From owner-freebsd-doc Wed Aug 22 14:34:13 2001
Date: Wed, 22 Aug 2001 14:34:34 -0700
From: Chern Lee
To: setantae
Cc: freebsd-doc@freebsd.org
Subject: Re: chroot'ing named(8)
In-Reply-To: <20010817122514.A11760@rhadamanth>

There's already a section on running a chroot named in the Advanced
Networking/DNS/Running named in a sandbox section. Take a look at

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/dns.html#NAMED-SANDBOX

If you have any suggestions as to updating/enhancing its content, feel free
to do so and submit a unified diff. Or if you don't want to bother messing
with DocBook, make the text changes and submit it to me.

Thanks for the input.

- chern

At 12:25 PM 8/17/2001 +0100, you wrote:
>I had meant to cc this to -doc (just posted to -questions).
>
> Original mail :
>
>I've been fighting with setting up named to run in a sandbox on FreeBSD
>this morning and I've found that it's non-trivial on FreeBSD.
>Yes, you can get there if you know which manpages to read, but I'm
>thinking of new users here.
>
>This is what I've had to do so far :
>
>1) /etc/namedb is not populated with var/run, var/tmp, dev/null by default.
>
>2) I have also had to add ``-l /etc/namedb/dev/log'' to syslogd_flags - this
>   isn't suggested in the Handbook.
>
>3) I've had to compile a static copy of named-xfer to install in /etc/namedb -
>   this also is not documented in the Handbook (it's not even suggested that
>   you'll need a copy in the sandbox).
>   I'm also concerned that I'll need to do this now every time a change is
>   made to the source tree in src/contrib/bind.
>
>4) I don't like the fact that it's in /etc by default.
>   Assume I was secondarying several thousand zones - space on / is an issue.
>   (Yes, I know I can change this).
>
>I think at least that the Handbook needs to be looked at (I'm willing to do
>this but it'll be in ascii as I'm still learning DocBook and will take a few
>days as I have visitors this weekend).
>
>Also, I think the entire issue of running named in a chroot environment needs
>to be made easier - setting this up on OpenBSD _is_ trivial.
>
>I feel I've only been able to get this successfully set up because I've done
>it before on other systems - it would be good if this could be made easier in
>the way that OpenBSD have achieved this.
>I'm not necessarily suggesting that named is run in a chroot environment by
>default, but setting it up to do so could be made a lot easier.
>
>Any comments are welcome (even if they're just ``Stop moaning'').
>
>Ceri
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-doc" in the body of the message
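As an added example that is not part of this thread or the Handbook, a small POSIX shell check that verifies the sandbox pieces Ceri lists (var/run, var/tmp, a dev/null device, the dev/log socket that syslogd creates with -l, and a static copy of named-xfer) are present under the chroot root; the function name, the default root and the ldd-based link check are assumptions.

```shell
#!/bin/sh
# Check that a named(8) chroot directory has the pieces the thread says
# are missing by default. Added example; the function name and the
# default root are assumptions, not Handbook content.
check_named_sandbox() {
    root="${1:-/etc/namedb}"   # FreeBSD's default named directory
    missing=0

    # named needs var/run (pid file), var/tmp (temp files) and dev/ inside the chroot
    for d in var/run var/tmp dev; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"
            missing=$((missing + 1))
        fi
    done

    # dev/null must be a character device created with mknod, not a plain file
    if [ ! -c "$root/dev/null" ]; then
        echo "missing character device: $root/dev/null"
        missing=$((missing + 1))
    fi

    # dev/log is the socket syslogd opens when started with -l $root/dev/log
    if [ ! -S "$root/dev/log" ]; then
        echo "missing syslog socket: $root/dev/log (add -l $root/dev/log to syslogd_flags)"
        missing=$((missing + 1))
    fi

    # named-xfer must be copied in and, since no shared libraries exist in
    # the chroot, linked statically (ldd succeeds only on dynamic binaries)
    if [ ! -x "$root/named-xfer" ]; then
        echo "missing executable: $root/named-xfer"
        missing=$((missing + 1))
    elif ldd "$root/named-xfer" >/dev/null 2>&1; then
        echo "warning: $root/named-xfer is dynamically linked; rebuild it static"
    fi

    return "$missing"   # exit status is the number of missing items
}
```

Run it as root against the chroot root; a zero exit status means every item was found.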