From: Stacey Roberts <sroberts@dsl.pipex.com>
To: Matthew Seaman
Cc: FreeBSD-Questions <freebsd-questions@freebsd.org>
Subject: Re: [Fwd: RE: Cannot start bind in sandbox?]
Date: 14 Jul 2002 13:16:10 +0100
Message-Id: <1026648971.97896.39.camel@Demon.vickiandstacey.com>
In-Reply-To: <20020714112233.GC25158@happy-idiot-talk.infracaninophi>

Hi,

Not to appear to be targeting you, but can you tell me if the procedure in either of the books (note that FBSD Unleashed does *not* mention moving anything to the sandbox dir) is indeed *supposed* to work?
I am hoping to implement as standardized a set-up as possible - for future replication across other machines, so I really would like to get someone's position on this before proceeding with customised configurations / settings.

Strange this: running bind without (my attempted) sandbox configs works fine; it is when I try to secure bind (again, as per the available docs / books) that errors occur, so this is what I need to get to the bottom of. Failing this, we're looking at keeping DNS services on the Windows boxes - which is the point of looking to a FreeBSD solution.

Thanks again; shame no-one else is responding to this. I would have thought that many others would be interested in the validity of what is written and advertised (in some cases) as required reading.

Regards,

Stacey

On Sun, 2002-07-14 at 12:22, Matthew Seaman wrote:
> On Sun, Jul 14, 2002 at 11:30:42AM +0100, Stacey Roberts wrote:
>
> > (sigh!) There's no mention of moving "the named binary" into the sandbox
> > dir in *any* of the books I've got in front of me.
>
> You don't *have* to do that, although it will do no harm. I tell you
> this from very recent experience, as I saw your post and thought "why
> aren't I running with my named chrooted?" The instructions I gave
> earlier worked for me, with the addendum that you should also do:
>
> mkdir -p /var/named/var/run
>
> and then kill and restart named. That lets you use ndc(8) to control
> named(8), but you have to use the `-c' flag to ndc to tell it where to
> find the command channel:
>
> ndc -c /var/named/var/run/ndc status
>
> To enable the chroot'ed named to log stuff via syslog, you need to
> tell syslogd(8) to listen on an additional logging socket within the
> chrooted filespace:
>
> syslogd -l /var/named/var/run/log
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
>                                                       Savill Way
> Tel: +44 1628 476614                                  Marlow
> Fax: +44 0870 0522645                                 Bucks., SL7 1TH
>                                                       UK

--
Stacey Roberts B.Sc. (HONS) Computer Science
Network Systems Engineer
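A quick layout check for the chroot'ed named setup described in Matthew's reply, as an added example that is not part of the original thread. It assumes the sandbox root is /var/named and that the ndc control channel and the extra syslog socket sit under /var/named/var/run, as in the reply above.

```shell
#!/bin/sh
# Sanity-check a chroot'ed named sandbox (added example, not from the
# thread). Assumption: the chroot root is /var/named and the control and
# log sockets live under $root/var/run, as in Matthew's reply.

# Pass if $1 is a directory.
need_dir() {
    if [ -d "$1" ]; then
        echo "ok   directory $1"
    else
        echo "FAIL missing directory $1  (mkdir -p $1, then restart named)"
        return 1
    fi
}

# Pass only if $1 is a real Unix-domain socket. A stale regular file or a
# dangling path in its place means nothing is actually listening there.
need_sock() {
    if [ -S "$1" ]; then
        echo "ok   socket $1"
    else
        echo "FAIL no socket at $1  ($2)"
        return 1
    fi
}

# Run every check against sandbox root $1 (default /var/named) and return
# the number of failed checks, so it can be used from cron or an rc hook.
check_named_sandbox() {
    root="${1:-/var/named}"
    fails=0
    need_dir  "$root/var/run" || fails=$((fails + 1))
    need_sock "$root/var/run/ndc" \
        "named not running chrooted, or started before the dir existed" \
        || fails=$((fails + 1))
    need_sock "$root/var/run/log" \
        "start syslogd with -l $root/var/run/log" \
        || fails=$((fails + 1))
    # Only ask ndc for status once the control channel is actually there.
    if [ "$fails" -eq 0 ] && command -v ndc >/dev/null 2>&1; then
        ndc -c "$root/var/run/ndc" status
    fi
    return "$fails"
}
```

Source the file and call `check_named_sandbox` (optionally with another sandbox root); a nonzero return is the count of checks that failed.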