diff --git a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml index 085dab698f..a4e7cdde20 100644 --- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml @@ -4150,8 +4150,8 @@ www IN CNAME @ - Mike - Makonnen + Ceri + Davies Contributed by 
@@ -4166,105 +4166,229 @@ www IN CNAME @ chroot - For added security you may want to run &man.named.8; in a - sandbox. This will reduce the potential damage should it be - compromised. If you include a sandbox directory in its command - line, named will &man.chroot.8; - into that directory immediately upon finishing processing its - command line. It is also a good idea to have named run as a - non-privileged user in the sandbox. The default FreeBSD install - contains a user bind with group bind. If we wanted the sandbox in - the /etc/namedb/sandbox directory the command - line for named would look like this: - - &prompt.root; /usr/sbin/named -u bind -g bind -t /etc/namedb/sandbox <path_to_named.conf> + For added security you may want to run &man.named.8; as an + unprivileged user, and configure it to &man.chroot.8; into a + sandbox directory. This makes everything outside of the sandbox + inaccessible to the named daemon. Should + named be compromised, this will help to + reduce the damage that can be caused. By default, FreeBSD has a user + and a group called bind, intended for this + use. - The following steps should be taken in order to - successfully run named in a sandbox. Throughout the following - discussion we will assume the path to your sandbox is - /etc/namedb/sandbox - + Various people would recommend that instead of configuring + named to chroot, you + should run named inside a &man.jail.8;. This + section does not attempt to cover this situation. + + + Since named will not be able to + access anything outside of the sandbox (such as shared + libraries, log sockets, and so on), there are a number of steps + that need to be followed in order to allow + named to function correctly. In the + following checklist, it is assumed that the path to the sandbox + is /etc/namedb and that you have made no + prior modifications to the contents of this directory. Perform + the following steps as root. 
- - Create the sandbox directory: - /etc/namedb/sandbox - - - Create other necessary directories off of the sandbox - directory: etc and - var/run - - - copy /etc/localtime to - sandbox/etc - - - - make bind:bind the owner of all files and directories in - the sandbox: - &prompt.root; chown -R bind:bind /etc/namedb/sandbox - &prompt.root; chmod -R 750 /etc/namedb/sandbox - - + + Create all directories that named + expects to see: + + &prompt.root; cd /etc/namedb +&prompt.root; mkdir -p bin dev etc var/tmp var/run master slave +&prompt.root; chown bind:bind slave var/* + + + + + + named only needs write access to + these directories, so that is all we give it. + + + + + + Rearrange and create basic zone and configuration files: + &prompt.root; cp /etc/localtime etc +&prompt.root; mv named.conf etc && ln -sf etc/named.conf +&prompt.root; mv named.root master + +&prompt.root; sh make-localhost && mv localhost.rev master +&prompt.root; cat > named.localhost +$ORIGIN localhost. +$TTL 6h +@ IN SOA localhost. postmaster.localhost. ( + 1 ; serial + 3600 ; refresh + 1800 ; retry + 604800 ; expiration + 3600 ) ; minimum + IN NS localhost. + IN A 127.0.0.1 +^D + + + + This allows named to log the + correct time to &man.syslogd.8; + + + + + + Build a statically linked copy of + named-xfer, and copy it into the sandbox: + + &prompt.root; cd /usr/src/lib/libisc && make clean all +&prompt.root; cd /usr/src/lib/libbind && make clean all +&prompt.root; cd /usr/src/libexec/named-xfer && make NOSHARED=yes all +&prompt.root; cp named-xfer /etc/namedb/bin && chmod 555 /etc/namedb/bin/named-xfer + + + + Make a dev/null that + named can see and write to: + + &prompt.root; cd /etc/namedb/dev && mknod null c 2 2 +&prompt.root; chmod 666 null + + + + Symlink /var/run/ndc to + /etc/namedb/var/run/ndc: + + &prompt.root; ln -sf /etc/namedb/var/run/ndc /var/run/ndc + + + This simply avoids having to specify the + option to &man.ndc.8; every time you + run it. 
If this is something that you find useful, you + may wish to add this entry to root's crontab, making use + of the option. See + &man.crontab.5; for more information regarding + this. + + + + + + Configure &man.syslogd.8; to create an extra + log socket that + named can write to. To do this, + add -l /etc/namedb/dev/log to the + syslogd_flags variable in + /etc/rc.conf. + + + + Arrange to have named start + and chroot itself to the sandbox by + adding the following to + /etc/rc.conf: + + named_enable="YES" +named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf" + + + Note that the configuration file + /etc/named.conf is denoted by a full + pathname relative to the sandbox, i.e. in + the line above, the file referred to is actually + /etc/namedb/etc/named.conf/ + + - There are some issues you need to be aware of when running - named in a sandbox. + The next step is to edit + /etc/namedb/etc/named.conf so that + named knows which zones to load and + where to find them on the disk. There follows a commented + example (anything not specifically commented here is no + different from the setup for a DNS server not running in a + sandbox): - - - Your &man.named.conf.5; file and all your zone files must - be in the sandbox - - - - sandbox/etc/localtime is needed - in order to have the correct time for your time zone in - log messages. 
- - - &man.named.8; will write its process id to a file in - sandbox/var/run - - - The Unix socket used for communication by the &man.ndc.8; - utility will be created in - sandbox/var/run - - - When using the &man.ndc.8; utility you need to specify the - location of the Unix socket created in the sandbox, by - &man.named.8;, by using the -c switch: - &prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndc - - - - If you enable logging to file, the log files must be - in the sandbox - - + options { + directory "/"; + named-xfer "/bin/named-xfer"; + version ""; // Don't reveal BIND version + query-source address * port 53; +}; +// ndc control socket +controls { + unix "/var/run/ndc" perm 0600 owner 0 group 0; +}; +// Zones follow: +zone "localhost" IN { + type master; + file "master/named.localhost"; + allow-transfer { localhost; }; + notify no; +}; +zone "0.0.127.in-addr.arpa" IN { + type master; + file "master/named.loopback"; + allow-transfer { localhost; }; + notify no; +}; +zone "." IN { + type hint; + file "master/named.root"; +}; +zone "private.example.net" in { + type master; + file "master/private.example.net.db"; + allow-transfer { 192.168.10.0/24; }; +}; +zone "10.168.192.in-addr.arpa" in { + type slave; + masters { 192.168.10.2; }; + file "slave/192.168.10.db"; +}; - &man.named.8; can be started in a sandbox properly, if the - following is in /etc/rc.conf: - - named_flags="-u bind -g bind -t /etc/namedb/sandbox <path_to_named.conf>" - + + + The + directory statement is specified as + /, since all files that + named needs are within this + directory (recall that this is equivalent to a + normal user's + /etc/namedb. + - - How to Use the Name Server + + Specifies the full path + to the named-xfer binary (from + named's frame of reference). This + is necessary since named is + compiled to look for named-xfer in + /usr/libexec by default. + + Specifies the filename (relative + to the directory statement above) where + named can find the zonefile for this + zone. 
+ + Specifies the filename + (relative to the directory statement above) + where named should write a copy of + the zonefile for this zone after successfully transferring it + from the master server. This is why we needed to change the + ownership of the directory slave to + bind in the setup stages above. + + - If setup properly, the name server should be accessible through - the network and locally. /etc/resolv.conf must - contain a name server entry with the local IP address so it will query the - local name server first. - + After completing the steps above, either reboot your + server or restart &man.syslogd.8 and start &man.named.8, making + sure to use the new options specified in + syslogd_flags and + named_flags. You should now be running a + sandboxed copy of named! - - To access it over the network, the machine must have the - name server's IP address set properly in its own name server - configuration options. -
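Review bot: In the first hunk the "Contributed by" credit replaces Mike Makonnen with Ceri Davies outright; since the rewritten section still builds on the original sandbox material (same `-u bind -g bind -t` invocation, same `/etc/localtime` and `var/run` points), consider keeping the original contributor alongside the new one rather than dropping the credit.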
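Review bot: The zone file names created in the second hunk's setup steps do not match the names the example `named.conf` later loads, so a reader who follows the checklist literally ends up with a server that cannot find its localhost zones. Step 2 runs `cd /etc/namedb` and then `cat > named.localhost`, which writes the file into `/etc/namedb` rather than `/etc/namedb/master`, while the config references `file "master/named.localhost";`; and `sh make-localhost && mv localhost.rev master` produces `master/localhost.rev`, while the `0.0.127.in-addr.arpa` zone references `file "master/named.loopback";`. Either change the commands to `cat > master/named.localhost` and `mv localhost.rev master/named.loopback`, or change the two `file` statements to match what the steps create. Two smaller points in the same hunk: `/etc/namedb/etc/named.conf/` carries a trailing slash on what is a file path, and "restart &man.syslogd.8 and start &man.named.8" is missing the closing `;` on both entity references, which will not render.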