Date:      Thu, 1 Feb 2001 10:26:44 -0800 (PST)
From:      Stefan Molnar <stefan@csudsu.com>
To:        Dag-Erling Smorgrav <des@ofug.org>
Cc:        Gordon Tetlow <gordont@bluemtn.net>, Vivek Khera <khera@kciLink.com>, <stable@FreeBSD.ORG>
Subject:   Re: chrooting bind
Message-ID:  <Pine.BSF.4.31.0102011024300.4036-100000@digital.csudsu.com>
In-Reply-To: <xzpsnlyuv1x.fsf@flood.ping.uio.no>


I see where you are coming from now.  On this system I attempted
to be more complete, basically give it everything, and attempt to
depend on nothing outside the sandbox.  Though ndc does not work
well in 9.1.0.

On 1 Feb 2001, Dag-Erling Smorgrav wrote:

> Stefan Molnar <stefan@csudsu.com> writes:
> > Please explain.  I am running named with -t /var/named and I have to
> > create a /dev entries, all the libs needed by named, etc.
>
> There is no need for placing any device nodes in the sandbox.
>
> Libraries can be avoided by linking named-xfer (which is the only
> binary you need inside the sandbox) statically.
>
> You will need /var/run and /var/tmp to exist in the sandbox and be
> writeable for the bind user. You will also need a log socket in
> ${sandbox}/var/run; see the description of the -l option to syslogd in
> the syslogd(8) man page.
>
> You will probably want to symlink ${sandbox}/var/run/ndc to
> /var/run/ndc so ndc still works without the -c option. You may want to
> do the same thing with ${sandbox}/var/run/named.pid.
>
> Ideally, everything in the sandbox except /var/run, /var/tmp and the
> directory (or directories) in which you want bind to place slave zone
> files and db dumps should be read-only and/or owned by a different
> user.
>
> You need to be aware of how the 'ndc restart' command works, and
> possibly modify ndc to disable it, or write a wrapper for ndc, so that
> you never accidentally run named outside the sandbox.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org
>
>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
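The sandbox layout DES describes (writable /var/run, /var/tmp and slave-zone directory; everything else read-only; symlinked ndc socket and pid file; a syslogd -l socket; and a wrapper so 'ndc start'/'ndc restart' can never start named outside the chroot) as a worked script. This is an added example, not code from the thread or from FreeBSD. The directory names, the slave-zone directory, the wrapper path and the /usr/sbin locations of named and ndc are assumptions; the host run directory is a parameter so the functions can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the thread): lay out a BIND 8 sandbox for
# 'named -u bind -t SANDBOX'. Paths and binary locations are assumptions.
set -eu

# build_named_sandbox SANDBOX USER GROUP
# Run as root in real use: the read-only part is then root-owned and only
# the writable directories belong to USER.
build_named_sandbox() {
    sandbox=$1 user=$2 group=$3

    # Read-only part: config and master zones. No /dev entries are needed,
    # and with a statically linked named-xfer no shared libraries either.
    for d in etc etc/namedb var; do
        mkdir -p "$sandbox/$d"
        chmod 0755 "$sandbox/$d"
    done

    # Writable part: pid file and ndc socket, scratch space, slave zones/dumps.
    for d in var/run var/tmp etc/namedb/slave; do
        mkdir -p "$sandbox/$d"
        chown "$user:$group" "$sandbox/$d"
        chmod 0755 "$sandbox/$d"   # owner rwx only
    done
}

# link_control_files SANDBOX HOSTRUN
# Chrooted named creates its control socket and pid file under SANDBOX/var/run;
# symlinks from the host's /var/run (HOSTRUN) keep plain 'ndc' working.
link_control_files() {
    sandbox=$1 hostrun=$2
    ln -sf "$sandbox/var/run/ndc" "$hostrun/ndc"
    ln -sf "$sandbox/var/run/named.pid" "$hostrun/named.pid"
}

# rc_conf_lines SANDBOX
# rc.conf settings: named chrooted as bind, syslogd opening an extra log
# socket inside the sandbox with -l (see syslogd(8)).
rc_conf_lines() {
    sandbox=$1
    printf '%s\n' \
        'named_enable="YES"' \
        "named_flags=\"-u bind -t $sandbox -c /etc/namedb/named.conf\"" \
        "syslogd_flags=\"-l $sandbox/var/run/log\""
}

# write_ndc_wrapper SANDBOX USER OUTFILE
# 'ndc start'/'ndc restart' would otherwise exec named with ndc's own default
# arguments, i.e. outside the sandbox. The wrapper pins the chroot flags and
# forwards every other command to the real ndc on the sandbox socket.
write_ndc_wrapper() {
    sandbox=$1 user=$2 out=$3
    cat > "$out" <<EOF
#!/bin/sh
# Generated wrapper: named always starts inside $sandbox.
case "\$1" in
    start)
        exec /usr/sbin/named -u $user -t $sandbox -c /etc/namedb/named.conf ;;
    restart)
        /usr/sbin/ndc -c $sandbox/var/run/ndc stop
        sleep 2   # let the old named exit and release the socket
        exec /usr/sbin/named -u $user -t $sandbox -c /etc/namedb/named.conf ;;
    *)
        exec /usr/sbin/ndc -c $sandbox/var/run/ndc "\$@" ;;
esac
EOF
    chmod 0755 "$out"
}

# verify_sandbox SANDBOX USER
# Returns 0 when the writable directories belong to USER, the read-only
# part is not group/other writable, and no device nodes were created.
verify_sandbox() {
    sandbox=$1 user=$2
    for d in var/run var/tmp etc/namedb/slave; do
        [ -n "$(find "$sandbox/$d" -prune -user "$user" 2>/dev/null)" ] || return 1
    done
    for d in etc etc/namedb; do
        [ -n "$(find "$sandbox/$d" -prune ! -perm -020 ! -perm -002 2>/dev/null)" ] || return 1
    done
    [ ! -e "$sandbox/dev" ] || return 1
    return 0
}

# Usage (as root): sh build_sandbox.sh build /var/named bind bind
if [ "${1:-}" = build ]; then
    build_named_sandbox "$2" "$3" "$4"
    link_control_files "$2" /var/run
    write_ndc_wrapper "$2" "$3" /usr/local/sbin/ndc   # assumed wrapper path
    rc_conf_lines "$2"
    verify_sandbox "$2" "$3"
fi
```

Because named chroots before reading its configuration, the -c path in the wrapper and in named_flags is relative to the sandbox root, not the host. Put the wrapper ahead of /usr/sbin/ndc in root's PATH, or replace the ndc invocation in the startup script, so that no habitual 'ndc restart' bypasses it.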
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.31.0102011024300.4036-100000>