Date: 07 Jan 2003 07:13:03 +0000
From: Stacey Roberts <stacey@vickiandstacey.com>
To: "Jon W. Backstrom" <jbackst@iowa.net>
Cc: questions@freebsd.org
Subject: Re: Running named in a sandbox...problems with /var/run/named.pid
Message-ID: <1041923582.51041.177.camel@localhost>
In-Reply-To: <200301070706.h0776jR13573@silicon.prairie.net>
References: <200301070706.h0776jR13573@silicon.prairie.net>
Hi,

On Tue, 2003-01-07 at 07:06, Jon W. Backstrom wrote:
> Dear FreeBSD Community,
>
> I am trying to run named (bind) in a sandbox using the default flags
> found in the config files. I've got this in my /etc/rc.conf file:
>
> named_enable="YES"              # Run named, the DNS server (or NO).
> named_flags="-u bind -g bind"   # Flags for named
>
> I also did a "chown -R bind:bind" to my secondary DNS directory, so
> all updates work with the new "bind" userID and group (53).
>
> [/etc/group]
> bind:*:53:
>

You might want to check against the procedures laid out in the Handbook
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/dns.html#NAMED-SANDBOX)
so as to ensure that you have indeed performed all of the required steps.

In particular:

 - Make a dev/null that named can see and write to
 - Symlink /var/run/ndc to /etc/namedb/var/run/ndc
 - Configure syslogd(8) to create an extra log socket that named can write to
 - Arrange to have named start and chroot itself to the sandbox by adding
   corresponding lines to /etc/rc.conf

Hope this helps.

Regards,
Stacey

> The problem comes when I use "/usr/sbin/named.reload" ... I get an
> error message that named can't write the /var/run/named.pid file.
>
> It seems unable to delete and rewrite "named.pid". I've tried
> various group permissions for /var/run to allow the "bind" user
> to create this file, but I can't seem to make this error go away.
>
> Is there an obvious trick to running named in a sandbox under the
> FreeBSD 4.7 standard distro?
>
> Thank you!
>
> Jon Backstrom
> jbackst@iowa.net
>
>
> P.S. - In the /etc/defaults/rc.conf file, there is a comment that
> it *may* be possible to run named in a sandbox...but the
> docs in "man security" don't mention anything about the
> problems with /var/run/named.pid.
>
> # named. It may be possible to run named in a sandbox, man security for
> # details.
> #
> named_enable="NO"               # Run named, the DNS server (or NO).
> named_program="/usr/sbin/named" # path to named, if you want a different one.
> #named_flags="-u bind -g bind"  # Flags for named
>

-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1041923582.51041.177.camel>
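The four sandbox steps Stacey lists above, carried out as a script. This is an added example, not code from the thread or from the FreeBSD Handbook. It assumes the FreeBSD 4.x layout the thread is about: the sandbox is /etc/namedb, the bind user and group exist (uid/gid 53 as in Jon's /etc/group), named.conf has been moved to etc/ inside the sandbox so that the path given after -t is relative to the chroot, and /dev/null is character device 2,2 as on FreeBSD 4.x. The part relevant to the named.pid error is the var/run directory: once named has chrooted, its pid file and ndc socket land in /etc/namedb/var/run on the host, not in /var/run, so that is the directory the bind user needs to own.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD Handbook): lays out the
# pieces of a chrooted named(8) sandbox on FreeBSD 4.x. Directory creation is
# unprivileged; the steps that need root (chown, mknod) are emitted as
# commands so they can be reviewed before being piped into sh.
# Assumptions: sandbox root is /etc/namedb, user/group "bind" exist,
# named.conf lives at ROOT/etc/named.conf, /dev/null is char 2,2.

SANDBOX_USER="bind"
SANDBOX_GROUP="bind"

# build_sandbox_tree ROOT
# Creates the chroot skeleton. var/run is where named writes named.pid and
# the ndc control socket *after* chrooting, so on the host that directory is
# ROOT/var/run, not /var/run. slave/ holds secondary zone transfers.
build_sandbox_tree() {
    root="$1"
    for d in etc dev var/run master slave; do
        mkdir -p "$root/$d" || return 1
    done
}

# privileged_steps ROOT
# Prints the root-only commands: hand bind the directories it must write
# to, and make a /dev/null that the chrooted daemon can open.
privileged_steps() {
    root="$1"
    cat <<EOF
chown -R $SANDBOX_USER:$SANDBOX_GROUP $root/var/run $root/slave
test -c $root/dev/null || mknod $root/dev/null c 2 2
chmod 666 $root/dev/null
EOF
}

# link_ndc ROOT HOST_RUN_DIR
# ndc(8), and therefore named.reload, look for the control socket under the
# host's /var/run; point that at the socket inside the sandbox.
link_ndc() {
    root="$1"
    hostrun="${2:-/var/run}"
    mkdir -p "$hostrun" || return 1
    ln -sf "$root/var/run/ndc" "$hostrun/ndc"
}

# rc_conf_fragment ROOT
# rc.conf lines: drop privileges to bind, chroot to ROOT (config path is
# relative to the chroot), and have syslogd open an extra log socket inside
# the sandbox so named can still log after chrooting.
rc_conf_fragment() {
    root="$1"
    cat <<EOF
named_enable="YES"
named_flags="-u $SANDBOX_USER -g $SANDBOX_GROUP -t $root /etc/named.conf"
syslogd_flags="-s -l $root/dev/log"
EOF
}

# Stand-alone use (as root): sh sandbox.sh --apply
if [ "${1:-}" = "--apply" ]; then
    build_sandbox_tree /etc/namedb
    privileged_steps /etc/namedb | sh
    link_ndc /etc/namedb /var/run
    echo "# add to /etc/rc.conf:"
    rc_conf_fragment /etc/namedb
fi
```

Run without --apply the script only defines the functions, so each step can be invoked against a scratch directory first and the emitted chown/mknod commands read before anything is done to the real /etc/namedb. Because the chroot changes where relative paths resolve, any pid-file or directory option in named.conf must also be written as seen from inside the sandbox.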