Date:      14 Jul 2002 13:16:10 +0100
From:      Stacey Roberts <sroberts@dsl.pipex.com>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        FreeBSD-Questions <freebsd-questions@freebsd.org>
Subject:   Re: [Fwd: RE: Cannot start bind in sandbox?]
Message-ID:  <1026648971.97896.39.camel@Demon.vickiandstacey.com>
In-Reply-To: <20020714112233.GC25158@happy-idiot-talk.infracaninophi>
References:  <1026642642.97896.16.camel@Demon.vickiandstacey.com>  <20020714112233.GC25158@happy-idiot-talk.infracaninophi>


Hi,
  Not to appear to be targeting you, but can you tell me if the
procedure in either of the books (note that FBSD Unleashed does *not*
mention moving anything to the sandbox dir) is indeed *supposed* to
work?

I am hoping to implement as standardized a set-up as possible - for
future replication across other machines, so I really would like to get
someone's position on this before proceeding with customised
configurations / settings.

Strange this, running bind without (my attempted) sandbox configs works
fine; it is when I try to secure bind (again, as per the available docs
/ books) that errors occur, so this is what I need to get to the bottom
of. Failing this, we're looking at keeping DNS services on the Windows
boxes - which is the point of looking to a FreeBSD solution.

Thanks again; shame no-one else is responding to this. I would have
thought that many others would be interested in the validity of what is
written and advertised (in some cases) as required reading.

Regards,
Stacey


On Sun, 2002-07-14 at 12:22, Matthew Seaman wrote:
> On Sun, Jul 14, 2002 at 11:30:42AM +0100, Stacey Roberts wrote:
> 
> > (sigh!) There's no mention of moving "the named binary" into the sandbox
> > dir in *any* of the books I've got in front of me.
> 
> You don't *have* to do that, although it will do no harm.  I tell you
> this from very recent experience, as I saw your post and thought "why
> aren't I running with my named chrooted?"  The instructions I gave
> earlier worked for me, with the addendum that you should also do:
> 
>     mkdir -p /var/named/var/run
> 
> and then kill and restart named.  That lets you use ndc(8) to control
> named(8), but you have to use the `-c' flag to ndc to tell it where to
> find the command channel:
> 
>     ndc -c /var/named/var/run/ndc status
> 
> To enable the chroot'ed named to log stuff via syslog, you need to
> tell syslogd(8) to listen on an additional logging socket within the
> chrooted filespace:
> 
>     syslogd -l /var/named/var/run/log
> 
> 	Cheers,
> 
> 	Matthew
> 
> -- 
> Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
>                                                       Savill Way
> Tel: +44 1628 476614                                  Marlow
> Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
-- 
Stacey Roberts B.Sc. (HONS) Computer Science
Network Systems Engineer
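The sandbox layout the quoted reply describes, written out as a script so it can be checked before named is started: this is an added example, not code from this thread or from FreeBSD's own rc scripts. It takes the sandbox root as an argument (the thread uses /var/named) so the functions can be tried in a scratch directory first. The "bind" user and group that named drops to with -u/-g, named.conf living in etc/namedb inside the sandbox, the rc.conf variable names and the FreeBSD 4.x device numbers for /dev/null are assumptions of mine, not facts stated on the page.

```shell
#!/bin/sh
# Added example: not code from the thread above nor from FreeBSD itself.
# Lays out and checks a chroot sandbox for BIND 8's named(8) as the
# quoted reply describes. The sandbox root is passed in ($1; the thread
# uses /var/named) so the functions can be tried in a scratch directory.
# Assumptions not stated on the page: a "bind" user and group for named
# to drop to, named.conf in etc/namedb inside the sandbox, the rc.conf
# variable names, and FreeBSD 4.x's /dev/null device numbers (c 2 2).

set -eu

# Directories named(8) looks for relative to its new root. var/run is the
# one the reply adds: named writes its pid file and the ndc(8) command
# channel there and fails at startup inside the sandbox when it is missing.
SANDBOX_DIRS="etc/namedb var/run dev"

make_named_sandbox() {
    root="$1"
    for d in $SANDBOX_DIRS; do
        mkdir -p "$root/$d"
    done
    # named needs a /dev/null inside the chroot. mknod requires root, so
    # report rather than abort when this is run unprivileged.
    [ -e "$root/dev/null" ] || mknod "$root/dev/null" c 2 2 2>/dev/null \
        || echo "note: as root run: mknod $root/dev/null c 2 2" >&2
    # var/run must be writable by the uid named drops to (-u bind).
    if id bind >/dev/null 2>&1; then
        chown bind:bind "$root/var/run" 2>/dev/null \
            || echo "note: as root run: chown bind:bind $root/var/run" >&2
    fi
    chmod 0755 "$root/var/run"
}

# Check that the sandbox has everything named needs before starting it.
# Prints each problem found; returns 1 if there were any, 0 otherwise.
check_named_sandbox() {
    root="$1"
    rc=0
    for d in $SANDBOX_DIRS; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; rc=1; }
    done
    [ -f "$root/etc/namedb/named.conf" ] \
        || { echo "missing config: $root/etc/namedb/named.conf"; rc=1; }
    # Inside the chroot an absolute symlink target is resolved under the
    # new root, so a link out to the real filesystem silently dangles.
    for l in $(find "$root" -type l 2>/dev/null); do
        t=$(readlink "$l")
        case "$t" in
            /*) [ -e "$root$t" ] \
                || { echo "symlink dangles inside chroot: $l -> $t"; rc=1; } ;;
        esac
    done
    return $rc
}

# The commands from the reply, plus the rc.conf lines to start named
# chrooted, printed for review rather than executed.
named_sandbox_commands() {
    root="$1"
    cat <<EOF
# /etc/rc.conf (assumed variable names):
named_enable="YES"
named_flags="-u bind -g bind -t $root"
# control channel and syslog socket inside the sandbox:
ndc -c $root/var/run/ndc status
syslogd -l $root/var/run/log
EOF
}

# Usage: sh named-sandbox.sh /var/named   (as root on the target host)
if [ $# -eq 1 ]; then
    make_named_sandbox "$1"
    check_named_sandbox "$1" || echo "fix the above before starting named" >&2
    named_sandbox_commands "$1"
fi
```

The check function is the part worth running before every restart: a path that exists on the host but not relative to the new root is exactly the kind of breakage the reply's `mkdir -p` addendum fixes, and the symlink test catches the other common form of the same mistake, a link from inside the sandbox to a file that only exists outside it. Note that `-t` makes named chroot itself after reading its flags but before reading named.conf, so the config path and everything it names must be sandbox-relative.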



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1026648971.97896.39.camel>