Date: Sun, 14 Jul 2002 21:19:41 +0200
From: "Patrick O'Reilly" <bsd@perimeter.co.za>
To: Steve Wingate <steve@velosystems.net>, sroberts@dsl.pipex.com
Cc: Ruben de Groot <fbsd-q@bzerk.org>, FreeBSD-Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: [Fwd: RE: Cannot start bind in sandbox?]
Message-ID: <200207142119.41417.bsd@perimeter.co.za>
In-Reply-To: <1026666796.77988.11.camel@daemon.velosystems.net>
References: <1026642642.97896.16.camel@Demon.vickiandstacey.com> <1026654446.97896.72.camel@Demon.vickiandstacey.com> <1026666796.77988.11.camel@daemon.velosystems.net>
On Sunday 14 July 2002 19:13, Steve Wingate wrote:
> If you're reading this link for sandboxing BIND this is as standard
> as it gets.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/dns.html
>
> From what I've read from you it appears you haven't done everything
> these steps tell you to do.

I must concur with Steve. Just yesterday I set up bind in its own little
sandbox. I did it by following the instructions in the link Steve quoted
above. It works just fine!

OK - I stumbled over one tiny problem. When building the statically
linked 'named-xfer', the Handbook concludes with:
============
# cp named-xfer /etc/namedb/bin && chmod 555 /etc/namedb/bin/named-xfer
============
But the newly built 'named-xfer' is not in the current directory. A tiny
bit of lateral thinking prompted me to look in /usr/obj`pwd` - and there
it was - nice and fresh!

I actually built myself a script as I went along, because I intend doing
this again in future without always reading the manual. It's brand new,
so please forgive the rough edges. And I have changed a couple of things
to suit my personal taste and setup.

Here's my script: (Beware line wrap in the mailer)
==============================
#!/usr/local/bin/bash
# Stop at the first failing command instead of carrying on with a half-built sandbox
set -e
cd /etc/namedb
# Skeleton of the chroot: the sandboxed named will see /etc/namedb as its /
mkdir -p usr/libexec dev etc var/tmp var/run master slave
# Only the directories named writes to belong to the bind user
chown bind:bind slave var/*
cp /etc/localtime etc
# named.conf moves inside the sandbox; the symlink keeps the old path working
[ -L named.conf ] || mv named.conf etc && ln -sf etc/named.conf
[ -f named.root ] && mv named.root master/FWD_root
# I'm not interested in ipv6, so I dump it
sh make-localhost && mv localhost.rev master/REV_localhost && rm localhost-v6.rev
# Quoted heredoc so $ORIGIN and $TTL reach the zone file literally instead of
# being expanded (to nothing) by the shell
cat > master/FWD_localhost <<'EOF'
$ORIGIN localhost.
$TTL 6h
@       IN      SOA     localhost. postmaster.localhost. (
                        1       ; serial
                        3600    ; refresh
                        1800    ; retry
                        604800  ; expiration
                        3600 )  ; minimum
        IN      NS      localhost.
        IN      A       127.0.0.1
EOF
# Static named-xfer: there are no shared libraries inside the chroot
cd /usr/src/lib/libisc && make clean all
cd /usr/src/lib/libbind && make clean all
cd /usr/src/libexec/named-xfer && make NOSHARED=yes clean all
# The binary ends up under /usr/obj, not in the source directory
cp /usr/obj/usr/src/libexec/named-xfer/named-xfer /etc/namedb/usr/libexec && chmod 555 /etc/namedb/usr/libexec/named-xfer
cd /etc/namedb
# named needs a /dev/null it can reach from inside the sandbox
if [ ! -c dev/null ]
then
    cd /etc/namedb/dev
    mknod null c 2 2
    chmod 666 null
    cd /etc/namedb
fi
# ndc's control socket is created inside the sandbox; link it where ndc looks
[ -L /var/run/ndc ] || ln -sf /etc/namedb/var/run/ndc /var/run/ndc
echo "
# These three lines added by ${0}
# named_enable=\"YES\"
# named_flags=\"-u bind -g bind -t /etc/namedb /etc/named.conf\"
# syslogd_flags=\"-ss -l /etc/namedb/dev/log\"
" >> /etc/rc.conf
echo "
*** Remember to edit /etc/rc.conf and sort out the three lines I've added! ***
"
==============================

HTH :)

--
Regards,
Patrick O'Reilly.
Perimeter Networks CC.
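As an added check, not part of Patrick's script or the Handbook, here is a small audit that walks a sandbox laid out as above and reports anything that would break the chroot or undo its point (a missing dev/null, a named.conf that is not inside the sandbox, config files the daemon user could rewrite). The root path /etc/namedb and the bind user are taken from the script; the function and message names are assumptions of this example.

```shell
#!/bin/sh
# Added audit for the BIND sandbox laid out by the script above (not part of
# the original post). Assumed: root defaults to /etc/namedb, daemon user to
# bind. Prints one line per problem found and returns non-zero if any.

report() { echo "problem: $1"; n=$((n + 1)); }

sandbox_problems() {
    root=${1:-/etc/namedb}
    user=${2:-bind}
    n=0
    # Directory skeleton the chrooted named expects under its new /
    for d in etc dev var/run var/tmp master slave usr/libexec; do
        [ -d "$root/$d" ] || report "missing directory $d"
    done
    # named.conf is a symlink to the copy inside the sandbox, which is
    # what "-t /etc/namedb /etc/named.conf" makes named read
    if [ -L "$root/named.conf" ]; then
        [ -f "$root/etc/named.conf" ] || report "symlink target etc/named.conf is missing"
    else
        report "named.conf is not a symlink into etc/"
    fi
    # A chrooted process cannot reach the real /dev/null; it needs its own
    [ -c "$root/dev/null" ] || report "dev/null is not a character device"
    # The statically linked named-xfer has to live inside the sandbox
    [ -x "$root/usr/libexec/named-xfer" ] || report "usr/libexec/named-xfer missing or not executable"
    # Only what named writes to should belong to the daemon user
    # (ls -ld because stat(1) formats differ between BSD and GNU)
    for d in slave var/run var/tmp; do
        [ -d "$root/$d" ] || continue
        owner=$(ls -ld "$root/$d" | awk '{print $3}')
        [ "$owner" = "$user" ] || report "$d is owned by $owner, expected $user"
    done
    # Config, master zones and the binary must not be owned by the daemon
    # user, or a compromised named could rewrite its own configuration
    for f in etc/named.conf master usr/libexec/named-xfer; do
        [ -e "$root/$f" ] || continue
        owner=$(ls -ld "$root/$f" | awk '{print $3}')
        [ "$owner" != "$user" ] || report "$f is owned by the daemon user $user"
    done
    [ "$n" -eq 0 ]
}

# Run as: sh sandbox-audit.sh --audit [root] [user]
if [ "${1:-}" = "--audit" ]; then
    sandbox_problems "$2" "$3"
fi
```

Run it as root against the real sandbox; on an unprivileged scratch tree it will at least report the missing dev/null device and whatever the ownership rules turn up.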
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200207142119.41417.bsd>