From owner-freebsd-doc Tue May 1 23:50: 9 2001
Delivered-To: freebsd-doc@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 076CE37B423 for ; Tue, 1 May 2001 23:50:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f426o0j84715; Tue, 1 May 2001 23:50:00 -0700 (PDT) (envelope-from gnats)
Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by hub.freebsd.org (Postfix) with ESMTP id 54C5037B422 for ; Tue, 1 May 2001 23:40:35 -0700 (PDT) (envelope-from mike_makonnen@yahoo.com)
Received: from blackbox.pacbell.net ([64.166.85.138]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0GCP006G63V96B@mta5.snfc21.pbi.net> for FreeBSD-gnats-submit@freebsd.org; Tue, 1 May 2001 23:40:21 -0700 (PDT)
Received: (from root@localhost) by blackbox.pacbell.net (8.11.3/8.11.3) id f426fqw62981; Tue, 01 May 2001 23:41:52 -0700 (PDT envelope-from mikem)
Message-Id: <200105020641.f426fqw62981@blackbox.pacbell.net>
Date: Tue, 01 May 2001 23:41:52 -0700 (PDT)
From: mikem
Reply-To: mike_makonnen@yahoo.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: docs/27024: [PATCH] DNS section of handbook doesn't contain section on sandboxing named
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 27024
>Category: docs
>Synopsis: [PATCH] DNS section of handbook doesn't contain section on sandboxing named
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 01 23:50:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: mikem
>Release: FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD blackbox.pacbell.net 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri Apr 27 05:15:23 PDT 2001
root@blackbox.pacbell.net:/usr/obj/src/stable/src/sys/BLACKBOX i386 >Description: The DNS section of the handbook does not contain an explanation on how to run named in a sandbox. Actually, I don't think it's documented anywhere. >How-To-Repeat: goto http://www.freebsd.org/handbook/dns.html >Fix: I wrote down the things that would have helped me as I setup my nameserver in a sandbox and added them to my local copy of the docs. Here's the diffs. *** chapter.sgml.original Mon Apr 30 20:52:36 2001 --- chapter.sgml Tue May 1 23:27:46 2001 *************** *** 3318,3323 **** --- 3318,3395 ---- + + Running named in a Sandbox + + For added security you may want to run &man.named.8; in a sandox. This + will reduce the potential damage should it be compromised. If you + include a sandbox directory in its command line, named will &man.chroo t.8; + into that directory immediately upon finishing processing its + command line. It is also a good idea to have named run as a + non-priveledged user in the sandbox. The default FreeBSD install + contains a user bind with group bind. If we wanted the sandbox in + the /etc/namedb/sanbox directory the command line + for named would look like this: + &prompt.root; /usr/sbin/named -u bind -g bind -t / etc/namedb/sandbox <path_to_named.conf> + + + The following steps should be taken in order to successfully + run named in a sandbox. Throughout the following discussion we will a ssume + the path to your sandbox is /etc/namedb/sandox

+ + + + Create the sandbox directory: /etc/namedb/sandbox + + + Create other necessary directories off of the the sandbox + directory: etc and var/runRelease-Note: >Audit-Trail: >Unformatted: > + + + copy /etc/localtime to sandbox/etc + + + make bind:bind the owner of all files and directories in the + sandbox: + &prompt.root; chown -R bind:bind /etc/namedb/san dbox + &prompt.root; chmod -R 750 /etc/namedb/sandbox + + + + + There are some issues you need to be aware of when running + named in a sandbox. + + + + Your &man.named.conf.5; file and all your zone files must be + in the sandbox + + + sandbox/etc/localtime is needed in order to have + the correct time for your time zone in log messages + + + &man.named.8; will write its process id to a file in + sandbox/var/run + + + The unix socket used for comunication by the &man.ndc.8; + utility will be created in sandbox/var/run + + + When using the ndc utility you need to specify the location of + the unix socket created in the sandbox, by &man.named.8;, by using th e -c switch: + &prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndc + + + If you enable logging to file, the log files must be + in the sandbox + + + +
+ Further Reading To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
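Review bot: the step "make bind:bind the owner of all files and directories in the sandbox" (`chown -R bind:bind /etc/namedb/sandbox` followed by `chmod -R 750 /etc/namedb/sandbox`) gives the bind user write access to named.conf and to every master zone file, so a compromised named could rewrite its own configuration and zone data even though it is chrooted; named only needs to write under sandbox/var/run (plus any slave-zone or log directory the configuration points at), so suggest leaving named.conf and the master zone files root-owned and read-only for the bind group, and applying the bind-owned, writable permissions only to the directories named actually writes to. The same hunk also spells the sandbox path three ways ("sandox", "sanbox", "sandbox"), including in the command-line example and in the path the later steps say they assume; "non-priveledged" should read "non-privileged", "comunication" should read "communication", and "off of the the sandbox" has a doubled "the".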