Date:      Thu, 23 Aug 2001 13:07:38 -0400
From:      "Brian F. Feldman" <green@FreeBSD.ORG>
To:        Matt Dillon <dillon@earth.backplane.com>
Cc:        "Andrey A. Chernov" <ache@nagual.pp.ru>, Brian Somers <brian@Awfulhak.org>, Jun Kuriyama <kuriyama@FreeBSD.ORG>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, brian@freebsd-services.com
Subject:   Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf 
Message-ID:  <200108231707.f7NH7dG14247@green.bikeshed.org>
In-Reply-To: Your message of "Thu, 23 Aug 2001 09:45:34 PDT." <200108231645.f7NGjYe86993@earth.backplane.com> 

Matt Dillon <dillon@earth.backplane.com> wrote:
> 
>     I like the idea of, finally, invoking named in a sandbox.  I don't
>     understand why the pidfile location has to change, though.  named
>     creates its pidfile as root before it setuid's itself.
> 
>     While it is true that named cannot rescan interfaces when operating
>     in this mode, this restriction has never been an impediment to anything
>     I've ever done with it.  Most dialup users don't run named, they simply
>     allow ppp to set up /etc/resolv.conf for them.  Those who do will be savvy
>     enough to add the appropriate override to /etc/rc.conf (or won't have to
>     if they don't bother to mergemaster the new default rc files).
> 
>     I know it isn't a perfect solution, but we *REALLY* need to secure 
>     named this time around.  It is years past the time we should have done
>     it.

For what it's worth, here's how I configure named on the computers I run.  
Not that it's the best way, but it's definitely very reasonable for a 
default if nothing else.

In rc.conf I use:
syslogd_flags="-s -l /etc/namedb/var/run/log"   # Flags to syslogd (if enabled).
named_flags="-u daemon -g daemon -t /etc/namedb -c named.conf"

named.conf:

logging {
    channel to_syslog {
        syslog daemon;
    };
    category default {
        to_syslog;
    };
    category panic {
        to_syslog;
    };
};
options {
    directory "/";      // chrooted into /etc/namedb
};

/etc/namedb:

-rw-r--r--  1 root  wheel   423 Feb 26  2000 PROTO.localhost.rev
-rw-r--r--  1 root  wheel   457 Oct 13  2000 localhost.rev
-rw-r--r--  1 root  wheel   843 Dec 10  2000 make-localhost
-rw-r--r--  1 root  wheel  2647 Oct 21  1997 named.boot
-rw-r--r--  1 root  wheel  3592 Mar 29 10:17 named.conf
-rw-r--r--  1 root  wheel  2843 Feb 26  2000 named.root
drwxr-xr-x  4 root  wheel   512 Nov 12  2000 var

/etc/namedb/var:
total 2
drwxr-xr-x  2 root  wheel  512 Nov 12  2000 log
drwxr-xr-x  2 root  wheel  512 Aug 22 23:06 run

/etc/namedb/var/log:

/etc/namedb/var/run:
total 1
srw-rw-rw-  1 root    wheel   0 Aug 22 23:06 log
-rw-r--r--  1 daemon  daemon  4 Aug 22 23:06 named.pid
srw-------  1 root    wheel   0 Aug 22 23:06 ndc

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
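As an added example (my own code, not from the mail above or from FreeBSD), a POSIX sh check for the two rc.conf lines quoted in the message: it confirms that named is chrooted as a non-root user and that the extra socket syslogd opens with -l is exactly <chroot>/var/run/log, the path syslog(3) connects to from inside the sandbox. The function names flag_arg, rc_value and check_named_sandbox are mine; the sample rc.conf is constructed inline.

```shell
# Added consistency check for the chrooted-named layout above (example code,
# not from the original mail). Assumes an rc.conf-style file carrying
# named_flags and syslogd_flags. named logs through syslog(3), which inside the
# chroot connects to <chroot>/var/run/log, so syslogd's -l path must be exactly
# that path or named's messages are silently dropped.

# flag_arg OPT "FLAGS": print the word following OPT in FLAGS, or fail.
flag_arg() {
    opt=$1
    set -- $2                     # word-split the flag string on purpose
    while [ $# -gt 1 ]; do
        if [ "$1" = "$opt" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# rc_value NAME FILE: print the last NAME="value" assignment in FILE.
rc_value() {
    sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# check_named_sandbox FILE: 0 when named is chrooted as a non-root user and
# syslogd listens on the log socket inside that chroot, 1 otherwise.
check_named_sandbox() {
    nf=$(rc_value named_flags "$1")
    sf=$(rc_value syslogd_flags "$1")
    dir=$(flag_arg -t "$nf") || { echo "named is not chrooted (no -t)"; return 1; }
    user=$(flag_arg -u "$nf") || { echo "named keeps root (no -u)"; return 1; }
    [ "$user" != root ] || { echo "named -u must not be root"; return 1; }
    sock=$(flag_arg -l "$sf") || { echo "syslogd has no chroot socket (no -l)"; return 1; }
    if [ "$sock" != "${dir%/}/var/run/log" ]; then
        echo "syslogd socket $sock is not ${dir%/}/var/run/log: named logs would be lost"
        return 1
    fi
    echo "ok: named chrooted in $dir as $user, logging via $sock"
}

# Constructed sample rc.conf with the two lines from the mail above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
syslogd_flags="-s -l /etc/namedb/var/run/log"   # Flags to syslogd (if enabled).
named_flags="-u daemon -g daemon -t /etc/namedb -c named.conf"
EOF
check_named_sandbox "$sample"
rm -f "$sample"
```

Point it at a real /etc/rc.conf to check a host; a non-zero exit with the printed reason means named would either run with more privilege than intended or log into nowhere.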
