From owner-freebsd-security Thu Feb 1 8: 5:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id ED3FF37B503 for ; Thu, 1 Feb 2001 08:05:13 -0800 (PST)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.1/8.11.1) with ESMTP id f11G5vd82414; Thu, 1 Feb 2001 11:05:57 -0500 (EST) (envelope-from rsimmons@wlcg.com)
Date: Thu, 1 Feb 2001 11:05:56 -0500 (EST)
From: Rob Simmons
To: Rossen Raykov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Running named in chroot env
In-Reply-To: <03aa01c08c67$7f7c3320$4c00000a@sage>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You can keep the number of libs that you need to put in the chroot down by
compiling bind statically. There is a website about this here:

http://www.psionic.com/papers/dns/dns-openbsd/

If you are using the ports collection to build bind, just add the following
line to the Makefile:

CFLAGS= -static

The site is primarily about OpenBSD, but things work (almost) the same in
FreeBSD :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 1 Feb 2001, Rossen Raykov wrote:

> Hi,
>
> In case someone is interested in running named in a chrooted environment on
> FreeBSD, below is my experience of how this can be done.
> There are example settings for /etc/rc.conf also.
>
> I provide this information with no warranty of any kind.
> Use it at your own risk!
>
> First create the chroot directory where you will put named in.
> In the example settings I'll use /var/chroot/named
>
> Create the following directories in it:
> bin
> dev
> etc
> etc/namedb
> etc/namedb/* (depends on your named config)
> lib
> var
> var/run
> usr
> usr/sbin
> usr/libexec
> usr/lib
> tmp
>
> Copy the following files in it:
>
> bin/ldconfig (optional)
> etc/passwd
> etc/localtime
> etc/group
> etc/namedb/named.conf
> etc/namedb/cache
> etc/namedb/named.root
> etc/namedb/* (depends on your zones)
> var/run/named.pid (generated by named on startup so you do not need to copy
> it)
> usr/sbin/named
> usr/libexec/ld-elf.so.1
> usr/libexec/named-xfer
> usr/lib/libc.so.4
> usr/lib/libutil.so.3
>
> links (depends on whether you are using the bind from the FreeBSD distribution
> or one from ports):
> etc/named.conf -> namedb/named.conf
>
> Create special file (mknod null c 2 2 root:wheel):
> dev/null
>
> Sockets (those will be created during runtime):
> dev/log
> var/run/ndc
>
> Settings in /etc/rc.conf
> # Start named in chroot environment
> named_enable="YES"
> named_program="chroot"
> named_flags="/var/chroot/named /usr/sbin/named -u bind -g bind"
> # Create logging socket for named in the sandbox
> syslogd_flags="-s -l /var/chroot/named/dev/log"
>
> Notes about etc/passwd in the chrooted environment:
> There is no good reason for this to be your real passwd file.
> Create something like:
>
> root:*:0:0:Charlie &:/root:/bin/csh
> bind:*:53:53:Bind Sandbox:/:/sbin/nologin
>
> Keep the same UID for bind as in the original passwd file.
> Use pwd_mkdb to create the shadow password file.
> Do not simply copy the original one!
>
> group file can be something like:
>
> wheel:*:0:root
> bind:*:53:
>
> Finally be careful with the rights in the newly created directory structure.
> For this one can look at the rights and the ownership of the original ones.
>
> To start named in the new environment - restart the box ;)
> or stop syslogd and start it with the options specified above.
>
> syslogd -s -l /var/chroot/named/dev/log
>
> Verify that syslog is working correctly (I have to restart it 2 times?!).
>
> start named:
> chroot /var/chroot/named /usr/sbin/named -u bind -g bind
>
> That's all!
>
> Rossen
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
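An added example, not part of either message in this thread: a small POSIX sh checklist that verifies a named chroot laid out the way Rossen describes before rc.conf is pointed at it. The function names and the set of checks are my own assumptions; the file list is the one from his post.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check a named chroot built the
# way Rossen describes, before pointing rc.conf at it.  Function names and
# the set of checks are assumptions; the file list is the one from his post.
# Usage: named_chroot_check /var/chroot/named

# Files that must be present inside the chroot (paths relative to its root).
named_chroot_required_files() {
    cat <<'EOF'
etc/passwd
etc/group
etc/localtime
etc/namedb/named.conf
usr/sbin/named
usr/libexec/ld-elf.so.1
usr/libexec/named-xfer
usr/lib/libc.so.4
usr/lib/libutil.so.3
EOF
}

# Report problems in the chroot at $1 on stdout; return the number found (0 = ok).
named_chroot_check() {
    root="$1"; problems=0
    for f in $(named_chroot_required_files); do
        if [ ! -e "$root/$f" ]; then
            echo "missing: $f"; problems=$((problems + 1))
        fi
    done
    # dev/null must be a character device (made with mknod), not an ordinary file.
    if [ ! -c "$root/dev/null" ]; then
        echo "dev/null is not a character device"; problems=$((problems + 1))
    fi
    # The sandbox passwd must not be a copy of the host's real one.
    if cmp -s /etc/passwd "$root/etc/passwd"; then
        echo "etc/passwd is a copy of the host passwd file"; problems=$((problems + 1))
    fi
    # Nothing in the sandbox should be setuid/setgid; named runs as the bind user.
    for f in $(find "$root" -type f \( -perm -4000 -o -perm -2000 \)); do
        echo "setuid/setgid file: $f"; problems=$((problems + 1))
    done
    return "$problems"
}
```

Run it as root against the real tree; on a test box a symlink to the host /dev/null satisfies the device check, but inside an actual chroot the node has to be created with mknod as the post says.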