authordillon <dillon@FreeBSD.org>1998-12-01 21:36:33 +0000
committerdillon <dillon@FreeBSD.org>1998-12-01 21:36:33 +0000
commitf312600f4d8581387c95708e3d151bf8e4da23fc (patch)
tree5e9cd456902cd76b96517d08a43d60e536b417f2
parentdd3c1b5f96ce015028c6fef05c18b7afab991229 (diff)
downloadFreeBSD-src-f312600f4d8581387c95708e3d151bf8e4da23fc.zip
FreeBSD-src-f312600f4d8581387c95708e3d151bf8e4da23fc.tar.gz
Reviewed by: freebsd-current, freebsd-security
Adjust rc.conf to run named in a sandbox, adjust mtree to add the /etc/namedb/s subdirectory (user bind, group bind) to hold secondaries, adjust comments in named.conf to reflect the new secondary scheme. (Note that core read-only zone files are left owned by root, increasing security even more).
-rw-r--r--etc/mtree/BSD.root.dist4
-rw-r--r--etc/namedb/named.conf10
-rw-r--r--etc/rc.conf4
3 files changed, 12 insertions, 6 deletions
diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist
index 0a2295f..1213036 100644
--- a/etc/mtree/BSD.root.dist
+++ b/etc/mtree/BSD.root.dist
@@ -1,4 +1,4 @@
-# $Id: BSD.root.dist,v 1.31 1998/09/30 22:27:27 jkh Exp $
+# $Id: BSD.root.dist,v 1.32 1998/10/17 01:21:35 peter Exp $
#
/set type=dir uname=root gname=wheel mode=0755
@@ -31,6 +31,8 @@
mtree
..
namedb
+ s uname=bind gname=bind mode=0750
+ ..
..
ppp
..
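Review bot: The new `s` entry carries no explanation of why this single directory is bind-owned while `namedb` itself keeps the `uname=root gname=wheel mode=0755` default from the `/set` line, and mtree specification files accept `#` comment lines, so the rationale from the commit message could be kept next to the entry: `# s: writable by named (runs as user bind) for secondary zone files; primary zones stay root-owned`. Because the parent directory remains root-owned, a named process running as bind can only create or overwrite files inside `s`, which is the containment this commit relies on. That containment depends on rc.conf actually passing `-u bind -g bind`, which is done in a separate file of this commit, so the comment should point there as well.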
diff --git a/etc/namedb/named.conf b/etc/namedb/named.conf
index 31bb075..6d86859 100644
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@@ -1,4 +1,4 @@
-// $Id: named.conf,v 1.1 1998/05/07 23:42:33 ache Exp $
+// $Id: named.conf,v 1.2 1998/05/11 11:26:28 peter Exp $
//
// Refer to the named(8) man page for details. If you are ever going
// to setup a primary server, make sure you've understood the hairy
@@ -77,11 +77,15 @@ zone "0.0.127.IN-ADDR.ARPA" {
//
// NB: Don't blindly enable the examples below. :-) Use actual names
// and addresses instead.
+//
+// NOTE!!! FreeBSD runs bind in a sandbox (see named_flags in rc.conf).
+// The directory containing the secondary zones must be write accessible
+// to bind.
/*
zone "domain.com" {
type slave;
- file "domain.com.bak";
+ file "s/domain.com.bak";
masters {
192.168.1.1;
};
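Review bot: The added NOTE says the secondary-zone directory must be writable by bind but never names the directory, so a reader has to infer from the `file "s/..."` examples here and in the `0.168.192.in-addr.arpa` hunk that `s` is the intended location; suggest extending it with `// The s/ subdirectory is created owned by bind (mode 0750) for this purpose; keep primary zone files outside it, owned by root, so the daemon cannot rewrite them.` The `file` paths are presumably relative to the `directory` setting in the options block, which is outside this hunk, so the note should say so rather than leave the reader to guess where `s/` lives. Calling `-u bind -g bind` a sandbox overstates what those flags do, since they only change the credentials the daemon runs under and do not confine its view of the filesystem; `// FreeBSD runs named as user/group bind (see named_flags in rc.conf)` would describe the actual mechanism.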
@@ -89,7 +93,7 @@ zone "domain.com" {
zone "0.168.192.in-addr.arpa" {
type slave;
- file "0.168.192.in-addr.arpa.bak";
+ file "s/0.168.192.in-addr.arpa.bak";
masters {
192.168.1.1;
};
diff --git a/etc/rc.conf b/etc/rc.conf
index 30bdc56..cd0a4cb 100644
--- a/etc/rc.conf
+++ b/etc/rc.conf
@@ -6,7 +6,7 @@
#
# All arguments must be in double or single quotes.
#
-# $Id: rc.conf,v 1.62 1998/11/15 20:30:04 msmith Exp $
+# $Id: rc.conf,v 1.63 1998/11/25 21:16:43 msmith Exp $
##############################################################
### Important initial Boot-time options #####################
@@ -46,7 +46,7 @@ inetd_enable="YES" # Run the network daemon dispatcher (or NO).
inetd_flags="" # Optional flags to inetd.
named_enable="NO" # Run named, the DNS server (or NO).
named_program="named" # path to named, if you want a different one.
-named_flags="" # Flags for named (/etc/namedb/named.conf is
+named_flags="-u bind -g bind" # Flags for named (/etc/namedb/named.conf is
# the default now).
kerberos_server_enable="NO" # Run a kerberos master server (or NO).
kadmind_server_enable="NO" # Run kadmind (or NO) -- do not run on
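Review bot: The comment beside `named_flags` still only notes that named.conf is the default config path and says nothing about the new default flags, so an administrator reading rc.conf is not told that `-u bind -g bind` makes named run as the bind user/group or that `/etc/namedb/s` is the only part of the zone tree that user can write. Suggest `named_flags="-u bind -g bind" # Run named as user/group bind; secondaries go in /etc/namedb/s` and updating the `# the default now).` continuation line to match. The named.conf comment in this commit calls this a sandbox, but these flags change credentials only and do not restrict the daemon's filesystem view, so the comment here should not imply a chroot. A site that overrides `named_flags` with `""` silently goes back to running named as root, which is worth a one-line warning in the same comment.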