Running BIND in a Sandbox


As you saw in Chapter 27, "Configuring an FTP Server," it's often advisable (for security purposes) to run certain services within what's known as a sandbox: a directory structure that has been pruned off so that, to the service, it appears to be all that exists in the filesystem. In FTP, this is known as a chroot jail; the effective "root" of the filesystem is changed so that the server and the processes it creates cannot see anything above a certain point in the directory tree. BIND provides the same kind of capability, although most of the documentation refers to it as a "sandbox" rather than as a "chroot jail." The concept is the same, however. Bear in mind that a chroot is a containment measure, not a complete security boundary: a process that retains root privileges inside a chroot can generally break out of it, so the protection depends on named also running as an unprivileged user. FreeBSD's startup script does this for you, starting named as the user given by named_uid in rc.conf (bind by default).

FreeBSD runs named in a sandbox by default. (This is a precaution that was taken in response to a number of security flaws found in named in recent years.) The sandbox root is the /var/named directory; if you look inside this directory you'll find subdirectories named dev, etc, and var, all of which are necessary to the internal operation of named (which cannot see into the real /dev, /etc, and /var directories when it's running in chroot mode). A second device filesystem (devfs) is mounted at /var/named/dev when named is enabled, because named needs device nodes such as /dev/null and /dev/random that it could not otherwise reach from inside the chroot. This may look surprising when you see it in the output of df, but rest assured that it's necessary for named to operate properly in the sandbox.

A set of symbolic links is in place to ensure that you don't have to deal with the esoteric /var/named directory tree. /etc/namedb, traditionally the configuration directory for named, is a symlink in FreeBSD that points to /var/named/etc/namedb; thus, you can put your zone files inside /etc/namedb/master, and they'll actually be going into /var/named/etc/namedb/master, the correct location within the chroot sandbox.

Tip

The default configuration of running named in a sandbox was instituted in the middle of the FreeBSD 5.x series. Prior to that, zone files were kept directly in /etc/namedb, which at the time was a regular directory. If you're maintaining a legacy installation of FreeBSD, you should migrate your zone files to the new layout by copying them into /var/named/etc/namedb/master (or slave), and then removing the /etc/namedb directory and replacing it with a symlink to /var/named/etc/namedb. This will allow the /etc/rc.d/named script to launch named properly with its chroot protections.


It's inadvisable to try to turn off or defeat the sandbox behavior of named, but sometimes it's what the situation demands. If you absolutely have to run named outside its sandbox, you can do so by adding the following line to /etc/rc.conf:

named_chrootdir=""
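The following script is an added example, not code from the book or from FreeBSD itself. It checks the sandbox layout described above: that the chroot tree has the dev, etc, and var subdirectories and the master and slave zone directories, that the device nodes named needs are present under dev, and that /etc/namedb is a symlink into the chroot rather than a leftover legacy directory (listing any zone files that still need migrating). It also reports whether rc.conf explicitly sets named_chrootdir="" to turn the sandbox off. The paths default to the FreeBSD 6 layout but are parameters, so the functions can be exercised against a scratch directory tree; the function names are the author's own.

```sh
#!/bin/sh
# check_named_sandbox.sh -- sanity-check the named chroot layout (added example,
# not part of FreeBSD or the book). Assumes the FreeBSD 6 defaults of
# /var/named as the chroot and /etc/namedb as the symlink into it.

# check_sandbox CHROOTDIR LINKPATH
# Prints each problem found; returns 0 only if the layout is consistent.
check_sandbox() {
    chroot_dir="$1"
    link_path="$2"
    status=0

    # Directories named expects to find relative to its new root.
    for d in dev etc var etc/namedb etc/namedb/master etc/namedb/slave; do
        if [ ! -d "$chroot_dir/$d" ]; then
            echo "missing directory: $chroot_dir/$d"
            status=1
        fi
    done

    # On a live system these are device nodes supplied by the devfs mounted
    # at CHROOTDIR/dev; only existence is tested so a scratch tree can use
    # plain files (assumption: null and random are the nodes named needs).
    for dev in null random; do
        if [ ! -e "$chroot_dir/dev/$dev" ]; then
            echo "missing device node: $chroot_dir/dev/$dev (is devfs mounted there?)"
            status=1
        fi
    done

    # /etc/namedb must be a symlink to CHROOTDIR/etc/namedb. A real directory
    # means the pre-5.x legacy layout: list the files that need migrating.
    if [ -L "$link_path" ]; then
        target=$(readlink "$link_path")
        if [ "$target" != "$chroot_dir/etc/namedb" ]; then
            echo "$link_path points to $target, expected $chroot_dir/etc/namedb"
            status=1
        fi
    elif [ -d "$link_path" ]; then
        echo "$link_path is a regular directory (legacy layout); migrate to $chroot_dir/etc/namedb/master or slave:"
        for f in "$link_path"/*; do
            [ -f "$f" ] && echo "  $f"
        done
        status=1
    else
        echo "$link_path does not exist"
        status=1
    fi

    return $status
}

# sandbox_disabled RCCONF
# Returns 0 (true) if the file sets named_chrootdir to the empty string,
# which is the documented way of turning the sandbox off.
sandbox_disabled() {
    grep -Eq '^[[:space:]]*named_chrootdir=""' "$1"
}

main() {
    check_sandbox "${1:-/var/named}" "${2:-/etc/namedb}"
    layout_ok=$?
    if sandbox_disabled "${3:-/etc/rc.conf}"; then
        echo "warning: ${3:-/etc/rc.conf} sets named_chrootdir=\"\", so named runs outside the sandbox"
        return 1
    fi
    return $layout_ok
}

# Run the checks only when invoked as a script by this name, so the functions
# can also be sourced from other scripts.
case "$0" in
    */check_named_sandbox.sh|check_named_sandbox.sh) main "$@" ;;
esac
```

Run it as root on the host (sh check_named_sandbox.sh) after enabling named; a non-zero exit with the printed findings tells you which part of the layout the rc script would trip over, and the rc.conf warning catches a sandbox that someone switched off and forgot to turn back on.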





FreeBSD 6 Unleashed
ISBN: 0672328755
Year: 2006
Pages: 355
Authors: Brian Tiemann
