View | Details | Raw Unified | Return to bug 32381

(-)doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml (-97 / +192 lines)
Lines 131-140 Link Here
131
	will cover in the <link linkend="routing-default">next
131
	will cover in the <link linkend="routing-default">next
132
	  section</link>) and the <hostid>localhost</hostid> route.</para>
132
	  section</link>) and the <hostid>localhost</hostid> route.</para>
133
	  
133
	  
134
      <indexterm><primary>loopback device</primary></indexterm>
134
<indexterm><primary>loopback device</primary></indexterm>
135
      <para>The interface (<literal>Netif</literal> column) that it specifies
135
<para>The interface (<literal>Netif</literal> column) that it specifies
136
	to use for <literal>localhost</literal> is
136
to use for <literal>localhost</literal> is
137
	<devicename>lo0</devicename>, also known as the loopback device.  This
137
<devicename>lo0</devicename>, also known as the loopback device.  This
138
	says to keep all traffic for this destination internal, rather than
138
	says to keep all traffic for this destination internal, rather than
139
	sending it out over the LAN, since it will only end up back where it
139
	sending it out over the LAN, since it will only end up back where it
140
	started.</para>
140
	started.</para>
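Review bot: this hunk is a whitespace-only change and is inconsistent with itself: the new side drops the leading indentation of lines 134-137 (`<indexterm>`, `<para>The interface`, `to use for`, `<devicename>lo0</devicename>`) while lines 138-140 keep their tab indentation. Unless the de-indentation is intended, drop this hunk from the patch so the chapter keeps its existing indentation and the diff stays focused on the sandbox section.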
Lines 4150-4157 Link Here
4150
      <sect2info>
4150
      <sect2info>
4151
        <authorgroup>
4151
        <authorgroup>
4152
          <author>
4152
          <author>
4153
            <firstname>Mike</firstname>
4153
            <firstname>Ceri</firstname>
4154
            <surname>Makonnen</surname>
4154
            <surname>Davies</surname>
4155
	    <address><email>setantae@submonkey.net</email></address>
4155
            <contrib>Contributed by </contrib>
4156
            <contrib>Contributed by </contrib>
4156
          </author>
4157
          </author>
4157
        </authorgroup>
4158
        </authorgroup>
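Review bot: replacing the existing author (Mike Makonnen) with Ceri Davies in the <sect2info> drops credit for the original contributor, since the rest of the patch rewrites the section rather than starting from scratch. Keep both entries in the <authorgroup>: leave the original `<contrib>Contributed by </contrib>` author in place and add a second `<author>` carrying the new name and `<address><email>setantae@submonkey.net</email></address>`, or adjust the <contrib> text of each entry to say what that person did.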
Lines 4166-4270 Link Here
4166
      <indexterm>
4167
      <indexterm>
4167
        <primary><command>chroot</command></primary>
4168
        <primary><command>chroot</command></primary>
4168
      </indexterm>
4169
      </indexterm>
4169
      <para>For added security you may want to run &man.named.8; in a 
4170
      <para>For added security you may want to run &man.named.8; as an
4170
        sandbox. This will reduce the potential damage should it be 
4171
	unprivileged user, and configure it to &man.chroot.8; into a
4171
        compromised. If you include a sandbox directory in its command 
4172
	sandbox directory. This makes everything outside of the sandbox
4172
        line, named will &man.chroot.8;
4173
	inaccessible to the <application>named</application> daemon. Should
4173
        into that directory immediately upon finishing processing its
4174
	<application>named</application> be compromised, this will help to
4174
        command line. It is also a good idea to have named run as a
4175
	reduce the damage that can be caused. By default, FreeBSD has a user
4175
        non-privileged user in the sandbox. The default FreeBSD install
4176
	and a group called <quote>bind</quote>, intended for this use.</para>
4176
        contains a user bind with group bind. If we wanted the sandbox in
4177
4177
        the <filename>/etc/namedb/sandbox</filename> directory the command 
4178
      <para><note>Various people would recommend that instead of configuring
4178
        line for named would look like this:
4179
	<application>named</application> to <command>chroot</command>, you
4179
      </para>
4180
	should run <application>named</application> inside a &man.jail.8;. This
4180
      <screen> &prompt.root; <userinput>/usr/sbin/named -u bind -g bind -t /etc/namedb/sandbox &lt;path_to_named.conf> </userinput></screen>
4181
	section does not attempt to cover this situation.</note></para>
4181
4182
4182
      <para>The following steps should be taken in order to 
4183
      <para>Since <application>named</application> will not be able to
4183
        successfully run named in a sandbox. Throughout the following 
4184
	access anything outside of the sandbox (such as shared libraries,
4184
        discussion we will assume the path to your sandbox is 
4185
	log sockets, etc.), there are a number of steps that need to be
4185
        <filename>/etc/namedb/sandbox</filename>
4186
	followed in order to allow <application>named</application> to
4186
      </para>
4187
	function correctly. In the following checklist, it is assumed
4188
	that the path to the sandbox is <filename>/etc/namedb</filename>
4189
	and that you have made no prior modifications to the contents of
4190
	this directory. Perform the following steps as root.</para>
4187
4191
4188
      <itemizedlist>
4192
      <itemizedlist>
4189
        <listitem>
4193
	<listitem>
4190
          <para>Create the sandbox directory: 
4194
	  <para>Create all directories that <application>named</application>
4191
            <filename>/etc/namedb/sandbox</filename></para>
4195
	    expects to see:</para>
4192
        </listitem>
4193
        <listitem>
4194
        <para>Create other necessary directories off of the sandbox
4195
          directory: <filename>etc</filename> and 
4196
          <filename>var/run</filename></para>
4197
        </listitem>
4198
        <listitem>
4199
         <para>copy <filename>/etc/localtime</filename> to 
4200
           <filename>sandbox/etc</filename>
4201
         </para>
4202
        </listitem>
4203
        <listitem>
4204
          <para>make bind:bind the owner of all files and directories in 
4205
            the sandbox:
4206
            <screen>&prompt.root; <userinput>chown -R bind:bind /etc/namedb/sandbox</userinput> </screen>
4207
            <screen>&prompt.root; <userinput>chmod -R 750 /etc/namedb/sandbox</userinput> </screen>
4208
          </para>
4209
        </listitem>
4210
      </itemizedlist>
4211
4196
4212
      <para>There are some issues you need to be aware of when running
4197
	  <screen>&prompt.root; <userinput>cd /etc/namedb</userinput>
4213
         named in a sandbox.</para>
4198
&prompt.root; <userinput>mkdir -p bin dev etc var/tmp var/run master slave</userinput>
4199
&prompt.root; <userinput>chown bind:bind slave var/*</userinput></screen><co id="chown-slave"></co>
4214
4200
4215
      <itemizedlist>
4201
	  <calloutlist>
4216
        <listitem>
4202
	    <callout arearefs="chown-slave">
4217
        <para>Your &man.named.conf.5; file and all your zone files must 
4203
	      <para><application>named</application> only needs write access to
4218
           be in the sandbox
4204
		these directories, so that is all we give it.</para>
4219
          </para>
4205
	    </callout>
4220
        </listitem>
4206
	  </calloutlist>
4221
        <listitem>
4207
	</listitem>
4222
          <para><filename>sandbox/etc/localtime</filename> is needed
4208
	<listitem>
4223
            in order to have the correct time for your time zone in
4209
	  <para>Rearrange and create basic zone and configuration files:</para>
4224
            log messages.</para>
4210
	  <screen>&prompt.root; <userinput>cp /etc/localtime etc</userinput><co id="localtime"></co>
4225
        </listitem>
4211
&prompt.root; <userinput>mv named.conf etc && ln -sf etc/named.conf</userinput>
4226
        <listitem>
4212
&prompt.root; <userinput>mv named.root master</userinput>
4227
         <para> &man.named.8; will write its process id to a file in
4213
<!-- I don't like this next bit -->
4228
         <filename>sandbox/var/run</filename></para>
4214
&prompt.root; <userinput>sh make-localhost && mv localhost.rev master</userinput>
4229
        </listitem>
4215
&prompt.root; <userinput>cat > named.localhost
4230
        <listitem>
4216
$ORIGIN localhost.
4231
          <para>The Unix socket used for communication by the &man.ndc.8;
4217
$TTL 6h
4232
            utility will be created in 
4218
@	IN	SOA	localhost. postmaster.localhost. (
4233
            <filename>sandbox/var/run</filename></para>
4219
			1	; serial
4234
        </listitem>
4220
			3600	; refresh
4235
        <listitem>
4221
			1800	; retry
4236
          <para>When using the &man.ndc.8; utility you need to specify the
4222
			604800	; expiration
4237
            location of the Unix socket created in the sandbox, by
4223
			3600 )	; minimum
4238
            &man.named.8;, by using the -c switch:
4224
	IN	NS	localhost.
4239
            <command>&prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndc</command>
4225
	IN	A		127.0.0.1
4240
	  </para>
4226
^D</userinput></screen>
4241
        </listitem>
4242
        <listitem>
4243
          <para>If you enable logging to file, the log files must be
4244
          in the sandbox</para>
4245
        </listitem>
4246
      </itemizedlist>
4247
4227
4248
      <para>&man.named.8; can be started in a sandbox properly, if the
4228
	  <calloutlist>
4249
        following is in <filename>/etc/rc.conf</filename>:
4229
	    <callout arearefs="localtime">
4250
      </para>
4230
	      <para>This allows <application>named</application> to log the
4251
      <programlisting>named_flags="-u bind -g bind -t /etc/namedb/sandbox &lt;path_to_named.conf>"</programlisting>
4231
		correct time to &man.syslogd.8;</para>
4252
    </sect2>
4232
	    </callout>
4233
	  </calloutlist>
4234
	</listitem>
4235
	<listitem>
4236
	  <para>Build a statically linked copy of
4237
	    <application>named-xfer</application>, and copy it into the sandbox:</para>
4253
4238
4254
    <sect2>
4239
	      <screen>&prompt.root; <userinput>cd /usr/src/lib/libisc && make clean all</userinput>
4255
      <title>How to Use the Name Server</title>
4240
&prompt.root; <userinput>cd /usr/src/lib/libbind && make clean all</userinput>
4241
&prompt.root; <userinput>cd /usr/src/libexec/named-xfer && make NOSHARED=yes all</userinput>
4242
&prompt.root; <userinput>cp named-xfer /etc/namedb/bin && chmod 555 /etc/namedb/bin/named-xfer</userinput></screen>
4243
	</listitem>
4244
	<listitem>
4245
	  <para>Make a <devicename>dev/null</devicename> that
4246
	    <application>named</application> can see and write to:</para>
4256
4247
4257
      <para>If setup properly, the name server should be accessible through 
4248
	  <screen>&prompt.root; <userinput>cd /etc/namedb/dev && mknod null c 2 2</userinput>
4258
        the network and locally.  <filename>/etc/resolv.conf</filename> must 
4249
&prompt.root; <userinput>chmod 666 null</userinput></screen>
4259
        contain a name server entry with the local IP address so it will query the 
4250
	</listitem>
4260
        local name server first.
4251
	<listitem>
4261
      </para>
4252
	  <para>Symlink <filename> /var/run/ndc</filename> to
4253
	    <filename>/etc/namedb/var/run/ndc</filename>:</para>
4254
4255
	  <screen>&prompt.root; <userinput>ln -sf /etc/namedb/var/run/ndc /var/run/ndc</userinput></screen>
4256
4257
	  <para><note>This simply avoids having to specify the <option>-c</option>
4258
	    option to &man.ndc.8; every time you run it.  If this is something
4259
	    that you find useful, you may wish to add this entry to root's
4260
	    crontab, making use of the <option>@reboot</option> option. See
4261
	    &man.crontab.5; for more information regarding this.</note></para>
4262
	</listitem>
4263
	<listitem>
4264
	  <para>Configure &man.syslogd.8; to create an extra <devicename>log</devicename>
4265
	    socket that <application>named</application> can write to. To do
4266
	    this, add <literal>-l /etc/namedb/dev/log</literal> to the
4267
	    <variable>syslogd_flags</variable> variable in
4268
	    <filename>/etc/rc.conf</filename>.</para>
4269
	</listitem>
4270
	<listitem>
4271
	  <para>Arrange to have <application>named</application> start and
4272
	  <command>chroot</command> itself to the sandbox by adding the following
4273
	  to <filename>/etc/rc.conf</filename>:</para>
4274
	  <programlisting>named_enable="YES"
4275
named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"</programlisting>
4276
4277
	  <para><note>Note that the configuration file 
4278
	    <replaceable>/etc/named.conf</replaceable> is denoted by a full
4279
	    pathname <emphasis>relative to the sandbox</emphasis>, i.e. in
4280
	    the line above, the file referred to is actually
4281
	    <filename>/etc/namedb/etc/named.conf</filename>/</note></para>
4282
	</listitem>
4283
      </itemizedlist>
4284
4285
      <para>The next step is to edit <filename>/etc/namedb/etc/named.conf</filename>
4286
      so that <application>named</application> knows which zones to load and
4287
      where to find them on the disk. There follows a commented example 
4288
      (anything not specifically commented here is no different from the
4289
      setup for a DNS server not running in a sandbox):</para>
4290
4291
	<programlisting>options {
4292
        directory "/";<co id="directory"></co>
4293
        named-xfer "/bin/named-xfer";<co id="named-xfer"></co>
4294
        version "";		// Don't reveal BIND version
4295
        query-source address * port 53;
4296
};
4297
// ndc control socket
4298
controls {
4299
        unix "/var/run/ndc" perm 0600 owner 0 group 0;
4300
};
4301
// Zones follow:
4302
zone "localhost" IN {
4303
        type master;
4304
        file "master/named.localhost";<co id="master"></co>
4305
        allow-transfer { localhost; };
4306
        notify no;
4307
};
4308
zone "0.0.127.in-addr.arpa" IN {
4309
        type master;
4310
        file "master/named.loopback";
4311
        allow-transfer { localhost; };
4312
        notify no;
4313
};
4314
zone "." IN {
4315
        type hint;
4316
        file "master/named.root";
4317
};
4318
zone "private.example.net" in {
4319
        type master;
4320
        file "master/private.example.net.db";
4321
	allow-transfer { 192.168.10.0/24; };
4322
};
4323
zone "10.168.192.in-addr.arpa" in {
4324
        type slave;
4325
        masters { 192.168.10.2; };
4326
        file "slave/192.168.10.db";<co id="slave"></co>
4327
};</programlisting>
4328
4329
      <calloutlist>
4330
	<callout arearefs="directory"><para>The <literal>directory</literal>
4331
	  statement is specified as <filename>/</filename>, since all files
4332
	  that <application>named</application> needs are within this directory 
4333
	  (recall that this is equivalent to a <quote>normal</quote> user's
4334
	  <filename>/etc/namedb</filename>.</para>
4335
	</callout>
4336
	<callout arearefs="named-xfer"><para>Specifies the full path to the
4337
	  <command>named-xfer</command> binary (from <application>named</application>'s
4338
	  frame of reference).  This is necessary since <application>named</application>
4339
	  is compiled to look for <command>named-xfer</command> in
4340
	  <filename>/usr/libexec</filename> by default.</para>
4341
	</callout>
4342
	<callout arearefs="master"><para>Specifies the filename (relative
4343
	  to the <literal>directory</literal> statement above) where
4344
	  <application>named</application> can find the zonefile for this
4345
	  zone.</para>
4346
	</callout>
4347
	<callout arearefs="slave"><para>Specifies the filename (relative
4348
	  to the <literal>directory</literal> statement above) where
4349
	  <application>named</application> should write a copy of the
4350
	  zonefile for this zone after successfully transferring it from
4351
	  the master server.  This is why we needed to change the ownership
4352
	  of the directory <filename>slave</filename> to <quote>bind</quote>
4353
	  in the setup stages above.</para>
4354
	</callout>
4355
      </calloutlist>
4356
4357
      <para>After completing the steps above, either reboot your server or
4358
	restart &man.syslogd.8 and start &man.named.8, making sure to use the
4359
	new options specified in <variable>syslogd_flags</variable> and
4360
	<variable>named_flags</variable>. You should now be running a sandboxed
4361
	copy of <application>named</application>!</para>
4262
4362
4263
      <para>
4264
        To access it over the network, the machine must have the
4265
        name server's IP address set properly in its own name server
4266
        configuration options.
4267
      </para>
4268
    </sect2>
4363
    </sect2>
4269
4364
4270
    <sect2>
4365
    <sect2>
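Review bot: new line 4358 contains two malformed entity references, `restart &man.syslogd.8 and start &man.named.8, making sure to use the`; both need the terminating semicolon (`&man.syslogd.8;` and `&man.named.8;`) or the SGML build will fail. Three smaller points in the same hunk: the leftover `<!-- I don't like this next bit -->` comment at new line 4213 should be removed (or the `sh make-localhost && mv localhost.rev master` step it refers to reworded) before commit; the note at new line 4281 ends with a stray slash after `<filename>/etc/namedb/etc/named.conf</filename>`; and the `directory` callout at new lines 4333-4334 opens a parenthesis at `(recall that this is equivalent to` that is never closed.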
