/pathnames.h
cd work/src
make

#
# Create chroot jail
#
# Directories are root:bind with the setgid bit, so anything named
# creates lands in group bind.  Only the trees named must write to
# (secondary/stub zones, var/run, var/log, var/tmp) are group-writable.

chmod 2750 /etc/namedb

mkdir -p -m 2750 /etc/namedb/dev
mkdir -p -m 2750 /etc/namedb/etc
mkdir -p -m 2750 /etc/namedb/usr/local/libexec
mkdir -p -m 2770 /etc/namedb/var/run
mkdir -p -m 2770 /etc/namedb/var/log
mkdir -p -m 2770 /etc/namedb/var/tmp
mkdir -p -m 2750 /etc/namedb/pz
mkdir -p -m 2770 /etc/namedb/sz
mkdir -p -m 2770 /etc/namedb/stubz

# -m only applies to the last path component, so fix the intermediates.
chmod 2750 /etc/namedb/usr
chmod 2750 /etc/namedb/usr/local
chmod 2750 /etc/namedb/var
chown -R root:bind /etc/namedb

#
# Copy statically linked binaries into chroot jail
#

cd /usr/ports/net/bind8
cp work/src/bin/named/named /etc/namedb
cp work/src/bin/named-xfer/named-xfer /etc/namedb/usr/local/libexec
cp work/src/bin/ndc/ndc /usr/local/sbin/ndc

#
# Copy/create remaining files necessary for the chroot jail
#

cp /etc/localtime /etc/namedb/etc
# /dev/null is character device 2,2 on FreeBSD 3.x; it is the only
# device node the jail needs.
[ -c /etc/namedb/dev/null ] || mknod /etc/namedb/dev/null c 2 2
chmod 666 /etc/namedb/dev/null

#
# Massage initialization files into shape
#
# syslogd -l opens an extra log socket inside the jail so the chrooted
# named can still reach syslog; -ss keeps syslogd off the network.
# The block is only appended once so the script can be re-run.

rc=/etc/rc.conf
if grep -q 'generated with chroot-bind' $rc ; then
   echo "$rc already carries the chroot-bind settings, leaving it alone."
else
   echo "" >> $rc
   echo "# -- generated with chroot-bind for FreeBSD  -- #" >> $rc
   echo "# -- by Kyle Amon                              -- #" >> $rc
   echo "# -- GNUTEC Information Technology Solutions -- #" >> $rc
   echo "# -- http://www.gnutec.com/                  -- #" >> $rc
   echo "# -- amonk@gnutec.com                        -- #" >> $rc
   echo "# -- 203-668-UNIX                            -- #" >> $rc
   echo 'named_enable="YES"' >> $rc
   echo 'named_program="/etc/namedb/named"' >> $rc
   echo 'named_flags="-t /etc/namedb -u bind -g bind named.conf"' >> $rc
   echo 'syslogd_flags="-ss -l /etc/namedb/dev/log"' >> $rc
   echo "" >> $rc
fi

#
# Disable original named
#

chmod 000 /usr/sbin/named
chmod 000 /usr/local/sbin/named
chmod 000 /usr/sbin/ndc

---- end of attachment ----
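Before starting the chrooted daemon, it is worth auditing the jail the script built: a world-writable file, a setuid binary or a stray device node inside /etc/namedb hands anyone who gets code execution as user bind a way to persist or escape. The following POSIX sh audit is an added example written for this page; it is not part of Kyle Amon's script or of the FreeBSD port. The path names it checks (named, usr/local/libexec/named-xfer, etc/localtime, the dev/ pz/ sz/ stubz/ var/ tree) are the defaults the script above uses; make_sample_jail builds a throwaway tree of empty placeholder files purely so the audit can be exercised without a real FreeBSD host, and it deliberately does not create dev/null (that needs root), so the audit only flags device nodes other than dev/null rather than requiring its presence.

```shell
#!/bin/sh
# Audit a BIND 8 chroot jail laid out the way chroot-bind lays it out.
# Added example, not part of the original script.  Paths are the script's
# defaults; the sample jail below is constructed for demonstration only.

# audit_jail JAILROOT
#   Prints one line per finding.  Returns 0 if the jail looks clean,
#   1 if anything was found.
audit_jail() {
    jail=$1
    findings=0

    # 1. Everything named expects to find after chroot(2) must be present.
    for p in dev etc usr/local/libexec var/run var/log var/tmp pz sz stubz \
             named usr/local/libexec/named-xfer etc/localtime; do
        if [ ! -e "$jail/$p" ]; then
            echo "missing: $jail/$p"
            findings=$((findings + 1))
        fi
    done

    # 2. Nothing in the jail may be world-writable.  named runs as bind, so a
    #    writable file is a foothold for anyone who owns the daemon.  The only
    #    legitimate exceptions are the dev/null node and the dev/log socket.
    ww=$(find "$jail" ! -type c ! -type s -perm -002 2>/dev/null)
    if [ -n "$ww" ]; then
        echo "world-writable:"
        echo "$ww"
        findings=$((findings + 1))
    fi

    # 3. No setuid/setgid executables.  The setgid bit belongs on the
    #    directories (2750/2770), never on a file inside the jail.
    sg=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$sg" ]; then
        echo "setuid/setgid files:"
        echo "$sg"
        findings=$((findings + 1))
    fi

    # 4. dev/null is the only device node a resolver needs; a disk, /dev/mem
    #    or a tty inside the jail is a way out of it.
    dv=$(find "$jail" \( -type b -o -type c \) ! -path "$jail/dev/null" 2>/dev/null)
    if [ -n "$dv" ]; then
        echo "unexpected device nodes:"
        echo "$dv"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# make_sample_jail good|bad
#   Builds a constructed jail tree under mktemp -d and prints its path.
#   "bad" plants the two mistakes a hurried admin makes most often.
make_sample_jail() {
    umask 022
    j=$(mktemp -d) || return 1
    for d in dev etc usr/local/libexec var/run var/log var/tmp pz sz stubz; do
        mkdir -p "$j/$d"
    done
    : > "$j/named";                        chmod 755 "$j/named"
    : > "$j/usr/local/libexec/named-xfer"; chmod 755 "$j/usr/local/libexec/named-xfer"
    : > "$j/etc/localtime"
    if [ "$1" = bad ]; then
        chmod 777 "$j/var/tmp"     # world-writable scratch directory
        chmod 4755 "$j/named"      # setuid daemon binary
    fi
    echo "$j"
}

# Stand-alone run: audit one constructed good jail and one constructed bad one.
# On a real host, run:  audit_jail /etc/namedb
if [ "${CHROOT_AUDIT_DEMO:-1}" = 1 ]; then
    for kind in good bad; do
        j=$(make_sample_jail "$kind")
        if audit_jail "$j"; then echo "$kind jail: clean"; else echo "$kind jail: FINDINGS"; fi
        rm -rf "$j"
    done
fi
```

On the real box, point audit_jail at /etc/namedb after the script has run and before `ndc start`; the setgid bits on the jail's directories are intentional and are not reported, only setuid/setgid regular files are.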