From: Odhiambo Washington <wash@wananchi.com>
To: freebsd-questions@FreeBSD.org
Date: Fri, 17 Aug 2001 14:28:00 +0300
Subject: Re: chroot'ing named(8)
Message-ID: <20010817142800.C4803@ns2.wananchi.com>
In-Reply-To: <20010817122110.A11537@rhadamanth>

* setantae [20010817 14:20]: writing on the subject 'chroot'ing named(8)'
setantae>
setantae> I've been fighting with setting up named to run in a sandbox on FreeBSD
setantae> this morning and I've found that it's non-trivial on FreeBSD.
setantae> Yes, you can get there if you know which manpages to read, but I'm
setantae> thinking of new users here.
setantae>
setantae> This is what I've had to do so far :
setantae>
setantae> 1) /etc/namedb is not populated with var/run, var/tmp, dev/null by default.
setantae>
setantae> 2) I have also had to add ``-l /etc/namedb/dev/log'' to syslogd_flags - this
setantae>    isn't suggested in the Handbook.
setantae>
setantae> 3) I've had to compile a static copy of named-xfer to install in /etc/namedb -
setantae>    this also is not documented in the Handbook (it's not even suggested that
setantae>    you'll need a copy in the sandbox).
setantae>    I'm also concerned that I'll need to do this now every time a change is
setantae>    made to the source tree in src/contrib/bind.
setantae>
setantae> 4) I don't like the fact that it's in /etc by default.
setantae>    Assume I was secondarying several thousand zones - space on / is an issue.
setantae>    (Yes, I know I can change this).
setantae>
setantae> I think at least that the Handbook needs to be looked at (I'm willing to do
setantae> this but it'll be in ascii as I'm still learning DocBook and will take a few
setantae> days as I have visitors this weekend).
setantae>
setantae> Also, I think the entire issue of running named in a chroot environment needs
setantae> to be made easier - setting this up on OpenBSD _is_ trivial.
setantae>
setantae> I feel I've only been able to get this successfully set up because I've done
setantae> it before on other systems - it would be good if this could be made easier in
setantae> the way that OpenBSD have achieved this.
setantae> I'm not necessarily suggesting that named is run in a chroot environment by
setantae> default, but setting it up to do so could be made a lot easier.
setantae>
setantae> Any comments are welcome (even if they're just ``Stop moaning'').
setantae>
setantae> Ceri

Hello Ceri,

I give you all my support on your suggestions even though I don't know how
easy it is to achieve the same on OpenBSD because I've never had the time to
try my hands on that OS.

However, I am sure some people here would suggest that you look at a jail-ed
named as a short cut to all the steps you went through making it run in a
sandbox.

I'll count myself lucky that I've not had an incident of named being
compromised even though I don't run it in a sandbox.

-Wash

--
Odhiambo Washington                    Wananchi Online Ltd., wash@wananchi.com
1st Flr Loita Hse.                     Tel: 254 2 313985
Loita Street.,                         Fax: 254 2 313922
PO Box 10286,00100-NAIROBI,KE.

Follow effective action with quiet reflection. From the quiet reflection will
come even more effective action.
 -James Levin
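The sandbox setantae describes in the quoted mail, as a script: steps 1 to 3 (var/run, var/tmp and dev/null under the chroot directory, an extra syslogd socket inside it, and a static named-xfer copied in). This is an added example for this archive page, not code from either poster, from the FreeBSD Handbook or from the BIND sources. It assumes a FreeBSD 4.x-era BIND 8 named (the -t chroot flag and -u/-g user and group switches), a "bind" user and group, and FreeBSD 4.x's static /dev with major/minor 2,2 for null (Linux numbers are included only so the script can be exercised there); the function names and the warning handling are mine.

```shell
#!/bin/sh
# Added example (not from the mail or the Handbook): build the chroot that the
# quoted message describes for a FreeBSD 4.x BIND 8 named.
# Assumptions: BIND 8 flags -t/-u/-g, a "bind" user and group, and FreeBSD
# 4.x device numbers for /dev/null (c 2 2); devfs-based systems do not use mknod.
set -eu

# build_named_chroot ROOT NAMED_XFER
#   Creates ROOT/var/run, ROOT/var/tmp and ROOT/dev, a /dev/null node (root only),
#   and installs a copy of NAMED_XFER at ROOT/named-xfer.
build_named_chroot() {
    root=$1
    xfer=$2

    for d in var/run var/tmp dev; do
        mkdir -p "$root/$d"
    done
    chmod 1777 "$root/var/tmp"        # sticky, world-writable, like /var/tmp

    # Step 1 of the mail: dev/null. mknod needs root and a static /dev; skip
    # (with a warning) when we cannot do it, so the rest still gets built.
    if [ ! -e "$root/dev/null" ]; then
        case "$(uname -s)" in
            FreeBSD) maj=2; min=2 ;;  # FreeBSD 4.x MAKEDEV: null is c 2 2
            Linux)   maj=1; min=3 ;;  # the same node on Linux, for exercising the script
            *)       maj=;  min=  ;;
        esac
        if [ "$(id -u)" -eq 0 ] && [ -n "$maj" ]; then
            mknod "$root/dev/null" c "$maj" "$min" && chmod 666 "$root/dev/null" \
                || echo "warning: could not create $root/dev/null" >&2
        else
            echo "warning: not creating $root/dev/null (needs root; on FreeBSD 4.x: mknod $root/dev/null c 2 2)" >&2
        fi
    fi

    # Step 3: named-xfer must be static; inside the chroot there is no ld.so
    # or libc. ldd exits non-zero for a static (or non-ELF) file.
    if ldd "$xfer" >/dev/null 2>&1; then
        echo "warning: $xfer is dynamically linked and will not run in the chroot" >&2
    fi
    cp -p "$xfer" "$root/named-xfer"
    chmod 555 "$root/named-xfer"
}

# rc_conf_lines ROOT
#   Prints the rc.conf settings that go with the chroot: named chrooted into
#   ROOT as user/group bind, and (step 2 of the mail) syslogd listening on an
#   extra socket at ROOT/dev/log so named can still log from inside.
rc_conf_lines() {
    root=$1
    printf 'named_enable="YES"\n'
    printf 'named_flags="-u bind -g bind -t %s"\n' "$root"
    printf 'syslogd_flags="-l %s/dev/log"\n' "$root"
}

# Typical invocation on the box itself (writes under /etc/namedb, as in the mail):
#   build_named_chroot /etc/namedb /path/to/static/named-xfer
#   rc_conf_lines /etc/namedb >> /etc/rc.conf
```

Two things to check after running it: named looks for named-xfer at its compiled-in path relative to the chroot, so either install the static copy at that path under the chroot or point BIND 8's named.conf option named-xfer at /named-xfer (the path as named sees it once chrooted); and restart syslogd before named, otherwise the new log socket does not exist when named opens it and its log lines go nowhere.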