Date: Tue, 01 May 2001 23:41:52 -0700 (PDT)
From: mikem <mike_makonnen@yahoo.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: docs/27024: [PATCH] DNS section of handbook doesn't contain section on sandboxing named
Message-ID: <200105020641.f426fqw62981@blackbox.pacbell.net>
>Number: 27024
>Category: docs
>Synopsis: [PATCH] DNS section of handbook doesn't contain section on sandboxing named
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 01 23:50:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: mikem
>Release: FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD blackbox.pacbell.net 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri Apr 27 05:15:23 PDT 2001 root@blackbox.pacbell.net:/usr/obj/src/stable/src/sys/BLACKBOX i386
>Description:
The DNS section of the handbook does not contain an explanation on how to run named in a sandbox. Actually, I don't think it's documented anywhere.
>How-To-Repeat:
Go to http://www.freebsd.org/handbook/dns.html
>Fix:
I wrote down the things that would have helped me as I set up my nameserver in a sandbox and added them to my local copy of the docs. Here are the diffs.

*** chapter.sgml.original Mon Apr 30 20:52:36 2001 --- chapter.sgml Tue May 1 23:27:46 2001 *************** *** 3318,3323 **** --- 3318,3395 ---- </para> </sect2> + <sect2 id="named-sandbox"> + <title>Running named in a Sandbox</title> + + <para>For added security you may want to run &man.named.8; in a sandox. This + will reduce the potential damage should it be compromised. If you + include a sandbox directory in its command line, named will &man.chroo t.8; + into that directory immediately upon finishing processing its + command line. It is also a good idea to have named run as a + non-priveledged user in the sandbox. The default FreeBSD install + contains a user bind with group bind. 
If we wanted the sandbox in + the <filename>/etc/namedb/sanbox</filename> directory the command line + for named would look like this:</para> + <screen> &prompt.root; <userinput>/usr/sbin/named -u bind -g bind -t / etc/namedb/sandbox <path_to_named.conf> </userinput> + </screen> + + <para>The following steps should be taken in order to successfully + run named in a sandbox. Throughout the following discussion we will a ssume + the path to your sandbox is <filename>/etc/namedb/sandox</filename></p ara> + + <itemizedlist> + <listitem> + <para>Create the sandbox directory: <filename>/etc/namedb/sandbox</ filename></para> + </listitem> + <listitem> + <para>Create other necessary directories off of the the sandbox + directory: <filename>etc</filename> and <filename>var/run</filename >Release-Note: >Audit-Trail: >Unformatted: ></para> + </listitem> + <listitem> + <para>copy /etc/localtime to sandbox/etc</para> + </listitem> + <listitem> + <para>make bind:bind the owner of all files and directories in the + sandbox: + <screen>&prompt.root; <userinput>chown -R bind:bind /etc/namedb/san dbox</userinput> </screen> + <screen>&prompt.root; <userinput>chmod -R 750 /etc/namedb/sandbox</ userinput> </screen> + </para> + </listitem> + </itemizedlist> + + <para>There are some issues you need to be aware of when running + named in a sandbox.</para> + + <itemizedlist> + <listitem> + <para>Your &man.named.conf.5; file and all your zone files must be + in the sandbox</para> + </listitem> + <listitem> + <para><filename>sandbox/etc/localtime</filename> is needed in order to have + the correct time for your time zone in log messages</para> + </listitem> + <listitem> + <para> &man.named.8; will write its process id to a file in + <filename>sandbox/var/run</filename></para> + </listitem> + <listitem> + <para>The unix socket used for comunication by the &man.ndc.8; + utility will be created in <filename>sandbox/var/run</filename></par a> + </listitem> + <listitem> + <para>When using the ndc 
utility you need to specify the location of + the unix socket created in the sandbox, by &man.named.8;, by using th e -c switch: + <command>&prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndc</comm and></para> + </listitem> + <listitem> + <para>If you enable logging to file, the log files must be + in the sandbox</para> + </listitem> + </itemizedlist> + + </sect2> + <sect2> <title>Further Reading</title> <para>
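Review bot: the "chown -R bind:bind /etc/namedb/sandbox" step in the setup list gives the sandboxed named write access to its own named.conf and zone files, which works against the goal stated in the first paragraph of limiting the damage a compromised named can do; suggest keeping named.conf and the zone files owned by root with group bind and mode 640 (directories 750), and making only var/run (and any log directory, per the last list item) writable by bind. The same hunk should also say that the named.conf path on the command line is resolved inside the sandbox, since the text states that named chroots as soon as it finishes parsing its command line; as written, a reader will pass the host path. Markup: "<path_to_named.conf>" inside the <userinput> element is unescaped and will be parsed as a tag, so use <replaceable>path_to_named.conf</replaceable>; the ndc example is wrapped in <command>&prompt.root; ...</command> instead of the <screen>&prompt.root; <userinput>...</userinput></screen> form the other examples use. Spelling: "sandox" (twice, once inside a <filename>), "sanbox", "priveledged", "comunication", and "the the sandbox".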