Date:      Fri, 17 Aug 2001 14:28:00 +0300
From:      Odhiambo Washington <wash@wananchi.com>
To:        freebsd-questions@FreeBSD.org
Subject:   Re: chroot'ing named(8)
Message-ID:  <20010817142800.C4803@ns2.wananchi.com>
In-Reply-To: <20010817122110.A11537@rhadamanth>
References:  <20010817122110.A11537@rhadamanth>


* setantae <setantae@submonkey.net> [20010817 14:20]: writing on the subject 'chroot'ing named(8)'
setantae> 
setantae> I've been fighting with setting up named to run in a sandbox on FreeBSD
setantae> this morning and I've found that it's non-trivial on FreeBSD.
setantae> Yes, you can get there if you know which manpages to read, but I'm
setantae> thinking of new users here.
setantae> 
setantae> This is what I've had to do so far :
setantae> 
setantae> 1) /etc/namedb is not populated with var/run, var/tmp, dev/null by default.
setantae> 
setantae> 2) I have also had to add ``-l /etc/namedb/dev/log" to syslogd_flags - this
setantae>    isn't suggested in the Handbook.
setantae> 
setantae> 3) I've had to compile a static copy of named-xfer to install in /etc/namedb -
setantae>    this also is not documented in the Handbook (it's not even suggested that
setantae>    you'll need a copy in the sandbox).
setantae>    I'm also concerned that I'll need to do this now every time a change is
setantae>    made to the source tree in src/contrib/bind.
setantae> 
setantae> 4) I don't like the fact that it's in /etc by default.
setantae>    Assume I was secondarying several thousand zones - space on / is an issue.
setantae>    (Yes, I know I can change this).
setantae> 
setantae> I think at least that the Handbook needs to be looked at (I'm willing to do
setantae> this but it'll be in ascii as I'm still learning DocBook and will take a few
setantae> days as I have visitors this weekend).
setantae> 
setantae> Also, I think the entire issue of running named in a chroot environment needs
setantae> to be made easier - setting this up on OpenBSD _is_ trivial.
setantae> 
setantae> I feel I've only been able to get this successfully set up because I've done
setantae> it before on other systems - it would be good if this could be made easier in
setantae> the way that OpenBSD have achieved this.
setantae> I'm not necessarily suggesting that named is run in a chroot environment by
setantae> default, but setting it up to do so could be made a lot easier.
setantae> 
setantae> Any comments are welcome (even if they're just ``Stop moaning'').
setantae> 
setantae> Ceri

Hello Ceri,

I give you all my support on your suggestions even though I don't know how
easy it is to achieve the same on OpenBSD because I've never had the time
to try my hands on that OS.
However, I am sure some people here would suggest that you look at a
jailed named as a shortcut to all the steps you went through making it
run in a sandbox. I'll count myself lucky that I've not had an incident of
named being compromised even though I don't run it in a sandbox.



-Wash

--
Odhiambo Washington
Wananchi Online Ltd.,
wash@wananchi.com
Tel: 254 2 313985
Fax: 254 2 313922
1st Flr Loita Hse.
Loita Street.,
PO Box 10286,00100-NAIROBI,KE.

Follow effective action with quiet reflection. From the quiet reflection will
come even more effective action.
-James Levin
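The sandbox skeleton from Ceri's steps 1 to 3, as an added shell example that is not code from either poster: it creates var/run, var/tmp and dev under the sandbox root (default /etc/namedb, the path the post uses), reports what is still missing before named is started, and compares the static named-xfer copy against a reference build, which is the staleness worry in step 3. Only `syslogd_flags="-l /etc/namedb/dev/log"` comes from the post; the `named_flags` line with BIND 8's `-t` chroot option, the FreeBSD 4.x device numbers for dev/null, and the location of the named-xfer copy directly under the sandbox root are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds and checks the directory layout
# a chroot'ed BIND 8 named needs on FreeBSD, per the quoted steps.

# Step 1: create var/run, var/tmp and dev inside the sandbox root BASE.
named_sandbox_layout() {
    base=${1:-/etc/namedb}
    mkdir -p "$base/var/run" "$base/var/tmp" "$base/dev"
    # dev/null needs mknod, which needs root. Device numbers c 2 2 are the
    # FreeBSD 4.x values (assumption: confirm against your MAKEDEV first).
    if [ ! -c "$base/dev/null" ] && [ "$(id -u)" -eq 0 ]; then
        mknod "$base/dev/null" c 2 2 && chmod 666 "$base/dev/null" \
            || echo "mknod $base/dev/null failed" >&2
    fi
}

# Report what is still missing, one path per line; returns 1 if anything is.
named_sandbox_check() {
    base=${1:-/etc/namedb}
    missing=0
    for d in var/run var/tmp dev; do
        [ -d "$base/$d" ] || { echo "missing dir: $base/$d"; missing=1; }
    done
    [ -c "$base/dev/null" ] \
        || { echo "missing device: $base/dev/null (mknod as root)"; missing=1; }
    # Step 2: syslogd -l creates dev/log itself; if the socket is absent,
    # syslogd_flags is not set or syslogd has not been restarted.
    [ -S "$base/dev/log" ] \
        || { echo "missing socket: $base/dev/log (syslogd -l not active)"; missing=1; }
    # Step 3: the static named-xfer copy (assumed location: sandbox root).
    [ -x "$base/named-xfer" ] \
        || { echo "missing binary: $base/named-xfer (static copy)"; missing=1; }
    return $missing
}

# Step 3 follow-up: is the sandbox copy byte-identical to a reference build SRC?
# A mismatch means the copy went stale after src/contrib/bind changed.
named_xfer_is_current() {
    base=${1:-/etc/namedb}
    src=$2
    [ -f "$src" ] && [ -f "$base/named-xfer" ] && cmp -s "$src" "$base/named-xfer"
}

# rc.conf lines: syslogd_flags is the one the post gives; named_flags -t
# (BIND 8's chroot option) is an assumption about the rest of your rc.conf.
named_sandbox_rcconf() {
    base=${1:-/etc/namedb}
    printf 'syslogd_flags="-l %s/dev/log"\nnamed_flags="-t %s"\n' "$base" "$base"
}
```

Run `named_sandbox_layout` as root once, append the output of `named_sandbox_rcconf` to rc.conf, restart syslogd, and then `named_sandbox_check` should print nothing before named is started; run `named_xfer_is_current /etc/namedb /path/to/freshly/built/named-xfer` after each rebuild of the bind sources to catch the stale copy Ceri is worried about.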
