Date:      Tue, 01 May 2001 23:41:52 -0700 (PDT)
From:      mikem <mike_makonnen@yahoo.com>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   docs/27024: [PATCH] DNS section of handbook doesn't contain section on sandboxing named
Message-ID:  <200105020641.f426fqw62981@blackbox.pacbell.net>


>Number:         27024
>Category:       docs
>Synopsis:       [PATCH] DNS section of handbook doesn't contain section on sandboxing named
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 01 23:50:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     mikem
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD blackbox.pacbell.net 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri Apr 27 05:15:23 PDT 2001 root@blackbox.pacbell.net:/usr/obj/src/stable/src/sys/BLACKBOX i386


	
>Description:
	The DNS section of the handbook does not contain an explanation on
	how to run named in a sandbox. Actually, I don't think it's documented anywhere.
	
>How-To-Repeat:
	go to http://www.freebsd.org/handbook/dns.html
	
>Fix:
	I wrote down the things that would have helped me as I set up my nameserver
	in a sandbox and added them to my local copy of the docs. Here are the diffs.

*** chapter.sgml.original       Mon Apr 30 20:52:36 2001
--- chapter.sgml        Tue May  1 23:27:46 2001
***************
*** 3318,3323 ****
--- 3318,3395 ----
    </para>
  </sect2>

+ <sect2 id="named-sandbox">
+    <title>Running named in a Sandbox</title>
+
+       <para>For added security you may want to run &man.named.8; in a sandox.
This
+         will reduce the potential damage should it be compromised. If you
+         include a sandbox directory in its command line, named will &man.chroo
t.8;
+         into that directory immediately upon finishing processing its
+         command line. It is also a good idea to have named run as a
+         non-priveledged user in the sandbox. The default FreeBSD install
+         contains a user bind with group bind. If we wanted the sandbox in
+         the <filename>/etc/namedb/sanbox</filename> directory the command line

+         for named would look like this:</para>
+         <screen> &prompt.root; <userinput>/usr/sbin/named -u bind -g bind -t /
etc/namedb/sandbox &lt;path_to_named.conf> </userinput>
+         </screen>
+
+       <para>The following steps should be taken in order to successfully
+         run named in a sandbox. Throughout  the following discussion we will a
ssume
+         the path to your sandbox is <filename>/etc/namedb/sandox</filename></p
ara>
+
+       <itemizedlist>
+         <listitem>
+            <para>Create the sandbox directory: <filename>/etc/namedb/sandbox</
filename></para>
+         </listitem>
+         <listitem>
+         <para>Create other necessary directories off of the the sandbox
+            directory: <filename>etc</filename> and <filename>var/run</filename
>Release-Note:
>Audit-Trail:
>Unformatted:
 ></para>
 +       </listitem>
 +         <listitem>
 +         <para>copy /etc/localtime to sandbox/etc</para>
 +       </listitem>
 +         <listitem>
 +         <para>make bind:bind the owner of all files and directories in the
 +             sandbox:
 +            <screen>&prompt.root; <userinput>chown -R bind:bind /etc/namedb/san
 dbox</userinput> </screen>
 +            <screen>&prompt.root; <userinput>chmod -R 750 /etc/namedb/sandbox</
 userinput> </screen>
 +         </para>
 +       </listitem>
 +       </itemizedlist>
 +
 +       <para>There are some issues you need to be aware of when running
 +         named in a sandbox.</para>
 +
 +       <itemizedlist>
 +         <listitem>
 +         <para>Your &man.named.conf.5; file and all your zone files must be
 +           in the sandbox</para>
 +       </listitem>
 +         <listitem>
 +         <para><filename>sandbox/etc/localtime</filename> is needed in order to
  have
 +           the correct time for your time zone in log messages</para>
 +       </listitem>
 +         <listitem>
 +         <para> &man.named.8; will write its process id to a file in
 +           <filename>sandbox/var/run</filename></para>
 +       </listitem>
 +       <listitem>
 +         <para>The unix socket used for comunication by the &man.ndc.8;
 +           utility will be created in <filename>sandbox/var/run</filename></par
 a>
 +       </listitem>
 +         <listitem>
 +         <para>When using the ndc utility you need to specify the location of
 +          the unix socket created in the sandbox, by &man.named.8;, by using th
 e -c switch:
 +            <command>&prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndc</comm
 and></para>
 +       </listitem>
 +         <listitem>
 +         <para>If you enable logging to file, the log files must be
 +            in the sandbox</para>
 +       </listitem>
 +       </itemizedlist>
 +
 + </sect2>
 +
   <sect2>
     <title>Further Reading</title>
     <para>
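Review bot: the last setup step (`chown -R bind:bind /etc/namedb/sandbox` followed by `chmod -R 750 /etc/namedb/sandbox`) leaves every directory in the sandbox, including the chroot root itself and `etc`, writable by the unprivileged bind user, which undercuts the "reduce the potential damage should it be compromised" goal stated at the top of the section; suggest documenting the sandbox root, `etc` and the configuration and zone files as owned by root and group-readable by bind, with bind given write access only where the text says named needs it, namely `var/run` and any log directory. Two documentation gaps in the same hunk: the command line shows `<path_to_named.conf>` but, since the text says named chroots "immediately upon finishing processing its command line", the reader should be told whether that path is the host path or the path as seen from inside the sandbox; and the ndc item should say that `/etc/namedb/sandbox/var/run/ndc` is the host-side path of the socket that named creates at `var/run/ndc` relative to its new root. Spelling: "sandox" (twice), "sanbox" in `<filename>/etc/namedb/sanbox</filename>` (which also contradicts the `/etc/namedb/sandbox` path used in the command line), "non-priveledged", "comunication", and "the the". Style: the ndc invocation is marked up as `<command>&prompt.root; ndc ...</command>` while the other invocations in this section use `<screen>&prompt.root; <userinput>...</userinput></screen>`; use the latter for consistency.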
 
 
