Date: Thu, 1 Feb 2001 11:05:56 -0500 (EST)
From: Rob Simmons <rsimmons@wlcg.com>
To: Rossen Raykov <rraykov@sageian.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Running named in chroot env
Message-ID: <Pine.BSF.4.21.0102011102141.75029-100000@mail.wlcg.com>
In-Reply-To: <03aa01c08c67$7f7c3320$4c00000a@sage>
You can keep the number of libs that you need to put in the chroot down by
compiling bind statically. There is a website about this here:
http://www.psionic.com/papers/dns/dns-openbsd/

If you are using the ports collection to build bind, just add the following
line to the Makefile:

CFLAGS= -static

The site is primarily about OpenBSD, but things work (almost) the same in
FreeBSD :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 1 Feb 2001, Rossen Raykov wrote:

> Hi,
>
> In case someone is interested in running named in a chrooted environment on
> FreeBSD, below is my experience of how this can be done.
> There are example settings for /etc/rc.conf also.
>
> I provide this information with no warranty of any kind.
> Use it at your own risk!
>
> First create the chroot directory where you will put named in.
> In the example settings I'll use /var/chroot/named
>
> Create the following directories in it:
> bin
> dev
> etc
> etc/namedb
> etc/namedb/* (depends on your named config)
> lib
> var
> var/run
> usr
> usr/sbin
> usr/libexec
> usr/lib
> tmp
>
> Copy the following files in it:
>
> bin/ldconfig (optional)
> etc/passwd
> etc/localtime
> etc/group
> etc/namedb/named.conf
> etc/namedb/cache
> etc/namedb/named.root
> etc/namedb/* (depends on your zones)
> var/run/named.pid (generated by named on startup so you do not need to copy
> it)
> usr/sbin/named
> usr/libexec/ld-elf.so.1
> usr/libexec/named-xfer
> usr/lib/libc.so.4
> usr/lib/libutil.so.3
>
> links (depend on whether you are using the bind from the FreeBSD distribution
> or one from ports):
> etc/named.conf -> namedb/named.conf
>
> Create special file (mknod null c 2 2 root:wheel):
> dev/null
>
> Sockets (those will be created during runtime):
> dev/log
> var/run/ndc
>
> Settings in /etc/rc.conf
> # Start named in chroot environment
> named_enable="YES"
> named_program="chroot"
> named_flags="/var/chroot/named /usr/sbin/named -u bind -g bind"
> # Create logging socket for named in the sandbox
> syslogd_flags="-s -l /var/chroot/named/dev/log"
>
> Notes about etc/passwd in the chrooted environment:
> There is no good reason for this to be your real passwd file.
> Create something like:
>
> root:*:0:0:Charlie &:/root:/bin/csh
> bind:*:53:53:Bind Sandbox:/:/sbin/nologin
>
> Keep the same UID for bind as in the original passwd file.
> Use pwd_mkdb to create the shadow password file.
> Do not simply copy the original one!
>
> The group file can be something like:
>
> wheel:*:0:root
> bind:*:53:
>
> Finally be careful with the rights in the newly created directory structure.
> For this one can look at the rights and the ownership of the original ones.
>
> To start named in the new environment - restart the box ;)
> or stop syslogd and start it with the options specified above.
>
> syslogd -s -l /var/chroot/named/dev/log
>
> Verify that syslog is working correctly (I have to restart it 2 times?!).
>
> Start named:
> chroot /var/chroot/named /usr/sbin/named -u bind -g bind
>
> That's all!
>
> Rossen
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
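As an added example that is not part of either mail (neither Rossen's procedure nor Rob's suggestion ships as a script), the POSIX sh below turns the two posts into something checkable: it creates the directory skeleton from the post under a given root, writes the two-line sandbox passwd and group files from the post, lists which of the post's binaries and device nodes still have to be copied or created by root, filters ldd output down to the library paths that a dynamically linked named needs (empty for the statically linked build Rob recommends), and audits the tree for leaked password hashes and world-writable entries before named is started in it. The function names and the audit rules are my assumptions; the paths and the bind UID/GID 53 come from the post.

```shell
#!/bin/sh
# Added example: helpers for building and checking the named chroot described
# in the post. Not part of the original mail; function names and the audit
# rules are assumptions. Paths and the bind UID/GID 53 are taken from the post.

# Create the directory skeleton from the post under $1 and write the
# two-line passwd and group files. An explicit umask keeps anything we
# create from being group- or world-writable.
make_named_chroot() {
    root=$1
    umask 022
    for d in bin dev etc etc/namedb lib var var/run usr usr/sbin \
             usr/libexec usr/lib tmp; do
        mkdir -p "$root/$d" || return 1
    done
    # tmp is the only world-writable place, and only with the sticky bit
    chmod 1777 "$root/tmp" || return 1
    # Sandbox passwd/group exactly as in the post (same UID/GID as the
    # system bind user); the real files are never copied in here
    cat > "$root/etc/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
EOF
    cat > "$root/etc/group" <<'EOF'
wheel:*:0:root
bind:*:53:
EOF
    chmod 644 "$root/etc/passwd" "$root/etc/group"
}

# Print the files and device nodes from the post's list that are still
# absent under $1. Copying the binaries and running mknod need root and
# the real system, so this is a to-do list rather than an automatic copy.
# Returns 1 if anything is missing.
missing_in_chroot() {
    root=$1
    rc=0
    for f in dev/null etc/localtime etc/namedb/named.conf usr/sbin/named \
             usr/libexec/ld-elf.so.1 usr/libexec/named-xfer; do
        if [ ! -e "$root/$f" ]; then
            echo "missing: $f"
            rc=1
        fi
    done
    return $rc
}

# Filter ldd output ("libc.so.4 => /usr/lib/libc.so.4 (0x...)") on stdin
# down to the library paths, ready to be copied into $root/usr/lib.
# Lines without "=>" (the loader itself, or "not a dynamic executable"
# for a statically linked named) produce nothing.
libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# The sandbox passwd must carry no hashes: field 2 is "*" for every account.
# Returns 1 if a real (hashed) entry was copied in.
passwd_has_no_hashes() {
    awk -F: 'NF >= 2 && $2 != "*" { bad = 1 } END { exit bad + 0 }' "$1"
}

# Permission audit: anything world-writable that is not a sticky directory
# is reported and makes the function return 1. Ownership is deliberately
# not checked so the audit can also be run as an unprivileged user.
audit_chroot() {
    root=$1
    bad=$(find "$root" -perm -002 ! \( -type d -perm -1000 \) -print)
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/world-writable: /'
        return 1
    fi
    return 0
}

# Usage as a script: sh build-named-chroot.sh build [/var/chroot/named]
if [ "${1:-}" = "build" ]; then
    root=${2:-/var/chroot/named}
    make_named_chroot "$root" && passwd_has_no_hashes "$root/etc/passwd" \
        && audit_chroot "$root" && missing_in_chroot "$root"
fi
```

Run it as `sh build-named-chroot.sh build` on the FreeBSD box; the remaining to-do list it prints (dev/null via mknod, the named binary, ld-elf.so.1, named-xfer) is exactly the root-only part of the post. For a dynamically linked named, `ldd /usr/sbin/named | libs_from_ldd` gives the list to copy into usr/lib; with Rob's `CFLAGS= -static` build that list is empty.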