From owner-freebsd-stable Thu Feb 1 10:18:11 2001
Date: 01 Feb 2001 19:17:46 +0100
From: Dag-Erling Smorgrav
To: Stefan Molnar
Cc: Gordon Tetlow, Vivek Khera,
Subject: Re: chrooting bind
In-Reply-To: Stefan Molnar's message of "Thu, 1 Feb 2001 10:05:00 -0800 (PST)"
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.

Stefan Molnar writes:
> Please explain. I am running named with -t /var/named and I have to
> create /dev entries, all the libs needed by named, etc.

There is no need for placing any device nodes in the sandbox. Libraries can be avoided by linking named-xfer (which is the only binary you need inside the sandbox) statically.

You will need /var/run and /var/tmp to exist in the sandbox and be writeable for the bind user. You will also need a log socket in ${sandbox}/var/run; see the description of the -l option to syslogd in the syslogd(8) man page.

You will probably want to symlink ${sandbox}/var/run/ndc to /var/run/ndc so ndc still works without the -c option. You may want to do the same thing with ${sandbox}/var/run/named.pid.

Ideally, everything in the sandbox except /var/run, /var/tmp and the directory (or directories) in which you want bind to place slave zone files and db dumps should be read-only and/or owned by a different user.

You need to be aware of how the 'ndc restart' command works, and possibly modify ndc to disable it, or write a wrapper for ndc, so that you never accidentally run named outside the sandbox.

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
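The sandbox layout DES describes, as an added example script that is not part of the original thread: it creates the writable /var/run, /var/tmp and slave-zone directories, keeps the rest of the tree read-only, places the ndc and named.pid links, and then counts anything outside the writable directories that the bind user could still modify. The sandbox path, the account name "bind", the slave directory etc/namedb/slave and the host /var/run path are assumptions passed as parameters.

```sh
#!/bin/sh
# Build and audit a chroot sandbox for named (named -u USER -t SANDBOX).
# Added example; paths and the user name are assumptions, not from the post.
set -u

# make_sandbox SANDBOX HOSTRUN USER
#   SANDBOX  chroot root given to named -t
#   HOSTRUN  the real /var/run, where links to the sandbox ndc socket
#            and pid file are placed so 'ndc' works without -c
#   USER     unprivileged account named runs as
make_sandbox() {
    sb="${1%/}"; hostrun="${2%/}"; user="$3"
    # Read-only part: config and master zones, owned by the caller (root)
    mkdir -p "$sb/etc/namedb" "$sb/var"
    chmod 0755 "$sb" "$sb/etc" "$sb/etc/namedb" "$sb/var"
    # Writable part: /var/run (pid file, ndc socket, log socket created by
    # 'syslogd -l SANDBOX/var/run/log'), /var/tmp and the slave zone dir
    mkdir -p "$sb/var/run" "$sb/var/tmp" "$sb/etc/namedb/slave"
    chmod 0750 "$sb/var/run" "$sb/var/tmp" "$sb/etc/namedb/slave"
    # chown only works as root and only if the account exists
    if [ "$(id -u)" -eq 0 ] && id -u "$user" >/dev/null 2>&1; then
        chown "$user" "$sb/var/run" "$sb/var/tmp" "$sb/etc/namedb/slave"
    fi
    # named writes the socket and pid file inside the sandbox; point the
    # host paths at them (dangling until named has started)
    mkdir -p "$hostrun"
    ln -sf "$sb/var/run/ndc" "$hostrun/ndc"
    ln -sf "$sb/var/run/named.pid" "$hostrun/named.pid"
}

# check_sandbox SANDBOX USER: print the number of entries outside the
# writable directories that USER owns or that are world-writable.
# Should print 0 on a correctly laid out sandbox.
check_sandbox() {
    sb="${1%/}"; user="$2"
    owner_test=""
    if id -u "$user" >/dev/null 2>&1; then
        owner_test="-user $user -o"
    fi
    # Symlinks are skipped: their lrwxrwxrwx mode is not a real permission
    find "$sb" \( -path "$sb/var/run" -o -path "$sb/var/tmp" \
                -o -path "$sb/etc/namedb/slave" \) -prune -o \
         ! -type l \( $owner_test -perm -0002 \) -print | wc -l | tr -d ' '
}
```

As root, `make_sandbox /var/named /var/run bind` followed by `check_sandbox /var/named bind` should print 0; a non-zero count lists how many files a compromised named could alter.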