Completely revise section on running named in a sandbox.

Submitted by:	Ceri <setantae@submonkey.net>
PR:		docs/32381

en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml

@@ -4150,8 +4150,8 @@ www             IN CNAME        @</programlisting>
       <sect2info>
         <authorgroup>
           <author>
-            <firstname>Mike</firstname>
+            <firstname>Ceri</firstname>
-            <surname>Makonnen</surname>
+            <surname>Davies</surname>
             <contrib>Contributed by </contrib>
           </author>
         </authorgroup>
@@ -4166,105 +4166,229 @@ www             IN CNAME        @</programlisting>
       <indexterm>
         <primary><command>chroot</command></primary>
       </indexterm>
-      <para>For added security you may want to run &man.named.8; in a 
+      <para>For added security you may want to run &man.named.8; as an
-        sandbox. This will reduce the potential damage should it be 
+	unprivileged user, and configure it to &man.chroot.8; into a
-        compromised. If you include a sandbox directory in its command 
+	sandbox directory. This makes everything outside of the sandbox
-        line, named will &man.chroot.8;
+	inaccessible to the <application>named</application> daemon. Should
-        into that directory immediately upon finishing processing its
+	<application>named</application> be compromised, this will help to
-        command line. It is also a good idea to have named run as a
+	reduce the damage that can be caused. By default, FreeBSD has a user
-        non-privileged user in the sandbox. The default FreeBSD install
+	and a group called <groupname>bind</groupname>, intended for this 
-        contains a user bind with group bind. If we wanted the sandbox in
+	use.</para>
-        the <filename>/etc/namedb/sandbox</filename> directory the command 
-        line for named would look like this:
-      </para>
-      <screen> &prompt.root; <userinput>/usr/sbin/named -u bind -g bind -t /etc/namedb/sandbox &lt;path_to_named.conf> </userinput></screen>
 
-      <para>The following steps should be taken in order to 
+      <note><para>Various people would recommend that instead of configuring
-        successfully run named in a sandbox. Throughout the following 
+	<application>named</application> to <command>chroot</command>, you
-        discussion we will assume the path to your sandbox is 
+	should run <application>named</application> inside a &man.jail.8;. This
-        <filename>/etc/namedb/sandbox</filename>
+	section does not attempt to cover this situation.</para>
-      </para>
+      </note>
+
+      <para>Since <application>named</application> will not be able to
+	access anything outside of the sandbox (such as shared
+	libraries, log sockets, and so on), there are a number of steps
+	that need to be followed in order to allow
+	<application>named</application> to function correctly. In the
+	following checklist, it is assumed that the path to the sandbox
+	is <filename>/etc/namedb</filename> and that you have made no
+	prior modifications to the contents of this directory. Perform
+	the following steps as root.</para>
 
       <itemizedlist>
-        <listitem>
+	<listitem>
-          <para>Create the sandbox directory: 
+	  <para>Create all directories that <application>named</application>
-            <filename>/etc/namedb/sandbox</filename></para>
+	    expects to see:</para>
-        </listitem>
+
-        <listitem>
+	  <screen>&prompt.root; <userinput>cd /etc/namedb</userinput>
-        <para>Create other necessary directories off of the sandbox
+&prompt.root; <userinput>mkdir -p bin dev etc var/tmp var/run master slave</userinput>
-          directory: <filename>etc</filename> and 
+&prompt.root; <userinput>chown bind:bind slave var/*</userinput><co id="chown-slave"></screen>
-          <filename>var/run</filename></para>
+
-        </listitem>
+
-        <listitem>
+
-         <para>copy <filename>/etc/localtime</filename> to 
+	  <calloutlist>
-           <filename>sandbox/etc</filename>
+	    <callout arearefs="chown-slave">
-         </para>
+	      <para><application>named</application> only needs write access to
-        </listitem>
+		these directories, so that is all we give it.</para>
-        <listitem>
+	    </callout>
-          <para>make bind:bind the owner of all files and directories in 
+	  </calloutlist>
-            the sandbox:
+	</listitem>
-            <screen>&prompt.root; <userinput>chown -R bind:bind /etc/namedb/sandbox</userinput> </screen>
+
-            <screen>&prompt.root; <userinput>chmod -R 750 /etc/namedb/sandbox</userinput> </screen>
+	<listitem>
-          </para>
+	  <para>Rearrange and create basic zone and configuration files:</para>
-        </listitem>
+	  <screen>&prompt.root; <userinput>cp /etc/localtime etc</userinput><co id="localtime">
+&prompt.root; <userinput>mv named.conf etc && ln -sf etc/named.conf</userinput>
+&prompt.root; <userinput>mv named.root master</userinput>
+<!-- I don't like this next bit -->
+&prompt.root; <userinput>sh make-localhost && mv localhost.rev master</userinput>
+&prompt.root; <userinput>cat > named.localhost
+$ORIGIN localhost.
+$TTL 6h
+@	IN	SOA	localhost. postmaster.localhost. (
+			1	; serial
+			3600	; refresh
+			1800	; retry
+			604800	; expiration
+			3600 )	; minimum
+	IN	NS	localhost.
+	IN	A		127.0.0.1
+^D</userinput></screen>
+
+	  <calloutlist>
+	    <callout arearefs="localtime">
+	      <para>This allows <application>named</application> to log the
+		correct time to &man.syslogd.8;</para>
+	    </callout>
+	  </calloutlist>
+	</listitem>
+
+	<listitem>
+	  <para>Build a statically linked copy of
+	    <application>named-xfer</application>, and copy it into the sandbox:</para>
+
+	      <screen>&prompt.root; <userinput>cd /usr/src/lib/libisc && make clean all</userinput>
+&prompt.root; <userinput>cd /usr/src/lib/libbind && make clean all</userinput>
+&prompt.root; <userinput>cd /usr/src/libexec/named-xfer && make NOSHARED=yes all</userinput>
+&prompt.root; <userinput>cp named-xfer /etc/namedb/bin && chmod 555 /etc/namedb/bin/named-xfer</userinput></screen>
+	</listitem>
+
+	<listitem>
+	  <para>Make a <devicename>dev/null</devicename> that
+	    <application>named</application> can see and write to:</para>
+
+	  <screen>&prompt.root; <userinput>cd /etc/namedb/dev && mknod null c 2 2</userinput>
+&prompt.root; <userinput>chmod 666 null</userinput></screen>
+	</listitem>
+
+	<listitem>
+	  <para>Symlink <filename> /var/run/ndc</filename> to
+	    <filename>/etc/namedb/var/run/ndc</filename>:</para>
+
+	  <screen>&prompt.root; <userinput>ln -sf /etc/namedb/var/run/ndc /var/run/ndc</userinput></screen>
+
+	  <note>
+	    <para>This simply avoids having to specify the
+	      <option>-c</option> option to &man.ndc.8; every time you
+	      run it.  If this is something that you find useful, you
+	      may wish to add this entry to root's crontab, making use
+	      of the <option>@reboot</option> option. See
+	      &man.crontab.5; for more information regarding
+	      this.</para>
+	  </note>
+
+	</listitem>
+
+	<listitem>
+	  <para>Configure &man.syslogd.8; to create an extra
+	    <devicename>log</devicename> socket that
+	    <application>named</application> can write to. To do this,
+	    add <literal>-l /etc/namedb/dev/log</literal> to the
+	    <varname>syslogd_flags</varname> variable in
+	    <filename>/etc/rc.conf</filename>.</para>
+	</listitem>
+
+	<listitem>
+	  <para>Arrange to have <application>named</application> start
+	    and <command>chroot</command> itself to the sandbox by
+	    adding the following to
+	    <filename>/etc/rc.conf</filename>:</para>
+
+	  <programlisting>named_enable="YES"
+named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"</programlisting>
+
+	  <note>
+	    <para>Note that the configuration file 
+	    <replaceable>/etc/named.conf</replaceable> is denoted by a full
+	    pathname <emphasis>relative to the sandbox</emphasis>, i.e. in
+	    the line above, the file referred to is actually
+	    <filename>/etc/namedb/etc/named.conf</filename>/</para>
+	  </note>
+	</listitem>
       </itemizedlist>
 
-      <para>There are some issues you need to be aware of when running
+      <para>The next step is to edit
-         named in a sandbox.</para>
+	<filename>/etc/namedb/etc/named.conf</filename> so that
+	<application>named</application> knows which zones to load and
+	where to find them on the disk. There follows a commented
+	example (anything not specifically commented here is no
+	different from the setup for a DNS server not running in a
+	sandbox):</para>
 
-      <itemizedlist>
+	<programlisting>options {
-        <listitem>
+        directory "/";<co id="directory">
-        <para>Your &man.named.conf.5; file and all your zone files must 
+        named-xfer "/bin/named-xfer";<co id="named-xfer">
-           be in the sandbox
+        version "";		// Don't reveal BIND version
-          </para>
+        query-source address * port 53;
-        </listitem>
+};
-        <listitem>
+// ndc control socket
-          <para><filename>sandbox/etc/localtime</filename> is needed
+controls {
-            in order to have the correct time for your time zone in
+        unix "/var/run/ndc" perm 0600 owner 0 group 0;
-            log messages.</para>
+};
-        </listitem>
+// Zones follow:
-        <listitem>
+zone "localhost" IN {
-         <para> &man.named.8; will write its process id to a file in
+        type master;
-         <filename>sandbox/var/run</filename></para>
+        file "master/named.localhost";<co id="master">
-        </listitem>
+        allow-transfer { localhost; };
-        <listitem>
+        notify no;
-          <para>The Unix socket used for communication by the &man.ndc.8;
+};
-            utility will be created in 
+zone "0.0.127.in-addr.arpa" IN {
-            <filename>sandbox/var/run</filename></para>
+        type master;
-        </listitem>
+        file "master/named.loopback";
-        <listitem>
+        allow-transfer { localhost; };
-          <para>When using the &man.ndc.8; utility you need to specify the
+        notify no;
-            location of the Unix socket created in the sandbox, by
+};
-            &man.named.8;, by using the -c switch:
+zone "." IN {
-            <command>&prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndc</command>
+        type hint;
-	  </para>
+        file "master/named.root";
-        </listitem>
+};
-        <listitem>
+zone "private.example.net" in {
-          <para>If you enable logging to file, the log files must be
+        type master;
-          in the sandbox</para>
+        file "master/private.example.net.db";
-        </listitem>
+	allow-transfer { 192.168.10.0/24; };
-      </itemizedlist>
+};
+zone "10.168.192.in-addr.arpa" in {
+        type slave;
+        masters { 192.168.10.2; };
+        file "slave/192.168.10.db";<co id="slave">
+};</programlisting>
 
-      <para>&man.named.8; can be started in a sandbox properly, if the
+      <calloutlist>
-        following is in <filename>/etc/rc.conf</filename>:
+	<callout arearefs="directory">
-      </para>
+	  <para>The
-      <programlisting>named_flags="-u bind -g bind -t /etc/namedb/sandbox &lt;path_to_named.conf>"</programlisting>
+	    <literal>directory</literal> statement is specified as
-    </sect2>
+	    <filename>/</filename>, since all files that
+	    <application>named</application> needs are within this
+	    directory (recall that this is equivalent to a
+	    <quote>normal</quote> user's
+	    <filename>/etc/namedb</filename>.</para>
+	</callout>
 
-    <sect2>
+	<callout arearefs="named-xfer">
-      <title>How to Use the Name Server</title>
+	  <para>Specifies the full path
+	    to the <command>named-xfer</command> binary (from
+	    <application>named</application>'s frame of reference).  This
+	    is necessary since <application>named</application> is
+	    compiled to look for <command>named-xfer</command> in
+	    <filename>/usr/libexec</filename> by default.</para>
+	</callout>
+	<callout arearefs="master"><para>Specifies the filename (relative
+	  to the <literal>directory</literal> statement above) where
+	  <application>named</application> can find the zonefile for this
+	  zone.</para>
+	</callout>
+	<callout arearefs="slave"><para>Specifies the filename
+	    (relative to the <literal>directory</literal> statement above)
+	    where <application>named</application> should write a copy of
+	    the zonefile for this zone after successfully transferring it
+	    from the master server.  This is why we needed to change the
+	    ownership of the directory <filename>slave</filename> to
+	    <groupname>bind</groupname> in the setup stages above.</para>
+	</callout>
+      </calloutlist>
 
-      <para>If setup properly, the name server should be accessible through 
+      <para>After completing the steps above, either reboot your
-        the network and locally.  <filename>/etc/resolv.conf</filename> must 
+	server or restart &man.syslogd.8 and start &man.named.8, making
-        contain a name server entry with the local IP address so it will query the 
+	sure to use the new options specified in
-        local name server first.
+	<varname>syslogd_flags</varname> and
-      </para>
+	<varname>named_flags</varname>. You should now be running a
+	sandboxed copy of <application>named</application>!</para>
 
-      <para>
-        To access it over the network, the machine must have the
-        name server's IP address set properly in its own name server
-        configuration options.
-      </para>
     </sect2>
 
     <sect2>