Date: Sun, 3 Nov 2002 22:43:05 -0800 (PST)
From: Doug Barton <DougB@FreeBSD.org>
To: Joy Gila
Cc: sthaug@nethelp.no,
Subject: Re: bind 8.3.3/ FreeBSD 4.6
Message-ID: <20021103215600.G644-100000@master.gorean.org>
List: freebsd-stable@freebsd.org

On Sun, 3 Nov 2002, Joy Gila wrote:

> Doug Barton & Steinar Haug ---> Thanks for your
> quick responses :o)

Happy to help.

> I am running bind in a chroot environment
> and needed to set a few compile time flags
> which is why I used this methodology. I set
> LDFLAGS=-static DESTEXEC=mychroot DESTRUN=mychroot
> in the src/port/freebsd/Makefile.set
> are these variables I could have set from
> within the BIND port?

You could, but you don't have to. What I do for bind installs in a chroot is to use the port, and add:

PORT_REPLACES_BASE_BIND8= yes

in my /etc/make.conf. (You could also specify it on the command line.)
The only thing I do differently is to add:

CFLAGS+= -static

to line 28 of the Makefile (right above the ".else" line in the PORT_REPLACES_BASE_BIND8 .ifdef). It's not totally necessary to compile everything static; the only thing that you need (or should have) in the chroot directory is the named-xfer binary. However, having everything compiled statically makes it easier to install the same package onto different systems.

Now, the secret to making the chroot stuff work the same way as the non-chroot is to create just enough of the system in the chroot tree to duplicate what named needs when running chroot'ed. This tree should look exactly like the tree in the system, which allows the binaries that live outside the chroot tree (specifically ndc) to see the same view regardless of how named is operating (chroot'ed or not).

I use /var/named for the top of my chroot tree, but on my systems /var is its own file system. You could just as easily use /usr/local/named; just be sure that whatever you choose has enough space for all your files, both master and slave, and is on a separate file system from anything you care about, like /.

dev
etc/namedb/master
etc/namedb/slave
usr/libexec
var/dump
var/log
var/run

Of the last 3, only var/run is really needed. I use var/dump as my dumpdb so that I don't have to make etc/namedb writable by user bind. etc/namedb/slave should be writable by user bind, however, so that named can slave any zones it needs.

You should copy the statically linked /usr/libexec/named-xfer into usr/libexec/ in the chroot tree. You should also use mknod to create dev/null in the chroot tree. If you want to use syslog, you should start it with '-l /var/named/var/run/log' so that there will be a socket in the chroot tree. Finally, I generally copy /etc/localtime into etc/ in the chroot so that the named syslog entries are in the same time zone as the base system. It's rather confusing if you don't do this. :)

Now for the real magic.
In the system /etc, either 'rm -r namedb', or mv it to another name. Then do 'ln -s /var/named/etc/namedb' in /etc, and then all of your binaries will behave the same regardless of whether you're running chroot'ed or not.

Once this is all set up, you can start named with 'named -u bind -t/var/named' (or whatever you set up as your chroot directory).

I realize that this is a rather complex thing to understand; however, running something as vulnerable as named chroot'ed is the least you should be doing to make it as secure as possible. I'm working on updating the documentation on this, but it's dropped pretty low on my project list.

Doug

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
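The procedure in the message above, as an added shell script that is not Doug's own code or anything shipped with the BIND port. It builds the directory tree he lists, copies named-xfer and /etc/localtime into it, creates dev/null and sets ownership of the writable directories when run as root on FreeBSD, checks that nothing required is missing before you start the daemon, and replaces the system /etc/namedb with a symlink into the chroot. Assumptions: the chroot root defaults to /var/named, the unprivileged user is "bind", the helper is /usr/libexec/named-xfer, the device numbers 2,2 for /dev/null are those of FreeBSD 4.x MAKEDEV, and the existing /etc/namedb is moved aside to namedb.orig rather than removed. The function and variable names are this script's own.

```shell
#!/bin/sh
# Added example (not from the original message): prepare a BIND 8 chroot tree
# on FreeBSD 4.x following the layout described in the thread.
# Assumed defaults: root /var/named, user "bind", helper /usr/libexec/named-xfer.

# Directories from the message. Of var/dump, var/log and var/run only var/run
# is strictly required (syslogd's socket lives there).
CHROOT_DIRS="dev etc/namedb/master etc/namedb/slave usr/libexec var/dump var/log var/run"

# Build the tree under $1, copying the named-xfer binary from $2.
# The steps that need root (device node, chown) run only as uid 0 on FreeBSD,
# so the layout itself can be prepared and inspected by any user.
make_named_chroot() {
    root=$1
    xfer=${2:-/usr/libexec/named-xfer}
    user=${NAMED_USER:-bind}
    for d in $CHROOT_DIRS; do
        mkdir -p "$root/$d" || return 1
    done
    # The zone-transfer helper is the only binary that must live inside the chroot.
    if [ -f "$xfer" ]; then
        cp "$xfer" "$root/usr/libexec/named-xfer" && chmod 555 "$root/usr/libexec/named-xfer"
    fi
    # Same time zone as the base system so named's syslog entries line up.
    [ -f /etc/localtime ] && cp /etc/localtime "$root/etc/localtime"
    if [ "$(id -u)" -eq 0 ] && [ "$(uname -s)" = FreeBSD ]; then
        # Character device 2,2 is /dev/null in FreeBSD 4.x MAKEDEV (assumption;
        # confirm with ls -l /dev/null before relying on it).
        [ -c "$root/dev/null" ] || mknod "$root/dev/null" c 2 2
        chmod 666 "$root/dev/null"
        # named needs to write slave zones and dumpdb output; master stays read-only.
        chown "$user" "$root/etc/namedb/slave" "$root/var/dump"
    fi
    return 0
}

# Print every required piece missing from the tree under $1, one per line,
# and return 1 if anything is missing. Run this before starting named.
missing_chroot_items() {
    root=$1
    rc=0
    for d in $CHROOT_DIRS; do
        [ -d "$root/$d" ] || { echo "$d"; rc=1; }
    done
    [ -x "$root/usr/libexec/named-xfer" ] || { echo "usr/libexec/named-xfer"; rc=1; }
    [ -c "$root/dev/null" ] || { echo "dev/null"; rc=1; }
    return $rc
}

# Replace $2/namedb (default /etc/namedb) with a symlink to the copy inside
# the chroot root $1, so ndc and other tools outside the chroot see the same
# files whether or not named is running chroot'ed. An existing directory is
# moved to namedb.orig (assumption: moved aside, not removed).
link_namedb() {
    root=$1
    etc=${2:-/etc}
    if [ -e "$etc/namedb" ] && [ ! -L "$etc/namedb" ]; then
        mv "$etc/namedb" "$etc/namedb.orig" || return 1
    fi
    [ -L "$etc/namedb" ] && rm "$etc/namedb"
    ln -s "$root/etc/namedb" "$etc/namedb"
}

# The two commands to run once the tree checks out (printed, not executed).
print_start_commands() {
    root=$1
    echo "syslogd -l $root/var/run/log"
    echo "named -u ${NAMED_USER:-bind} -t $root"
}

# Usage (as root on the FreeBSD box): sh named-chroot.sh /var/named [link]
if [ $# -ge 1 ]; then
    make_named_chroot "$1" || exit 1
    if missing_chroot_items "$1"; then
        [ "${2:-}" = link ] && link_namedb "$1"
        print_start_commands "$1"
    else
        echo "chroot tree incomplete, not linking /etc/namedb" >&2
        exit 1
    fi
fi
```

The check deliberately refuses to link /etc/namedb while anything is missing: a chroot without dev/null or named-xfer will start but fail in ways that only show up on the first zone transfer or the first log line. Run the script without the "link" argument first, read what it reports, and only then let it replace /etc/namedb.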