On Tue, Jan 20, 2004 at 05:04:16PM -0500, Robert Fitzpatrick wrote:
> I see the bind user is defined as BIND Sandbox, does this mean the
> default port install of bind9 sets bind up in a chroot jail?
No -- all that means is that named(8) runs as a non-privileged user by
default.
However, running Bind9 in a chroot jail is really quite easy. First
of all, with Bind9, there's no need to install the software under the
chroot path. Just install the Bind9 port as normal.
Add the following (mutatis mutandis) to your /etc/rc.conf to make
named(8) from Bind9 start up and chroot itself:
named_enable="YES"
named_flags="-c /etc/namedb/named.conf -u bind -t /var/named"
named_program="/usr/local/sbin/named"
That chroots named(8) under /var/named -- so the named.conf file
referred to is actually /var/named/etc/namedb/named.conf -- you'll also
want a named.root file in /var/named/etc/namedb which you can copy
from /etc/namedb.
Now set up the chroot area. You need to create directories:
drwxr-xr-x  root  wheel  /var/named
drwxr-xr-x  root  wheel  /var/named/var
drwxr-xr-x  bind  bind   /var/named/var/run
drwxr-xr-x  root  wheel  /var/named/etc
drwxr-xr-x  root  wheel  /var/named/etc/namedb
drwxr-xr-x  root  wheel  /var/named/etc/namedb/p       [Optional]
drwxr-xr-x  bind  bind   /var/named/etc/namedb/s       [Optional]
drwxr-xr-x  bind  bind   /var/named/etc/namedb/dump    [Optional]
drwxr-xr-x  root  wheel  /var/named/dev
The directories I've marked optional are set up in my named.conf as
the locations for: 'p' -- zone files which this is the master for, 's'
-- zone files this server is a secondary for and 'dump' -- the default
location to dump named cache and statistics.
Copy the configuration files previously mentioned into place in
/var/named/etc/namedb.
Additionally you will need to:
cp /etc/localtime /var/named/etc/localtime
and you will need to set up the following character devices:
-r-xr-xr-x  1 root  wheel  44235 Sep 25  2002 MAKEDEV*   [FBSD 4.x only]
crw-rw-rw-  1 root  wheel    2,   2 Sep 25  2002 null
crw-r--r--  1 root  wheel    2,   3 Sep 25  2002 random
crw-rw-rw-  1 root  wheel   22,   2 Sep 25  2002 stderr
crw-rw-rw-  1 root  wheel   22,   0 Sep 25  2002 stdin
crw-rw-rw-  1 root  wheel   22,   1 Sep 25  2002 stdout
crw-rw-rw-  1 root  wheel    1,   0 Sep 25  2002 tty
crw-r--r--  1 root  wheel    2,   4 Sep 25  2002 urandom
crw-rw-rw-  1 root  wheel    2,  12 Sep 25  2002 zero
Use MAKEDEV to do that under FreeBSD 4.x (Copy the original from
/dev/MAKEDEV). Under FreeBSD 5.x, set these devices up by editing
/etc/devd.conf -- see devd.conf(5).
Finally, if you want to log named(8) events via syslogd(8), you will
need to add to /etc/rc.conf:
syslogd_flags="-ss -l /var/named/var/run/log"
and that is really just about it, bar the usual chores of editing
named.conf(5) and maintaining the various DNS zone data files.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
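The directory, device and file-copy steps above, collected into one script as an added example; this is not part of Matthew's message or of the bind9 port. The layout under /var/named, the owners, and the device major/minor numbers are taken from his listings and are FreeBSD 4.x values; the bind user and group are assumed to already exist. The `build` function needs root, while `check` reports anything missing and also flags a configuration or master-zone directory that the bind user owns or that is world-writable, since a named(8) that can rewrite its own config has lost most of the benefit of the jail. On a devfs-based system (FreeBSD 5 and later) the mknod step does not apply; mount devfs on the chroot's dev directory instead.

```shell
#!/bin/sh
# Added example (not from the original message): build and verify the
# BIND 9 chroot tree described on this page. Paths, owners and device
# numbers are the FreeBSD 4.x values from the message; the bind:bind
# owner is assumed to exist. On devfs systems mount devfs on ROOT/dev
# instead of running the mknod step.
#
# Usage: sh named-chroot.sh build [ROOT]   (as root)
#        sh named-chroot.sh check [ROOT]
# ROOT defaults to /var/named, matching named_flags="... -t /var/named".

# Directories relative to ROOT: path owner:group mode
NAMED_DIRS='var root:wheel 0755
var/run bind:bind 0755
etc root:wheel 0755
etc/namedb root:wheel 0755
etc/namedb/p root:wheel 0755
etc/namedb/s bind:bind 0755
etc/namedb/dump bind:bind 0755
dev root:wheel 0755'

# Character devices under ROOT/dev: name major minor mode
NAMED_DEVS='null 2 2 0666
random 2 3 0644
urandom 2 4 0644
zero 2 12 0666
tty 1 0 0666
stdin 22 0 0666
stdout 22 1 0666
stderr 22 2 0666'

# Files copied from the host: source destination-relative-to-ROOT
NAMED_FILES='/etc/localtime etc/localtime
/etc/namedb/named.conf etc/namedb/named.conf
/etc/namedb/named.root etc/namedb/named.root'

# Directories named(8) must only read. If the bind uid owns them, or
# anyone can write them, a compromised named can rewrite its own
# configuration or the master zone data.
NAMED_READONLY='etc etc/namedb etc/namedb/p dev'

build_named_chroot() {
    root=${1:-/var/named}
    install -d -o root -g wheel -m 0755 "$root"
    printf '%s\n' "$NAMED_DIRS" | while read -r path owner mode; do
        install -d -o "${owner%%:*}" -g "${owner#*:}" -m "$mode" "$root/$path"
    done
    printf '%s\n' "$NAMED_DEVS" | while read -r name major minor mode; do
        [ -c "$root/dev/$name" ] || mknod "$root/dev/$name" c "$major" "$minor"
        chmod "$mode" "$root/dev/$name"
    done
    printf '%s\n' "$NAMED_FILES" | while read -r src dst; do
        cp -p "$src" "$root/$dst"
    done
}

# Print every required entry that is missing or of the wrong type, and
# every read-only directory the bind user could write. Return 0 only
# when nothing is reported.
check_named_chroot() {
    root=${1:-/var/named}
    problems=0
    for path in $(printf '%s\n' "$NAMED_DIRS" | cut -d' ' -f1); do
        [ -d "$root/$path" ] && continue
        echo "missing directory: $root/$path"
        problems=$((problems + 1))
    done
    for name in $(printf '%s\n' "$NAMED_DEVS" | cut -d' ' -f1); do
        [ -c "$root/dev/$name" ] && continue
        echo "missing character device: $root/dev/$name"
        problems=$((problems + 1))
    done
    for dst in $(printf '%s\n' "$NAMED_FILES" | cut -d' ' -f2); do
        [ -f "$root/$dst" ] && continue
        echo "missing file: $root/$dst"
        problems=$((problems + 1))
    done
    for path in $NAMED_READONLY; do
        [ -d "$root/$path" ] || continue
        set -- $(ls -ld "$root/$path")      # perms links owner group ...
        case $1 in
            ????????w*) echo "world-writable: $root/$path"; problems=$((problems + 1)) ;;
        esac
        [ "$3" = bind ] && { echo "owned by bind: $root/$path"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ]
}

case ${1:-} in
    build) build_named_chroot "${2:-/var/named}" ;;
    check) check_named_chroot "${2:-/var/named}" ;;
esac
```

Run `check` after `build` and again after any port upgrade: a replaced /etc/namedb/named.root or a recreated /var/named/dev is the usual reason a chrooted named stops working, and the check names the exact entry at fault. The syslogd socket at /var/named/var/run/log is created by syslogd(8) itself once `-l` is set, so it is deliberately not part of the inventory.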