Hi,

On Tue, 2003-01-07 at 07:06, Jon W. Backstrom wrote:
> Dear FreeBSD Community,
>
> I am trying to run named (bind) in a sandbox using the default flags
> found in the config files. I've got this in my /etc/rc.conf file:
>
> named_enable="YES"              # Run named, the DNS server (or NO).
> named_flags="-u bind -g bind"   # Flags for named
>
> I also did a "chown -R bind:bind" to my secondary DNS directory, so
> all updates work with the new "bind" userID and group (53).
>
> [/etc/group]
> bind:*:53:
>
You might want to check against the procedures laid out in the Handbook
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/dns.html#NAMED-SANDBOX)
so as to ensure that you have indeed performed all of the required steps.
In particular:

  - Make a dev/null that named can see and write to
  - Symlink /var/run/ndc to /etc/namedb/var/run/ndc
  - Configure syslogd(8) to create an extra log socket that named can
    write to
  - Arrange to have named start and chroot itself to the sandbox by
    adding corresponding lines to /etc/rc.conf

Hope this helps.

Regards,

Stacey

> The problem comes when I use "/usr/sbin/named.reload" ... I get an
> error message that named can't write the /var/run/named.pid file.
>
> It seems unable to delete and rewrite "named.pid". I've tried
> various group permissions for /var/run to allow the "bind" user
> to create this file, but I can't seem to make this error go away.
>
> Is there an obvious trick to running named in a sandbox under the
> FreeBSD 4.7 standard distro?
>
> Thank you!
>
> Jon Backstrom
> [EMAIL PROTECTED]
>
>
> P.S. - In the /etc/defaults/rc.conf file, there is a comment that
> it *may* be possible to run named in a sandbox...but the
> docs in "man security" don't mention anything about the
> problems with /var/run/named.pid.
>
> # named.  It may be possible to run named in a sandbox, man security for
> # details.
> #
> named_enable="NO"               # Run named, the DNS server (or NO).
> named_program="/usr/sbin/named" # path to named, if you want a different one.
> #named_flags="-u bind -g bind"  # Flags for named
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
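The four Handbook steps in the reply, carried out as one script. This is an added example, not code from the thread or from the FreeBSD Handbook; it assumes the FreeBSD 4.x layout (sandbox at /etc/namedb, null device major 2 minor 2, BIND 8 named accepting -t for the chroot directory) and takes the sandbox root and a "system prefix" as parameters so the layout can be dry-run in a scratch directory without root. The point it makes for the original problem: once named runs with -t, the "/var/run/named.pid" it writes resolves to var/run inside the sandbox, which the bind user owns, so the permission fight over the host's /var/run goes away.

```shell
#!/bin/sh
# Added example, not from the thread: build the named chroot sandbox along the
# four Handbook steps Stacey lists, then check it. The sandbox root and a
# "system prefix" are parameters so the layout can be dry-run in a scratch
# directory as an unprivileged user. Assumptions (FreeBSD 4.x): /etc/namedb is
# the sandbox, the null device is major 2 minor 2, and BIND 8 named takes -t
# for the chroot directory. On a live system: build_named_sandbox /etc/namedb ""

# Append KEY=VALUE to an rc.conf file unless KEY is already set there.
add_rc_line() {
    grep -q "^$2=" "$1" 2>/dev/null || printf '%s=%s\n' "$2" "$3" >> "$1"
}

build_named_sandbox() {
    sandbox="$1"                          # /etc/namedb on a real system
    prefix="$2"                           # "" on a real system, scratch dir for a dry run
    real_sandbox="${sandbox#"$prefix"}"   # the path as the running system sees it

    # dev/ for null and the log socket, etc/ for named's own files, var/run/ for
    # named.pid and the ndc socket. After chroot, "/var/run/named.pid" resolves to
    # $sandbox/var/run/named.pid, so the host's /var/run permissions no longer matter.
    mkdir -p "$sandbox/dev" "$sandbox/etc" "$sandbox/var/run" || return 1

    if [ "$(id -u)" -eq 0 ]; then
        # Step 1: a /dev/null the chrooted process can open. Needs root (and, in a
        # container, the mknod capability), so failure is reported but not fatal.
        if [ ! -c "$sandbox/dev/null" ]; then
            mknod "$sandbox/dev/null" c 2 2 && chmod 666 "$sandbox/dev/null" \
                || echo "warning: could not create $sandbox/dev/null" >&2
        fi
        # var/run must belong to the user named drops to with -u bind -g bind.
        if id bind >/dev/null 2>&1; then
            chown -R bind:bind "$sandbox/var/run" || return 1
        fi
    fi

    # Step 2: ndc runs outside the sandbox; point the host's /var/run/ndc at the
    # socket named will create inside it.
    mkdir -p "$prefix/var/run" "$prefix/etc" || return 1
    ln -sf "$real_sandbox/var/run/ndc" "$prefix/var/run/ndc" || return 1

    # Steps 3 and 4: an extra syslogd socket inside the sandbox, and the -t
    # chroot flag added to the -u/-g flags from the original post.
    rc="$prefix/etc/rc.conf"
    add_rc_line "$rc" named_enable  '"YES"'
    add_rc_line "$rc" named_flags   "\"-u bind -g bind -t $real_sandbox\""
    add_rc_line "$rc" syslogd_flags "\"-l $real_sandbox/dev/log\""
}

# Re-check the four steps; report each missing piece, return non-zero if any.
verify_named_sandbox() {
    sandbox="$1"; prefix="$2"; status=0
    real_sandbox="${sandbox#"$prefix"}"
    for d in dev etc var/run; do
        [ -d "$sandbox/$d" ] || { echo "missing directory $sandbox/$d"; status=1; }
    done
    if [ "$(id -u)" -eq 0 ] && id bind >/dev/null 2>&1; then
        # Device node and ownership only mean something on a real system with a bind user.
        [ -c "$sandbox/dev/null" ] || { echo "missing device $sandbox/dev/null"; status=1; }
        owner="$(ls -ld "$sandbox/var/run" | awk '{print $3}')"
        [ "$owner" = bind ] || { echo "$sandbox/var/run owned by $owner, not bind"; status=1; }
    fi
    [ "$(readlink "$prefix/var/run/ndc" 2>/dev/null)" = "$real_sandbox/var/run/ndc" ] \
        || { echo "ndc symlink missing or points elsewhere"; status=1; }
    for key in named_enable named_flags syslogd_flags; do
        grep -q "^$key=" "$prefix/etc/rc.conf" 2>/dev/null \
            || { echo "rc.conf does not set $key"; status=1; }
    done
    return $status
}
```

A dry run is `build_named_sandbox "$d/etc/namedb" "$d"` followed by `verify_named_sandbox` with the same arguments, where `$d` is a scratch directory; the verify function is what you would run on the real box afterwards to see which of the four steps is still missing.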