From owner-freebsd-stable Thu Feb 1 10:24:56 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from digital.csudsu.com (digital.csudsu.com [209.249.57.102]) by hub.freebsd.org (Postfix) with ESMTP id 4C4B137B4EC for ; Thu, 1 Feb 2001 10:24:35 -0800 (PST)
Received: by digital.csudsu.com (Postfix, from userid 1000) id 98EBE22E01; Thu, 1 Feb 2001 10:26:44 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by digital.csudsu.com (Postfix) with ESMTP id 875BF1F001; Thu, 1 Feb 2001 10:26:44 -0800 (PST)
Date: Thu, 1 Feb 2001 10:26:44 -0800 (PST)
From: Stefan Molnar
To: Dag-Erling Smorgrav
Cc: Gordon Tetlow , Vivek Khera ,
Subject: Re: chrooting bind
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I see where you are coming from now. On this system I attempted to be more complete, basically give it everything, and attempt to depend on nothing outside the sandbox. Though ndc does not work well in 9.1.0.

On 1 Feb 2001, Dag-Erling Smorgrav wrote:
> Stefan Molnar writes:
> > Please explain. I am running named with -t /var/named and I have to
> > create /dev entries, all the libs needed by named, etc.
>
> There is no need for placing any device nodes in the sandbox.
>
> Libraries can be avoided by linking named-xfer (which is the only
> binary you need inside the sandbox) statically.
>
> You will need /var/run and /var/tmp to exist in the sandbox and be
> writable for the bind user. You will also need a log socket in
> ${sandbox}/var/run; see the description of the -l option to syslogd in
> the syslogd(8) man page.
>
> You will probably want to symlink ${sandbox}/var/run/ndc to
> /var/run/ndc so ndc still works without the -c option. You may want to
> do the same thing with ${sandbox}/var/run/named.pid.
>
> Ideally, everything in the sandbox except /var/run, /var/tmp and the
> directory (or directories) in which you want bind to place slave zone
> files and db dumps should be read-only and/or owned by a different
> user.
>
> You need to be aware of how the 'ndc restart' command works, and
> possibly modify ndc to disable it, or write a wrapper for ndc, so that
> you never accidentally run named outside the sandbox.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
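The sandbox layout DES describes in the quoted reply (writable /var/run, /var/tmp and a slave-zone directory for the bind user, everything else read-only, host-side symlinks so ndc finds its socket and pid file, and a syslogd -l log socket), as an added example that is not part of the thread and not code from FreeBSD or BIND. It assumes the unprivileged account is called "bind", that slave zones and db dumps go in ${sandbox}/var/named/slave, that "read-only" means mode 0555, and that the rc.conf(5) variables named_enable, named_flags and syslogd_flags are used to start named and syslogd; none of those specifics are stated in the thread.

```shell
#!/bin/sh
# Added example for this thread; not code from the list, FreeBSD or BIND.
# Assumptions beyond the thread: bind user is "bind", slave zones live in
# $sandbox/var/named/slave, read-only directories get mode 0555.
set -eu

# make_named_sandbox SANDBOX BINDUSER [HOSTRUN]
#   SANDBOX  chroot root, what "named -t" points at (e.g. /var/named)
#   BINDUSER unprivileged user named runs as ("named -u")
#   HOSTRUN  where ndc looks for its socket on the host, default /var/run
make_named_sandbox() {
    sandbox=$1; binduser=$2; hostrun=${3:-/var/run}
    bindgroup=$(id -gn "$binduser")

    # Create the whole tree first, while every directory is still writable.
    for d in etc var var/run var/tmp var/named var/named/slave; do
        mkdir -p "$sandbox/$d"
    done

    # Only these three are handed to the bind user (pid file and ndc
    # socket, temp files, slave zones / db dumps).
    for d in var/run var/tmp var/named/slave; do
        chown "$binduser:$bindgroup" "$sandbox/$d"
        chmod 0755 "$sandbox/$d"
    done

    # Chrooted named creates /var/run/ndc and named.pid inside the sandbox;
    # ndc on the host expects them under $hostrun, so link them across.
    mkdir -p "$hostrun"
    ln -sf "$sandbox/var/run/ndc" "$hostrun/ndc"
    ln -sf "$sandbox/var/run/named.pid" "$hostrun/named.pid"

    # Everything else stays owned by the caller (root in practice) and is
    # made read-only last, so the mkdirs above were not blocked.
    for d in "$sandbox" "$sandbox/etc" "$sandbox/var" "$sandbox/var/named"; do
        chmod 0555 "$d"
    done
}

# check_named_sandbox SANDBOX BINDUSER [HOSTRUN]
# Returns 0 when the layout matches the description above, 1 otherwise.
check_named_sandbox() {
    sandbox=$1; binduser=$2; hostrun=${3:-/var/run}
    rc=0
    for d in var/run var/tmp var/named/slave; do
        # POSIX find: -prune stops at the path itself, -user tests ownership.
        [ -n "$(find "$sandbox/$d" -prune -user "$binduser" -print 2>/dev/null)" ] \
            || { echo "not owned by $binduser: $sandbox/$d"; rc=1; }
    done
    for d in "$sandbox" "$sandbox/etc" "$sandbox/var" "$sandbox/var/named"; do
        # First ten columns of ls -ld are the type and mode bits.
        [ "$(ls -ld "$d" | cut -c1-10)" = "dr-xr-xr-x" ] \
            || { echo "not read-only: $d"; rc=1; }
    done
    for f in ndc named.pid; do
        [ "$(readlink "$hostrun/$f" 2>/dev/null)" = "$sandbox/var/run/$f" ] \
            || { echo "missing or wrong symlink: $hostrun/$f"; rc=1; }
    done
    return $rc
}

# rc_conf_hints SANDBOX BINDUSER: print the rc.conf(5) lines this layout
# needs; "-l" is the syslogd option DES points at, -u/-t are named's own.
rc_conf_hints() {
    sandbox=$1; binduser=$2
    cat <<EOF
named_enable="YES"
named_flags="-u $binduser -t $sandbox"
syslogd_flags="-l $sandbox/var/run/log"
EOF
}

# Stand-alone use (as root): sh chroot-named.sh /var/named bind
if [ $# -ge 2 ]; then
    make_named_sandbox "$1" "$2" "${3:-/var/run}"
    check_named_sandbox "$1" "$2" "${3:-/var/run}"
    rc_conf_hints "$1" "$2"
fi
```

The script only builds the skeleton: copying named.conf and the zone files into the sandbox, placing a statically linked named-xfer there, and the wrapper around 'ndc restart' that DES mentions (so a restart never starts named outside the chroot) are still up to the administrator. check_named_sandbox is the part worth keeping around; run it after any package upgrade that might have recreated directories with the wrong owner.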