From mike_makonnen@yahoo.com Tue May 1 23:40:35 2001
Return-Path:
Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by hub.freebsd.org (Postfix) with ESMTP id 54C5037B422 for ; Tue, 1 May 2001 23:40:35 -0700 (PDT) (envelope-from mike_makonnen@yahoo.com)
Received: from blackbox.pacbell.net ([64.166.85.138]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0GCP006G63V96B@mta5.snfc21.pbi.net> for FreeBSD-gnats-submit@freebsd.org; Tue, 1 May 2001 23:40:21 -0700 (PDT)
Received: (from root@localhost) by blackbox.pacbell.net (8.11.3/8.11.3) id f426fqw62981; Tue, 01 May 2001 23:41:52 -0700 (PDT envelope-from mikem)
Message-Id: <200105020641.f426fqw62981@blackbox.pacbell.net>
Date: Tue, 01 May 2001 23:41:52 -0700 (PDT)
From: mikem
Reply-To: mike_makonnen@yahoo.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] DNS section of handbook doesn't contain section on sandboxing named
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number: 27024
>Category: docs
>Synopsis: [PATCH] DNS section of handbook doesn't contain section on sandboxing named
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 01 23:50:00 PDT 2001
>Closed-Date: Tue May 8 18:19:29 PDT 2001
>Last-Modified: Tue May 08 18:19:47 PDT 2001
>Originator: mikem
>Release: FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD blackbox.pacbell.net 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri Apr 27 05:15:23 PDT 2001 root@blackbox.pacbell.net:/usr/obj/src/stable/src/sys/BLACKBOX i386
>Description:
The DNS section of the handbook does not contain an explanation on how to run named in a sandbox. Actually, I don't think it's documented anywhere.
>How-To-Repeat: goto http://www.freebsd.org/handbook/dns.html >Fix: I wrote down the things that would have helped me as I setup my nameserver in a sandbox and added them to my local copy of the docs. Here's the diffs. *** chapter.sgml.original Mon Apr 30 20:52:36 2001 --- chapter.sgml Tue May 1 23:27:46 2001 *************** *** 3318,3323 **** --- 3318,3395 ---- + + Running named in a Sandbox + + For added security you may want to run &man.named.8; in a sandox. This + will reduce the potential damage should it be compromised. If you + include a sandbox directory in its command line, named will &man.chroo t.8; + into that directory immediately upon finishing processing its + command line. It is also a good idea to have named run as a + non-priveledged user in the sandbox. The default FreeBSD install + contains a user bind with group bind. If we wanted the sandbox in + the /etc/namedb/sanbox directory the command line + for named would look like this: + &prompt.root; /usr/sbin/named -u bind -g bind -t / etc/namedb/sandbox <path_to_named.conf> + + + The following steps should be taken in order to successfully + run named in a sandbox. Throughout the following discussion we will a ssume + the path to your sandbox is /etc/namedb/sandox

+ + + + Create the sandbox directory: /etc/namedb/sandbox + + + Create other necessary directories off of the the sandbox + directory: etc and var/runRelease-Note: >Audit-Trail: State-Changed-From-To: open->closed State-Changed-By: murray State-Changed-When: Tue May 8 18:19:29 PDT 2001 State-Changed-Why: Committed, thanks! http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27024 >Unformatted: > + + + copy /etc/localtime to sandbox/etc + + + make bind:bind the owner of all files and directories in the + sandbox: + &prompt.root; chown -R bind:bind /etc/namedb/san dbox + &prompt.root; chmod -R 750 /etc/namedb/sandbox + + + + + There are some issues you need to be aware of when running + named in a sandbox. + + + + Your &man.named.conf.5; file and all your zone files must be + in the sandbox + + + sandbox/etc/localtime is needed in order to have + the correct time for your time zone in log messages + + + &man.named.8; will write its process id to a file in + sandbox/var/run + + + The unix socket used for comunication by the &man.ndc.8; + utility will be created in sandbox/var/run + + + When using the ndc utility you need to specify the location of + the unix socket created in the sandbox, by &man.named.8;, by using th e -c switch: + &prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndc + + + If you enable logging to file, the log files must be + in the sandbox + + + +
+ Further Reading
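Review bot: The user-visible text of this hunk needs a spelling pass before commit: "sandox" (twice) and "/etc/namedb/sanbox" should be "sandbox" (the directory is otherwise consistently /etc/namedb/sandbox), "non-priveledged" should be "non-privileged", and "comunication" should be "communication"; several tokens also appear split in the rendered patch ("&man.chroo t.8;", "a ssume", "san dbox", "th e -c switch", "-t / etc/namedb/sandbox") and should be checked against the actual chapter.sgml. Two documentation points as well. First, the <path_to_named.conf> placeholder in the command line should say that, because named chroots as soon as it has processed its arguments and only then reads its configuration, this path is resolved inside the sandbox (for example, a file kept at /etc/namedb/sandbox/etc/named.conf is passed as /etc/named.conf); the later bullet that named.conf and the zone files "must be in the sandbox" follows from this and would be clearer with that rule stated up front. Second, "It is also a good idea to have named run as a non-priveledged user" undersells the point: a process that stays root inside a chroot is not meaningfully confined, so the -u bind -g bind options in the example should be described as required for the sandbox to deliver the damage limitation the first paragraph promises, and the chown/chmod step that gives bind:bind ownership of the tree (including var/run, where the pid file and ndc socket are created) should be tied back to that requirement.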