From owner-freebsd-security Fri Feb 2 2: 5:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bws3.zenon.net (bws3.zenon.net [195.2.69.69]) by hub.freebsd.org (Postfix) with ESMTP id B36C537B4EC for ; Fri, 2 Feb 2001 02:05:02 -0800 (PST)
Received: by bws3.zenon.net id f12A3gE94920, (ron@localhost); (8.11.0/vak/1.9) Fri, 2 Feb 2001 13:03:42 +0300 (MSK)
Date: Fri, 2 Feb 2001 13:03:42 +0300
From: Roman Gnatenko
To: FengYue
Cc: Dag-Erling Smorgrav , Rossen Raykov , freebsd-security@FreeBSD.ORG
Subject: Re: Ronning named in chroot env
Message-ID: <20010202130342.C92089@zenon.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from fengyue@bluerose.windmoon.nu on Thu, Feb 01, 2001 at 09:26:06AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

On Thu, Feb 01, 2001 at 09:26:06AM -0800, FengYue wrote:
>
> On 1 Feb 2001, Dag-Erling Smorgrav wrote:
> > Only if your named.conf has 'directory "/";' in the options section,
> > and you don't have any slave zones, and you're not interested in any
> > log messages your name server produces. Come to think of it, the fact
> > that named is now unable to log error messages is probably the reason
> > why you think it works just fine :)
>
> Yes, it doesn't have any slave zones, but I do miss the logs.
>
> I will use your patch then:)
>
> BTW, you have a typo for the link:
>
> http://people.freebsd.org/~des/software/>
>
> there is an extra '>' after software/
>
> Thanks...
>

The configuration below has worked fine for me all the time; I run named with the -t option:

options {
        directory "/";
        pid-file "/run/named.pid";
        named-xfer "/bin/named-xfer";
        listen-on { 123.4.5.7; 127.0.0.1; };
        transfer-source 123.4.5.7;
        query-source address 123.4.5.7 port 53;
        allow-transfer { my_acl; };
};

Just compile named-xfer with -static and place it in your /chroot/bin. To see what your named is doing, insert a section like this into your named.conf:

logging {
        channel errchannel {
                file "log/errors";
                severity info;
                print-time yes;
                print-category yes;
                print-severity yes;
        };
        category default { errchannel; };
};

All files in /chroot must be root-owned, except the directory where bind places secondary zones.

>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Roman Gnatenko
Zenon N.S.P
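
Added example, not part of the original message or of BIND: a shell function that audits a named chroot tree against the ownership rule stated in the message above. The function name, the "slave" directory name for secondary zones, and the extra group/world-writable check are assumptions introduced for illustration.

```shell
#!/bin/sh
# Added example: audit a named chroot tree against the rule
# "all files root owned, except the secondary-zone directory".
# Assumed names (not from the message): audit_chroot, the default
# "slave" directory, and the additional writable-bit check.

# audit_chroot ROOT [EXEMPT_DIR] [OWNER]
#   ROOT        chroot directory given to named -t (e.g. /chroot)
#   EXEMPT_DIR  path relative to ROOT where secondary zones are written
#   OWNER       required owner, user name or numeric uid (default: root)
# Prints one offending path per line.
# Returns 0 if the tree is clean, 1 if not, 2 if ROOT is not a directory.
audit_chroot() {
    root=${1%/}
    exempt=${2:-slave}
    owner=${3:-root}

    if [ ! -d "$root" ]; then
        echo "audit_chroot: '$1' is not a directory" >&2
        return 2
    fi

    # Skip the secondary-zone directory entirely, then flag:
    #   - anything not owned by OWNER
    #   - anything group- or world-writable (symlinks are skipped for
    #     this test because their mode bits carry no meaning)
    findings=$(find "$root" -path "$root/$exempt" -prune -o \
        \( ! -user "$owner" -o \
           \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print)

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as `audit_chroot /chroot slave` after installing the static named-xfer and creating the log directory; any path it prints is one the named process, or another local user, could modify outside the secondary-zone directory.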