Re: Running named in a sandbox...problems with /var/run/named.pid
On Tue, Jan 07, 2003 at 01:06:45AM -0600, Jon W. Backstrom wrote:
> Dear FreeBSD Community,
>
> I am trying to run named (bind) in a sandbox using the default flags found
> in the config files. I've got this in my /etc/rc.conf file:
>
> named_enable=YES              # Run named, the DNS server (or NO).
> named_flags=-u bind -g bind   # Flags for named
>
> I also did a chown -R bind:bind to my secondary DNS directory, so all
> updates work with the new bind userID and group (53).
>
> [/etc/group]
> bind:*:53:
>
> The problem comes when I use /usr/sbin/named.reload ... I get an error
> message that named can't write the /var/run/named.pid file.

You need to make a var/run/ in named's sandbox root. By the time it writes
its pidfile, it has already done the chroot() syscall, and cannot see
anything outside its own new root. For the sake of other apps that don't run
in the same sandbox, you can always symlink the new sandboxed pidfile to
/var/run/named.pid.

You should restore the permissions on /var/run, and ensure that your
named/bind user has permission to write to the new one you just created.

At least, this is how I interpreted your problem. Forgive me if you have
already done these things...

Dan

-- 
Daniel Bye
PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
Running named in a sandbox...problems with /var/run/named.pid
Dear FreeBSD Community,

I am trying to run named (bind) in a sandbox using the default flags found
in the config files. I've got this in my /etc/rc.conf file:

named_enable=YES              # Run named, the DNS server (or NO).
named_flags=-u bind -g bind   # Flags for named

I also did a chown -R bind:bind to my secondary DNS directory, so all
updates work with the new bind userID and group (53).

[/etc/group]
bind:*:53:

The problem comes when I use /usr/sbin/named.reload ... I get an error
message that named can't write the /var/run/named.pid file. It seems unable
to delete and rewrite named.pid.

I've tried various group permissions for /var/run to allow the bind user to
create this file, but I can't seem to make this error go away.

Is there an obvious trick to running named in a sandbox under the FreeBSD
4.7 standard distro?

Thank you!

Jon Backstrom
[EMAIL PROTECTED]

P.S. - In the /etc/defaults/rc.conf file, there is a comment that it *may*
be possible to run named in a sandbox...but the docs in man security don't
mention anything about the problems with /var/run/named.pid.

# named. It may be possible to run named in a sandbox, man security for
# details.
#
named_enable=NO                 # Run named, the DNS server (or NO).
named_program=/usr/sbin/named   # path to named, if you want a different one.
#named_flags=-u bind -g bind    # Flags for named
Re: Running named in a sandbox...problems with /var/run/named.pid
Hi,

On Tue, 2003-01-07 at 07:06, Jon W. Backstrom wrote:
> Dear FreeBSD Community,
>
> I am trying to run named (bind) in a sandbox using the default flags found
> in the config files. I've got this in my /etc/rc.conf file:
>
> named_enable=YES              # Run named, the DNS server (or NO).
> named_flags=-u bind -g bind   # Flags for named
>
> I also did a chown -R bind:bind to my secondary DNS directory, so all
> updates work with the new bind userID and group (53).
>
> [/etc/group]
> bind:*:53:

You might want to check against the procedures laid out in the Handbook
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/dns.html#NAMED-SANDBOX)
so as to ensure that you have indeed performed all of the required steps.
In particular:

  - Make a dev/null that named can see and write to
  - Symlink /var/run/ndc to /etc/namedb/var/run/ndc
  - Configure syslogd(8) to create an extra log socket that named can
    write to
  - Arrange to have named start and chroot itself to the sandbox by adding
    corresponding lines to /etc/rc.conf

Hope this helps.

Regards,

Stacey

> The problem comes when I use /usr/sbin/named.reload ... I get an error
> message that named can't write the /var/run/named.pid file. It seems
> unable to delete and rewrite named.pid.
>
> I've tried various group permissions for /var/run to allow the bind user
> to create this file, but I can't seem to make this error go away.
>
> Is there an obvious trick to running named in a sandbox under the FreeBSD
> 4.7 standard distro?
>
> Thank you!
>
> Jon Backstrom
> [EMAIL PROTECTED]
>
> P.S. - In the /etc/defaults/rc.conf file, there is a comment that it
> *may* be possible to run named in a sandbox...but the docs in man
> security don't mention anything about the problems with
> /var/run/named.pid.
>
> # named. It may be possible to run named in a sandbox, man security for
> # details.
> #
> named_enable=NO                 # Run named, the DNS server (or NO).
> named_program=/usr/sbin/named   # path to named, if you want a different one.
> #named_flags=-u bind -g bind    # Flags for named

-- 
Stacey Roberts
B.Sc (HONS) Computer Science
Web: www.vickiandstacey.com
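The two replies above describe the same fix from different angles: named
calls chroot() before it writes its pidfile, so the sandbox root needs its
own var/run that the bind user can write, plus a few host-side symlinks so
that tools running outside the chroot (named.reload, ndc) still find the
pidfile and control socket. The script below is an added example written for
this page, not code from the thread or from the FreeBSD Handbook. It assumes
the Handbook's sandbox root /etc/namedb, that named is started with
"-u bind -g bind -t <root>" (the BIND 8 -t flag sets the chroot directory),
that named.conf names its pidfile as /var/run/named.pid relative to that
root, and that FreeBSD 4.x's null device is char major 2 minor 2; all of
these are assumptions to check against your own system. The directory
layout and symlinks are created by plain mkdir/ln, so the functions can be
rehearsed as an unprivileged user in a scratch directory before the real
run as root.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD Handbook): lay out a
# chroot sandbox for BIND 8 so that named, which calls chroot() before it
# writes its pidfile, can create var/run/named.pid inside the sandbox.
# Assumptions: sandbox root /etc/namedb, named started with
# "-u bind -g bind -t $NAMED_ROOT", pidfile path in named.conf given
# relative to that root.
set -u

NAMED_ROOT="${NAMED_ROOT:-/etc/namedb}"  # chroot target (assumption)
HOST_RUN="${HOST_RUN:-/var/run}"         # where unsandboxed tools look
BIND_USER="${BIND_USER:-bind}"
BIND_GROUP="${BIND_GROUP:-bind}"

# 1. Directories named must see after chroot(). Only var/run is handed to
#    the bind user; named.conf and the zone files stay root-owned so a
#    compromised named cannot rewrite its own configuration.
make_sandbox_tree() {
    root="$1"
    mkdir -p "$root/var/run" "$root/dev" "$root/etc" || return 1
    chmod 755 "$root/var/run" || return 1
    # chown fails harmlessly when rehearsing unprivileged or when the bind
    # user does not exist yet; on the real system it must succeed.
    chown "$BIND_USER:$BIND_GROUP" "$root/var/run" 2>/dev/null || true
    return 0
}

# 2. A dev/null inside the sandbox. mknod needs root; major/minor 2/2 is
#    FreeBSD 4.x's null device (assumption: adjust for other systems).
#    Skipped, not faked, when not running as root.
make_dev_null() {
    root="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: skipping mknod $root/dev/null" >&2
        return 0
    fi
    [ -c "$root/dev/null" ] || mknod "$root/dev/null" c 2 2 || return 1
    chmod 666 "$root/dev/null"
}

# 3. Make the sandboxed pidfile and ndc socket reachable at the paths that
#    tools outside the chroot (named.reload, ndc) expect.
link_host_paths() {
    root="$1"; host_run="$2"
    ln -sf "$root/var/run/named.pid" "$host_run/named.pid" || return 1
    ln -sf "$root/var/run/ndc" "$host_run/ndc" || return 1
    return 0
}

# 4. rc.conf fragment. Flag spelling is an assumption for BIND 8 on 4.x:
#    -t sets the chroot directory; syslogd -l adds a log socket named can
#    reach from inside the sandbox.
print_rc_conf() {
    root="$1"
    printf 'named_enable="YES"\n'
    printf 'named_flags="-u %s -g %s -t %s"\n' "$BIND_USER" "$BIND_GROUP" "$root"
    printf 'syslogd_flags="-l %s/dev/log"\n' "$root"
}

# Pre-flight check: the post-chroot runtime dir exists and is writable by
# whoever runs this, and the host-side pidfile symlink points into the
# sandbox rather than at a stale file under the old /var/run.
sandbox_ready() {
    root="$1"; host_run="$2"
    [ -d "$root/var/run" ] && [ -w "$root/var/run" ] || return 1
    [ -L "$host_run/named.pid" ] || return 1
    [ "$(readlink "$host_run/named.pid")" = "$root/var/run/named.pid" ] || return 1
    return 0
}

build_sandbox() {
    root="$1"; host_run="$2"
    make_sandbox_tree "$root" && make_dev_null "$root" && \
        link_host_paths "$root" "$host_run" && sandbox_ready "$root" "$host_run"
}

# Touches the live system only when explicitly asked, so the file can be
# sourced for rehearsal without side effects.
if [ "${RUN_SANDBOX_SETUP:-0}" = "1" ]; then
    build_sandbox "$NAMED_ROOT" "$HOST_RUN" || exit 1
    print_rc_conf "$NAMED_ROOT"
fi
```

Run it as root with RUN_SANDBOX_SETUP=1 to build the real layout, then
confirm the ownership step actually took (su -m bind -c "touch
/etc/namedb/var/run/x" or equivalent) before restarting named; the
unprivileged rehearsal cannot verify that part. After the sandbox works,
restore /var/run to its original permissions as Dan suggests: widening it
for the bind user was never needed and gives every other daemon's pidfile
one more writer.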