From owner-freebsd-stable Fri Feb 2 0:27:40 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from axis.tdd.lt (axis.tdd.lt [193.219.211.5]) by hub.freebsd.org (Postfix) with ESMTP id 1EDB337B4EC for ; Fri, 2 Feb 2001 00:27:21 -0800 (PST)
Received: from localhost (midom@localhost) by axis.tdd.lt (8.11.1/8.11.1) with ESMTP id f128RIP07167 for ; Fri, 2 Feb 2001 10:27:18 +0200 (EET)
Date: Fri, 2 Feb 2001 10:27:17 +0200 (EET)
From: Domas Mituzas
X-Sender: midom@axis.tdd.lt
To: stable@freebsd.org
Subject: our BIND jail implementation
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

I saw a lot of discussions about implementing a secure (or just sandboxed) bind solution. We had an approach of building bind in such a manner that was most secure. Security breaches could happen both from administrative user access and from insecure software. Therefore, we've got a jail with two users - dnsadmin and bind. Both of them are in the bind group (actually I was laughing out loud when I saw the uid and gid of the bind user: 53:53 - perfect! :)

Therefore we built a chroot sandbox for the jail with such a tree:

    /           750 root:bind
    run/        750 bind:bind      pids, log sockets, temporary zone transfer files, etc.
    slave/      750 bind:bind      slave zone cache files
    data/       750 dnsadmin:bind  master zone data
    admin/      700 dnsadmin:bind  ~dnsadmin
    log/        750 bind:bind
    named.conf  640 dnsadmin:bind
    named-xfer  750 root:bind

Of course, it's necessary to tweak pathnames.h, so dns would find the exact locations. named-xfer was a statically linked binary, which put temporary transfers in run/. ndc was tweaked to find the control socket in $BINDROOT/run/ndc. Moreover, the control socket was made to be bind:bind 660, so a regular zone administrator could do a simple zone reload. Logs were configured to be put in logs/ with special size restrictions.

Ah, and the last thing I forgot to mention - it works! :)

Domas
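As an added example (not the poster's own scripts), the following POSIX sh script builds the tree described above under a BINDROOT of your choice and checks that every entry still carries the intended mode, so drift in the jail's permissions is caught before named is restarted. It assumes the dnsadmin and bind accounts exist; ownership is only applied when run as root.

```shell
# Layout from the post, "path owner:group mode". named.conf and named-xfer are
# files in the real jail and are created here as empty placeholders.
BIND_LAYOUT='.          root:bind     750
run        bind:bind     750
slave      bind:bind     750
data       dnsadmin:bind 750
admin      dnsadmin:bind 700
log        bind:bind     750
named.conf dnsadmin:bind 640
named-xfer root:bind     750'

# bind_jail_create BINDROOT: create the tree and apply the modes; chown only
# when running as root and the owning account (assumed: dnsadmin, bind) exists
bind_jail_create() {
    mkdir -p "$1" || return 1
    while read -r path owner mode; do
        target="$1/$path"
        case "$path" in
            named.conf|named-xfer) [ -e "$target" ] || : > "$target" ;;
            *) mkdir -p "$target" ;;
        esac
        chmod "$mode" "$target" || return 1
        if [ "$(id -u)" -eq 0 ] && id "${owner%%:*}" >/dev/null 2>&1; then
            chown "$owner" "$target" || echo "warning: chown $owner failed" >&2
        fi
    done <<EOF
$BIND_LAYOUT
EOF
}

# bind_jail_check BINDROOT: report entries whose mode differs from the layout;
# returns 0 only when every entry matches
bind_jail_check() {
    bad=0
    while read -r path owner mode; do
        target="$1/$path"
        # find -prune -perm N prints the path only when the mode matches exactly
        if [ -z "$(find "$target" -prune -perm "$mode" -print 2>/dev/null)" ]; then
            echo "mode drift: $(ls -ld "$target") (want $mode $owner)"
            bad=$((bad + 1))
        fi
    done <<EOF
$BIND_LAYOUT
EOF
    [ "$bad" -eq 0 ]
}
```

Run `bind_jail_create /path/to/bindroot` once as root, then `bind_jail_check /path/to/bindroot` from cron or before each restart of named.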