Date: Thu, 1 Feb 2001 10:56:11 -0500 From: "Rossen Raykov" <rraykov@sageian.com> To: <freebsd-security@freebsd.org> Subject: Ronning named in chroot env Message-ID: <03aa01c08c67$7f7c3320$4c00000a@sage>
Hi,

In case someone is interested in running named in a chrooted environment on FreeBSD, below is my experience of how this can be done. There are example settings for /etc/rc.conf also. I provide this information with no warranty of any kind. Use it at your own risk!

First create the chroot directory where you will put named in. In the example settings I'll use /var/chroot/named

Create the following directories in it:

  bin
  dev
  etc
  etc/namedb
  etc/namedb/* (depends on your named config)
  lib
  var
  var/run
  usr
  usr/sbin
  usr/libexec
  usr/lib
  tmp

Copy the following files in it:

  bin/ldconfig (optional)
  etc/passwd
  etc/localtime
  etc/group
  etc/namedb/named.conf
  etc/namedb/cache
  etc/namedb/named.root
  etc/namedb/* (depends on your zones)
  var/run/named.pid (generated by named on startup so you do not need to copy it)
  usr/sbin/named
  usr/libexec/ld-elf.so.1
  usr/libexec/named-xfer
  usr/lib/libc.so.4
  usr/lib/libutil.so.3

Links (depend on whether you are using the bind from the FreeBSD distribution or one from ports):

  etc/named.conf -> namedb/named.conf

Create special file (mknod null c 2 2 root:wheel):

  dev/null

Sockets (those will be created during runtime):

  dev/log
  var/run/ndc

Settings in /etc/rc.conf:

  # Start named in chroot environment
  named_enable="YES"
  named_program="chroot"
  named_flags="/var/chroot/named /usr/sbin/named -u bind -g bind"
  # Create logging socket for named in the sandbox
  syslogd_flags="-s -l /var/chroot/named/dev/log"

Notes about etc/passwd in the chrooted environment:

There is not a good reason for this to be your real passwd file. Create something like:

  root:*:0:0:Charlie &:/root:/bin/csh
  bind:*:53:53:Bind Sandbox:/:/sbin/nologin

Keep the same UID for bind as in the original passwd file. Use pwd_mkdb to create the shadow password file. Do not simply copy the original one!

The group file can be something like:

  wheel:*:0:root
  bind:*:53:

Finally be careful with the rights in the newly created directory structure. For this one can look at the rights and the ownership of the original ones.
To start named in the new environment - restart the box ;) or stop syslogd and start it with the options specified above:

  syslogd -s -l /var/chroot/named/dev/log

Verify that syslog is working correctly (I have to restart it 2 times?!).

Start named:

  chroot /var/chroot/named /usr/sbin/named -u bind -g bind

That's all!

Rossen
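The steps from the message above (directory skeleton, file list, sandbox passwd/group with the host's bind UID, rc.conf-era file names) collected into one POSIX sh script. This is an added example, not Rossen's own script and not part of the FreeBSD base system. It assumes the FreeBSD 4.x file names the message lists (ld-elf.so.1, libc.so.4, libutil.so.3), a host passwd entry named "bind" (falling back to UID 53, the message's value, when absent), and the hypothetical script name mkchroot_named.sh. The write step produces master.passwd in the ten-field format pwd_mkdb expects alongside the seven-field passwd the message shows; the check step reports anything writable by group or others outside var/run, which is the "be careful with the rights" point from the message.

```shell
#!/bin/sh
# mkchroot_named.sh (hypothetical name): build and sanity-check a named chroot
# tree following the freebsd-security post. Added example, not the author's code.
set -u

# Directories the post lists under the chroot root.
CHROOT_DIRS="bin dev etc etc/namedb lib var var/run usr usr/sbin usr/libexec usr/lib tmp"

# Regular files the post lists (relative to /). passwd/group are generated below
# and named.pid is created by named itself, so neither is copied.
CHROOT_FILES="bin/ldconfig etc/localtime etc/namedb/named.conf etc/namedb/cache \
etc/namedb/named.root usr/sbin/named usr/libexec/ld-elf.so.1 usr/libexec/named-xfer \
usr/lib/libc.so.4 usr/lib/libutil.so.3"

# make_skeleton ROOT: create the directory tree, read-only for group/others.
make_skeleton() {
    root=$1
    for d in $CHROOT_DIRS; do
        mkdir -p "$root/$d" || return 1
        chmod 755 "$root/$d"
    done
    return 0
}

# bind_uid PASSWD_FILE: uid of "bind" in the given passwd file, or 53 if absent.
bind_uid() {
    uid=$(awk -F: '$1 == "bind" { print $3; exit }' "$1" 2>/dev/null)
    echo "${uid:-53}"
}

# write_sandbox_passwd ROOT UID: minimal passwd, master.passwd and group for the
# sandbox, keeping bind's uid/gid identical to the host's as the post requires.
write_sandbox_passwd() {
    root=$1; uid=$2
    cat > "$root/etc/passwd" <<EOF
root:*:0:0:Charlie &:/root:/bin/csh
bind:*:$uid:$uid:Bind Sandbox:/:/sbin/nologin
EOF
    cat > "$root/etc/master.passwd" <<EOF
root:*:0:0::0:0:Charlie &:/root:/bin/csh
bind:*:$uid:$uid::0:0:Bind Sandbox:/:/sbin/nologin
EOF
    cat > "$root/etc/group" <<EOF
wheel:*:0:root
bind:*:$uid:
EOF
    chmod 644 "$root/etc/passwd" "$root/etc/group"
    chmod 600 "$root/etc/master.passwd"
}

# copy_files SRC_ROOT ROOT: copy the listed files and strip group/other write
# bits; echoes how many were missing (named cannot start without loader and libc).
copy_files() {
    src=$1; root=$2; missing=0
    for f in $CHROOT_FILES; do
        if [ -f "$src/$f" ]; then
            cp "$src/$f" "$root/$f" && chmod go-w "$root/$f"
        else
            echo "missing: $src/$f" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# check_perms ROOT: echo the number of entries writable by group or others,
# ignoring var/run (named must write named.pid and the ndc socket there).
check_perms() {
    root=$1
    find "$root" -path "$root/var/run" -prune -o \
        \( -perm -020 -o -perm -002 \) ! -type l -print | wc -l | tr -d ' '
}

# Usage, as root on the FreeBSD host: sh mkchroot_named.sh build /var/chroot/named
case "${1:-}" in
    build)
        root=${2:-/var/chroot/named}
        make_skeleton "$root" || exit 1
        write_sandbox_passwd "$root" "$(bind_uid /etc/passwd)"
        echo "files missing from the chroot: $(copy_files / "$root")"
        ln -sf namedb/named.conf "$root/etc/named.conf"     # the link the post mentions
        [ -c "$root/dev/null" ] || mknod "$root/dev/null" c 2 2
        chown bind:bind "$root/var/run"
        # Build the sandbox's own pwd.db/spwd.db; never copy the host's.
        pwd_mkdb -d "$root/etc" "$root/etc/master.passwd"
        echo "group/world-writable entries outside var/run: $(check_perms "$root")"
        ;;
esac
```

The syslogd and chroot commands from the message are still typed by hand afterwards; the script only prepares and audits the tree, and the "missing" count is the first thing to look at when named dies immediately inside the sandbox.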