From: Stacey Roberts <stacey@vickiandstacey.com>
To: "Jon W. Backstrom"
Cc: questions@freebsd.org
Subject: Re: Running named in a sandbox...problems with /var/run/named.pid
Date: 07 Jan 2003 07:13:03 +0000
In-Reply-To: <200301070706.h0776jR13573@silicon.prairie.net>
Message-Id: <1041923582.51041.177.camel@localhost>
List: freebsd-questions@freebsd.org

Hi,

On Tue, 2003-01-07 at 07:06, Jon W. Backstrom wrote:
> Dear FreeBSD Community,
>
> I am trying to run named (bind) in a sandbox using the default flags
> found in the config files. I've got this in my /etc/rc.conf file:
>
> named_enable="YES"              # Run named, the DNS server (or NO).
> named_flags="-u bind -g bind"   # Flags for named
>
> I also did a "chown -R bind:bind" to my secondary DNS directory, so
> all updates work with the new "bind" userID and group (53).
>
> [/etc/group]
> bind:*:53:
>

You might want to check against the procedures laid out in the Handbook
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/dns.html#NAMED-SANDBOX)
so as to ensure that you have indeed performed all of the required steps.
In particular:

 - Make a dev/null that named can see and write to
 - Symlink /var/run/ndc to /etc/namedb/var/run/ndc
 - Configure syslogd(8) to create an extra log socket that named can write to
 - Arrange to have named start and chroot itself to the sandbox by adding
   corresponding lines to /etc/rc.conf

Hope this helps.

Regards,

Stacey

> The problem comes when I use "/usr/sbin/named.reload" ... I get an
> error message that named can't write the /var/run/named.pid file.
>
> It seems unable to delete and rewrite "named.pid". I've tried
> various group permissions for /var/run to allow the "bind" user
> to create this file, but I can't seem to make this error go away.
>
> Is there an obvious trick to running named in a sandbox under the
> FreeBSD 4.7 standard distro?
>
> Thank you!
>
> Jon Backstrom
> jbackst@iowa.net
>
>
> P.S. - In the /etc/defaults/rc.conf file, there is a comment that
>        it *may* be possible to run named in a sandbox...but the
>        docs in "man security" don't mention anything about the
>        problems with /var/run/named.pid.
>
> # named. It may be possible to run named in a sandbox, man security for
> # details.
> #
> named_enable="NO"                # Run named, the DNS server (or NO).
> named_program="/usr/sbin/named"  # path to named, if you want a different one.
> #named_flags="-u bind -g bind"   # Flags for named
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com