Date: Fri, 17 Aug 2001 14:28:00 +0300
From: Odhiambo Washington <wash@wananchi.com>
To: freebsd-questions@FreeBSD.org
Subject: Re: chroot'ing named(8)
Message-ID: <20010817142800.C4803@ns2.wananchi.com>
In-Reply-To: <20010817122110.A11537@rhadamanth>
References: <20010817122110.A11537@rhadamanth>
* setantae <setantae@submonkey.net> [20010817 14:20]: writing on the subject 'chroot'ing named(8)'
setantae>
setantae> I've been fighting with setting up named to run in a sandbox on FreeBSD
setantae> this morning and I've found that it's non-trivial on FreeBSD.
setantae> Yes, you can get there if you know which manpages to read, but I'm
setantae> thinking of new users here.
setantae>
setantae> This is what I've had to do so far:
setantae>
setantae> 1) /etc/namedb is not populated with var/run, var/tmp, dev/null by default.
setantae>
setantae> 2) I have also had to add ``-l /etc/namedb/dev/log'' to syslogd_flags - this
setantae> isn't suggested in the Handbook.
setantae>
setantae> 3) I've had to compile a static copy of named-xfer to install in /etc/namedb -
setantae> this also is not documented in the Handbook (it's not even suggested that
setantae> you'll need a copy in the sandbox).
setantae> I'm also concerned that I'll need to do this now every time a change is
setantae> made to the source tree in src/contrib/bind.
setantae>
setantae> 4) I don't like the fact that it's in /etc by default.
setantae> Assume I was secondarying several thousand zones - space on / is an issue.
setantae> (Yes, I know I can change this).
setantae>
setantae> I think at least that the Handbook needs to be looked at (I'm willing to do
setantae> this but it'll be in ascii as I'm still learning DocBook and will take a few
setantae> days as I have visitors this weekend).
setantae>
setantae> Also, I think the entire issue of running named in a chroot environment needs
setantae> to be made easier - setting this up on OpenBSD _is_ trivial.
setantae>
setantae> I feel I've only been able to get this successfully set up because I've done
setantae> it before on other systems - it would be good if this could be made easier in
setantae> the way that OpenBSD have achieved this.
setantae> I'm not necessarily suggesting that named is run in a chroot environment by
setantae> default, but setting it up to do so could be made a lot easier.
setantae>
setantae> Any comments are welcome (even if they're just ``Stop moaning'').
setantae>
setantae> Ceri

Hello Ceri,

I give you all my support on your suggestions even though I don't know how
easy it is to achieve the same on OpenBSD because I've never had the time to
try my hands on that OS.

However, I am sure some people here would suggest that you look at a jail-ed
named as a short cut to all the steps you went through making it run in a
sandbox.

I'll count myself lucky that I've not had an incident of named being
compromised even though I don't run it in a sandbox.

-Wash

--
Odhiambo Washington                  Wananchi Online Ltd.,
wash@wananchi.com                    1st Flr Loita Hse.
Tel: 254 2 313985                    Loita Street.,
Fax: 254 2 313922                    PO Box 10286,00100-NAIROBI,KE.

Follow effective action with quiet reflection. From the quiet reflection will
come even more effective action.
    -James Levin
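The four things Ceri had to add by hand (var/run, var/tmp and dev/null under the sandbox root, a syslogd socket at dev/log, and a statically linked named-xfer inside the tree) make a short checklist that is easy to get partly wrong and only discover when named fails to start or stops logging. The script below is an added example, not code from the thread or from FreeBSD: it audits a candidate sandbox directory against that checklist and prints the rc.conf lines that go with it. The function names and the default path are this example's own choices; the syslogd `-l` flag is the one Ceri mentions, while `named -t` is BIND 8's chroot option and is assumed here rather than taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a named(8) sandbox
# directory for the pieces the quoted message lists. Function names and the
# default root are this example's own assumptions.
#
# Usage: check_named_sandbox /etc/namedb
# Prints what is missing; exit status is 0 only when nothing is.

check_named_sandbox() {
    root="$1"
    missing=""

    # Runtime directories named(8) writes into after it has chroot()ed
    # (pid file, temporary files, device nodes).
    for d in var/run var/tmp dev; do
        [ -d "$root/$d" ] || missing="$missing $d/"
    done

    # dev/null must be a character device. An ordinary empty file silently
    # breaks things; mknod(8) is needed to create the real node.
    [ -c "$root/dev/null" ] || missing="$missing dev/null"

    # dev/log is a socket that syslogd(8) creates inside the sandbox when it
    # is started with '-l <root>/dev/log'. It exists only while syslogd runs
    # with that flag, so its absence usually means syslogd_flags is wrong.
    [ -S "$root/dev/log" ] || missing="$missing dev/log"

    # named-xfer has to live inside the tree and be statically linked: once
    # named has chroot()ed, a dynamic binary has no shared libraries to load.
    if [ -f "$root/named-xfer" ] && [ -x "$root/named-xfer" ]; then
        # ldd(1) exits non-zero on a static executable, so success means dynamic.
        if ldd "$root/named-xfer" >/dev/null 2>&1; then
            missing="$missing named-xfer(dynamic)"
        fi
    else
        missing="$missing named-xfer"
    fi

    if [ -n "$missing" ]; then
        echo "missing in $root:$missing"
        return 1
    fi
    echo "$root looks complete"
    return 0
}

# rc.conf lines that pair with a sandbox at the given root. syslogd's -l is
# the flag from the thread; -t is BIND 8's chroot option and is assumed here,
# so check named(8) on your system before relying on it.
named_rc_lines() {
    root="$1"
    printf 'named_flags="-t %s"\n' "$root"
    printf 'syslogd_flags="-l %s/dev/log"\n' "$root"
}

# When run as a script, audit the directory given on the command line.
if [ $# -gt 0 ]; then
    check_named_sandbox "$1"
fi
```

Run it as root against the sandbox root before starting named; the dev/log check will only pass once syslogd has been restarted with the new syslogd_flags, which is the ordering mistake that most often leaves a chrooted named running but silent in the logs.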