Completely revise section on running named in a sandbox.

Submitted by:	Ceri <setantae@submonkey.net>
PR:		docs/32381
This commit is contained in:
Chern Lee 2001-12-22 01:41:16 +00:00
parent ff3c3b231e
commit adfc20c931
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=11504


@ -4150,8 +4150,8 @@ www IN CNAME @</programlisting>
<sect2info>
<authorgroup>
<author>
<firstname>Mike</firstname>
<surname>Makonnen</surname>
<firstname>Ceri</firstname>
<surname>Davies</surname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
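Review bot: the `<sect2info>` author block now names Ceri Davies in place of Mike Makonnen rather than alongside him, so the original contributor's credit for this section disappears. Since `<authorgroup>` exists precisely to hold several `<author>` elements, consider keeping the existing entry and adding a second `<author>` for the reviser, unless none of the original text survives the rewrite; the commit message ("Completely revise") suggests that may be the intent, but the hunk itself does not show it.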
@ -4166,105 +4166,229 @@ www IN CNAME @</programlisting>
<indexterm>
<primary><command>chroot</command></primary>
</indexterm>
<para>For added security you may want to run &man.named.8; in a
sandbox. This will reduce the potential damage should it be
compromised. If you include a sandbox directory in its command
line, named will &man.chroot.8;
into that directory immediately upon finishing processing its
command line. It is also a good idea to have named run as a
non-privileged user in the sandbox. The default FreeBSD install
contains a user bind with group bind. If we wanted the sandbox in
the <filename>/etc/namedb/sandbox</filename> directory the command
line for named would look like this:
</para>
<screen> &prompt.root; <userinput>/usr/sbin/named -u bind -g bind -t /etc/namedb/sandbox &lt;path_to_named.conf> </userinput></screen>
<para>For added security you may want to run &man.named.8; as an
unprivileged user, and configure it to &man.chroot.8; into a
sandbox directory. This makes everything outside of the sandbox
inaccessible to the <application>named</application> daemon. Should
<application>named</application> be compromised, this will help to
reduce the damage that can be caused. By default, FreeBSD has a user
and a group called <groupname>bind</groupname>, intended for this
use.</para>
<para>The following steps should be taken in order to
successfully run named in a sandbox. Throughout the following
discussion we will assume the path to your sandbox is
<filename>/etc/namedb/sandbox</filename>
</para>
<note><para>Various people would recommend that instead of configuring
<application>named</application> to <command>chroot</command>, you
should run <application>named</application> inside a &man.jail.8;. This
section does not attempt to cover this situation.</para>
</note>
<para>Since <application>named</application> will not be able to
access anything outside of the sandbox (such as shared
libraries, log sockets, and so on), there are a number of steps
that need to be followed in order to allow
<application>named</application> to function correctly. In the
following checklist, it is assumed that the path to the sandbox
is <filename>/etc/namedb</filename> and that you have made no
prior modifications to the contents of this directory. Perform
the following steps as root.</para>
<itemizedlist>
<listitem>
<para>Create the sandbox directory:
<filename>/etc/namedb/sandbox</filename></para>
</listitem>
<listitem>
<para>Create other necessary directories off of the sandbox
directory: <filename>etc</filename> and
<filename>var/run</filename></para>
</listitem>
<listitem>
<para>copy <filename>/etc/localtime</filename> to
<filename>sandbox/etc</filename>
</para>
</listitem>
<listitem>
<para>make bind:bind the owner of all files and directories in
the sandbox:
<screen>&prompt.root; <userinput>chown -R bind:bind /etc/namedb/sandbox</userinput> </screen>
<screen>&prompt.root; <userinput>chmod -R 750 /etc/namedb/sandbox</userinput> </screen>
</para>
</listitem>
<listitem>
<para>Create all directories that <application>named</application>
expects to see:</para>
<screen>&prompt.root; <userinput>cd /etc/namedb</userinput>
&prompt.root; <userinput>mkdir -p bin dev etc var/tmp var/run master slave</userinput>
&prompt.root; <userinput>chown bind:bind slave var/*</userinput><co id="chown-slave"></screen>
<calloutlist>
<callout arearefs="chown-slave">
<para><application>named</application> only needs write access to
these directories, so that is all we give it.</para>
</callout>
</calloutlist>
</listitem>
<listitem>
<para>Rearrange and create basic zone and configuration files:</para>
<screen>&prompt.root; <userinput>cp /etc/localtime etc</userinput><co id="localtime">
&prompt.root; <userinput>mv named.conf etc && ln -sf etc/named.conf</userinput>
&prompt.root; <userinput>mv named.root master</userinput>
<!-- I don't like this next bit -->
&prompt.root; <userinput>sh make-localhost && mv localhost.rev master</userinput>
&prompt.root; <userinput>cat > named.localhost
$ORIGIN localhost.
$TTL 6h
@ IN SOA localhost. postmaster.localhost. (
1 ; serial
3600 ; refresh
1800 ; retry
604800 ; expiration
3600 ) ; minimum
IN NS localhost.
IN A 127.0.0.1
^D</userinput></screen>
<calloutlist>
<callout arearefs="localtime">
<para>This allows <application>named</application> to log the
correct time to &man.syslogd.8;</para>
</callout>
</calloutlist>
</listitem>
<listitem>
<para>Build a statically linked copy of
<application>named-xfer</application>, and copy it into the sandbox:</para>
<screen>&prompt.root; <userinput>cd /usr/src/lib/libisc && make clean all</userinput>
&prompt.root; <userinput>cd /usr/src/lib/libbind && make clean all</userinput>
&prompt.root; <userinput>cd /usr/src/libexec/named-xfer && make NOSHARED=yes all</userinput>
&prompt.root; <userinput>cp named-xfer /etc/namedb/bin && chmod 555 /etc/namedb/bin/named-xfer</userinput></screen>
</listitem>
<listitem>
<para>Make a <devicename>dev/null</devicename> that
<application>named</application> can see and write to:</para>
<screen>&prompt.root; <userinput>cd /etc/namedb/dev && mknod null c 2 2</userinput>
&prompt.root; <userinput>chmod 666 null</userinput></screen>
</listitem>
<listitem>
<para>Symlink <filename> /var/run/ndc</filename> to
<filename>/etc/namedb/var/run/ndc</filename>:</para>
<screen>&prompt.root; <userinput>ln -sf /etc/namedb/var/run/ndc /var/run/ndc</userinput></screen>
<note>
<para>This simply avoids having to specify the
<option>-c</option> option to &man.ndc.8; every time you
run it. If this is something that you find useful, you
may wish to add this entry to root's crontab, making use
of the <option>@reboot</option> option. See
&man.crontab.5; for more information regarding
this.</para>
</note>
</listitem>
<listitem>
<para>Configure &man.syslogd.8; to create an extra
<devicename>log</devicename> socket that
<application>named</application> can write to. To do this,
add <literal>-l /etc/namedb/dev/log</literal> to the
<varname>syslogd_flags</varname> variable in
<filename>/etc/rc.conf</filename>.</para>
</listitem>
<listitem>
<para>Arrange to have <application>named</application> start
and <command>chroot</command> itself to the sandbox by
adding the following to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>named_enable="YES"
named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"</programlisting>
<note>
<para>Note that the configuration file
<replaceable>/etc/named.conf</replaceable> is denoted by a full
pathname <emphasis>relative to the sandbox</emphasis>, i.e. in
the line above, the file referred to is actually
<filename>/etc/namedb/etc/named.conf</filename>/</para>
</note>
</listitem>
</itemizedlist>
<para>There are some issues you need to be aware of when running
named in a sandbox.</para>
<para>The next step is to edit
<filename>/etc/namedb/etc/named.conf</filename> so that
<application>named</application> knows which zones to load and
where to find them on the disk. There follows a commented
example (anything not specifically commented here is no
different from the setup for a DNS server not running in a
sandbox):</para>
<itemizedlist>
<listitem>
<para>Your &man.named.conf.5; file and all your zone files must
be in the sandbox
</para>
</listitem>
<listitem>
<para><filename>sandbox/etc/localtime</filename> is needed
in order to have the correct time for your time zone in
log messages.</para>
</listitem>
<listitem>
<para> &man.named.8; will write its process id to a file in
<filename>sandbox/var/run</filename></para>
</listitem>
<listitem>
<para>The Unix socket used for communication by the &man.ndc.8;
utility will be created in
<filename>sandbox/var/run</filename></para>
</listitem>
<listitem>
<para>When using the &man.ndc.8; utility you need to specify the
location of the Unix socket created in the sandbox, by
&man.named.8;, by using the -c switch:
<command>&prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndc</command>
</para>
</listitem>
<listitem>
<para>If you enable logging to file, the log files must be
in the sandbox</para>
</listitem>
</itemizedlist>
<programlisting>options {
directory "/";<co id="directory">
named-xfer "/bin/named-xfer";<co id="named-xfer">
version ""; // Don't reveal BIND version
query-source address * port 53;
};
// ndc control socket
controls {
unix "/var/run/ndc" perm 0600 owner 0 group 0;
};
// Zones follow:
zone "localhost" IN {
type master;
file "master/named.localhost";<co id="master">
allow-transfer { localhost; };
notify no;
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "master/named.loopback";
allow-transfer { localhost; };
notify no;
};
zone "." IN {
type hint;
file "master/named.root";
};
zone "private.example.net" in {
type master;
file "master/private.example.net.db";
allow-transfer { 192.168.10.0/24; };
};
zone "10.168.192.in-addr.arpa" in {
type slave;
masters { 192.168.10.2; };
file "slave/192.168.10.db";<co id="slave">
};</programlisting>
<para>&man.named.8; can be started in a sandbox properly, if the
following is in <filename>/etc/rc.conf</filename>:
</para>
<programlisting>named_flags="-u bind -g bind -t /etc/namedb/sandbox &lt;path_to_named.conf>"</programlisting>
</sect2>
<calloutlist>
<callout arearefs="directory">
<para>The
<literal>directory</literal> statement is specified as
<filename>/</filename>, since all files that
<application>named</application> needs are within this
directory (recall that this is equivalent to a
<quote>normal</quote> user's
<filename>/etc/namedb</filename>.</para>
</callout>
<sect2>
<title>How to Use the Name Server</title>
<callout arearefs="named-xfer">
<para>Specifies the full path
to the <command>named-xfer</command> binary (from
<application>named</application>'s frame of reference). This
is necessary since <application>named</application> is
compiled to look for <command>named-xfer</command> in
<filename>/usr/libexec</filename> by default.</para>
</callout>
<callout arearefs="master"><para>Specifies the filename (relative
to the <literal>directory</literal> statement above) where
<application>named</application> can find the zonefile for this
zone.</para>
</callout>
<callout arearefs="slave"><para>Specifies the filename
(relative to the <literal>directory</literal> statement above)
where <application>named</application> should write a copy of
the zonefile for this zone after successfully transferring it
from the master server. This is why we needed to change the
ownership of the directory <filename>slave</filename> to
<groupname>bind</groupname> in the setup stages above.</para>
</callout>
</calloutlist>
<para>If setup properly, the name server should be accessible through
the network and locally. <filename>/etc/resolv.conf</filename> must
contain a name server entry with the local IP address so it will query the
local name server first.
</para>
<para>After completing the steps above, either reboot your
server or restart &man.syslogd.8 and start &man.named.8, making
sure to use the new options specified in
<varname>syslogd_flags</varname> and
<varname>named_flags</varname>. You should now be running a
sandboxed copy of <application>named</application>!</para>
<para>
To access it over the network, the machine must have the
name server's IP address set properly in its own name server
configuration options.
</para>
</sect2>
<sect2>
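Review bot: the zone-file names in the new checklist and the new `named.conf` example do not line up. The "Rearrange and create basic zone and configuration files" step runs `sh make-localhost && mv localhost.rev master`, producing `master/localhost.rev`, while the `0.0.127.in-addr.arpa` zone in the example config reads `file "master/named.loopback";`; likewise `cat > named.localhost` is executed in `/etc/namedb` and writes `named.localhost` there, but the `localhost` zone points at `file "master/named.localhost";`. Either write the files under `master/` with those exact names (e.g. `cat > master/named.localhost` and `mv localhost.rev master/named.loopback`) or change the `file` statements to match, otherwise named will fail to load both zones on first start. Smaller points in the same hunk: the editorial SGML comment `<!-- I don't like this next bit -->` should not ship in the source; the note on `named_flags` ends with a stray `/` after `</filename>`; and `&man.syslogd.8` and `&man.named.8` in the closing paragraph lack the terminating `;` that every other entity reference in the file uses.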