Delivered-To: freebsd-doc@freebsd.org
Message-Id: <200105020641.f426fqw62981@blackbox.pacbell.net>
Date: Tue, 01 May 2001 23:41:52 -0700 (PDT)
From: mikem
Reply-To: mike_makonnen@yahoo.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: docs/27024: [PATCH] DNS section of handbook doesn't contain section on sandboxing named
>Number: 27024
>Category: docs
>Synopsis: [PATCH] DNS section of handbook doesn't contain section on sandboxing named
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 01 23:50:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: mikem
>Release: FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD blackbox.pacbell.net 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri Apr 27 05:15:23 PDT 2001 root@blackbox.pacbell.net:/usr/obj/src/stable/src/sys/BLACKBOX i386
>Description:
The DNS section of the handbook does not contain an explanation of
how to run named in a sandbox. Actually, I don't think it's documented anywhere.
>How-To-Repeat:
Go to http://www.freebsd.org/handbook/dns.html
>Fix:
I wrote down the things that would have helped me as I set up my nameserver
in a sandbox and added them to my local copy of the docs. Here are the diffs.
*** chapter.sgml.original Mon Apr 30 20:52:36 2001
--- chapter.sgml Tue May 1 23:27:46 2001
***************
*** 3318,3323 ****
--- 3318,3395 ----
+
+ Running named in a Sandbox
+
+ For added security you may want to run &man.named.8; in a sandox.
This
+ will reduce the potential damage should it be compromised. If you
+ include a sandbox directory in its command line, named will &man.chroo
t.8;
+ into that directory immediately upon finishing processing its
+ command line. It is also a good idea to have named run as a
+ non-priveledged user in the sandbox. The default FreeBSD install
+ contains a user bind with group bind. If we wanted the sandbox in
+ the /etc/namedb/sanbox directory the command line
+ for named would look like this:
+ &prompt.root; /usr/sbin/named -u bind -g bind -t /
etc/namedb/sandbox <path_to_named.conf>
+
+
+ The following steps should be taken in order to successfully
+ run named in a sandbox. Throughout the following discussion we will a
ssume
+ the path to your sandbox is /etc/namedb/sandox
+
+
+
+ Create the sandbox directory: /etc/namedb/sandbox
filename>
+
+
+ Create other necessary directories off of the the sandbox
+ directory: etc and var/runRelease-Note:
>Audit-Trail:
>Unformatted:
>
+
+
+ copy /etc/localtime to sandbox/etc
+
+
+ make bind:bind the owner of all files and directories in the
+ sandbox:
+ &prompt.root; chown -R bind:bind /etc/namedb/san
dbox
+ &prompt.root; chmod -R 750 /etc/namedb/sandbox
userinput>
+
+
+
+
+ There are some issues you need to be aware of when running
+ named in a sandbox.
+
+
+
+ Your &man.named.conf.5; file and all your zone files must be
+ in the sandbox
+
+
+ sandbox/etc/localtime is needed in order to
have
+ the correct time for your time zone in log messages
+
+
+ &man.named.8; will write its process id to a file in
+ sandbox/var/run
+
+
+ The unix socket used for comunication by the &man.ndc.8;
+ utility will be created in sandbox/var/run
+
+
+ When using the ndc utility you need to specify the location of
+ the unix socket created in the sandbox, by &man.named.8;, by using th
e -c switch:
+ &prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndc
+
+
+ If you enable logging to file, the log files must be
+ in the sandbox
+
+
+
+
+
Further Reading
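Review bot: The ownership step ("chown -R bind:bind /etc/namedb/sandbox" followed by "chmod -R 750") gives the bind user write access to named.conf and every zone file in the sandbox, which works against the section's own stated goal of reducing the damage should named be compromised; suggest recommending that named.conf and the master zone files stay owned by root with group bind and mode 640, and that bind:bind ownership be limited to the directories named actually has to write, i.e. var/run (for the pid file and the ndc socket the later list mentions) plus any directory used for log files. The example command line should also state what <path_to_named.conf> is relative to: since the text says named chroots "immediately upon finishing processing its command line", the path is resolved inside the sandbox, so for a file at /etc/namedb/sandbox/etc/named.conf the argument would be /etc/named.conf, and passing the full host path would fail. Finally, spelling and consistency: "sandox" (twice), "sanbox", "priveledged", "comunication", "off of the the sandbox directory", and the sandbox path alternates between /etc/namedb/sandbox and /etc/namedb/sandox, so the prose and the command lines should agree on one spelling.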