Bug 27024

Summary: [PATCH] DNS section of handbook doesn't contain section on sandboxing named
Product: Documentation
Reporter: mikem <mike_makonnen>
Component: Books & Articles
Assignee: freebsd-doc (Nobody) <doc>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description mikem 2001-05-02 07:50:00 UTC
	The DNS section of the handbook does not contain an explanation of
	how to run named in a sandbox. Actually, I don't think it's documented anywhere.

Fix: I wrote down the things that would have helped me as I set up my nameserver
	in a sandbox and added them to my local copy of the docs. Here are the diffs.



+ <sect2 id="named-sandbox">
+    <title>Running named in a Sandbox</title>
+
+       <para>For added security you may want to run &man.named.8; in a sandox.
This
+         will reduce the potential damage should it be compromised. If you
+         include a sandbox directory in its command line, named will &man.chroo
t.8;
+         into that directory immediately upon finishing processing its
+         command line. It is also a good idea to have named run as a
+         non-priveledged user in the sandbox. The default FreeBSD install
+         contains a user bind with group bind. If we wanted the sandbox in
+         the <filename>/etc/namedb/sanbox</filename> directory the command line

+         for named would look like this:</para>
+         <screen> &prompt.root; <userinput>/usr/sbin/named -u bind -g bind -t /
etc/namedb/sandbox &lt;path_to_named.conf> </userinput>
+         </screen>
+
+       <para>The following steps should be taken in order to successfully
+         run named in a sandbox. Throughout  the following discussion we will a
ssume
+         the path to your sandbox is <filename>/etc/namedb/sandox</filename></p
ara>
+
+       <itemizedlist>
+         <listitem>
+            <para>Create the sandbox directory: <filename>/etc/namedb/sandbox</
filename></para>
+         </listitem>
+         <listitem>
+         <para>Create other necessary directories off of the the sandbox
+            directory: <filename>etc</filename> and <filename>var/run</filename
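Review bot: the sandbox path is spelled inconsistently within this hunk: the `<filename>` in the sentence introducing the `<screen>` reads `/etc/namedb/sanbox`, the assumption sentence in the second `<para>` reads `/etc/namedb/sandox`, and the opening sentence says "in a sandox", whereas the command line and the first `<listitem>` use `/etc/namedb/sandbox`; please use `/etc/namedb/sandbox` throughout. In the same paragraph `non-priveledged` should be `non-privileged`, and the last `<listitem>` has `off of the the sandbox`. Two smaller points on the `<screen>` line: `&lt;path_to_named.conf>` should be `&lt;path_to_named.conf&gt;` so both brackets are escaped consistently, and since the preceding paragraph says named chroots as soon as it finishes processing its command line, it would help readers to state that this named.conf path is then looked up inside the sandbox rather than under the real `/etc/namedb`.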

*** chapter.sgml.original       Mon Apr 30 20:52:36 2001
--- chapter.sgml        Tue May  1 23:27:46 2001
***************
*** 3318,3323 ****
--- 3318,3395 ----
    </para>
  </sect2>
How-To-Repeat: go to http://www.freebsd.org/handbook/dns.html
Comment 1 Murray Stokely freebsd_committer freebsd_triage 2001-05-09 02:19:29 UTC
State Changed
From-To: open->closed

Committed, thanks!