From f312600f4d8581387c95708e3d151bf8e4da23fc Mon Sep 17 00:00:00 2001
From: dillon
Date: Tue, 1 Dec 1998 21:36:33 +0000
Subject: Reviewed by: freebsd-current, freebsd-security

Adjust rc.conf to run named in sandbox, adjust mtree to add /etc/namedb/s subdirectory (user bind, group bind) to hold secondaries, adjust comments in named.conf to reflect new secondary scheme. (Note that core read-only zone files are left owned by root, increasing security even more).
---
 etc/mtree/BSD.root.dist | 4 +++-
 etc/namedb/named.conf | 10 +++++++---
 etc/rc.conf | 4 ++--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist
index 0a2295f..1213036 100644
--- a/etc/mtree/BSD.root.dist
+++ b/etc/mtree/BSD.root.dist
@@ -1,4 +1,4 @@
-# $Id: BSD.root.dist,v 1.31 1998/09/30 22:27:27 jkh Exp $
+# $Id: BSD.root.dist,v 1.32 1998/10/17 01:21:35 peter Exp $
 #
 /set type=dir uname=root gname=wheel mode=0755
@@ -31,6 +31,8 @@
 mtree
 ..
 namedb
+ s uname=bind gname=bind mode=0750
+ ..
 ..
 ppp
 ..
diff --git a/etc/namedb/named.conf b/etc/namedb/named.conf
index 31bb075..6d86859 100644
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@@ -1,4 +1,4 @@
-// $Id: named.conf,v 1.1 1998/05/07 23:42:33 ache Exp $
+// $Id: named.conf,v 1.2 1998/05/11 11:26:28 peter Exp $
 //
 // Refer to the named(8) man page for details. If you are ever going
 // to setup a primary server, make sure you've understood the hairy
@@ -77,11 +77,15 @@ zone "0.0.127.IN-ADDR.ARPA" {
 //
 // NB: Don't blindly enable the examples below. :-) Use actual names
 // and addresses instead.
+//
+// NOTE!!! FreeBSD runs bind in a sandbox (see named_flags in rc.conf).
+// The directory containing the secondary zones must be write accessible
+// to bind.
 /*
 zone "domain.com" {
 type slave;
- file "domain.com.bak";
+ file "s/domain.com.bak";
 masters { 192.168.1.1; };
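Review bot: The `s uname=bind gname=bind mode=0750` entry can only be applied if a `bind` user and group already exist when mtree runs, and nothing in this commit adds them (the diffstat lists only the three files shown); if they are missing on a given system, mtree will, as far as I can tell, refuse the entry rather than create the directory, and a named started with `-u bind` then has nowhere writable for slave zones. A short comment above the entry would make that dependency visible: `# s/ is the only part of namedb writable by named (-u bind); the bind user/group must exist`. The ownership split itself is the right shape: the parent inherits root:wheel 0755 from the `/set` line, so a compromised named can write under `s/` but not to named.conf or the master zone files.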
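Review bot: The added NOTE says the secondary-zone directory "must be write accessible to bind" without naming it or saying that it is the only place named may write, so a reader chasing a permission error is as likely to chmod /etc/namedb itself as to use `s/`, which defeats the sandbox. I would make the three comment lines say: `// NOTE!!! FreeBSD runs named as user/group bind (see named_flags in rc.conf).` / `// Put slave (secondary) zone files under s/, the only directory bind can write;` / `// master zone files and named.conf stay root-owned and read-only.` The `file "s/..."` paths are relative to the `directory` option, which is outside this hunk, so the comment can only call that directory /etc/namedb/s if that option still points at /etc/namedb. The `zone "domain.com"` block runs past the end of the hunk as shown.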
@@ -89,7 +93,7 @@ zone "domain.com" {
 zone "0.168.192.in-addr.arpa" {
 type slave;
- file "0.168.192.in-addr.arpa.bak";
+ file "s/0.168.192.in-addr.arpa.bak";
 masters { 192.168.1.1; };
diff --git a/etc/rc.conf b/etc/rc.conf
index 30bdc56..cd0a4cb 100644
--- a/etc/rc.conf
+++ b/etc/rc.conf
@@ -6,7 +6,7 @@
 #
 # All arguments must be in double or single quotes.
 #
-# $Id: rc.conf,v 1.62 1998/11/15 20:30:04 msmith Exp $
+# $Id: rc.conf,v 1.63 1998/11/25 21:16:43 msmith Exp $
 ##############################################################
 ### Important initial Boot-time options #####################
@@ -46,7 +46,7 @@ inetd_enable="YES" # Run the network daemon dispatcher (or NO).
 inetd_flags="" # Optional flags to inetd.
 named_enable="NO" # Run named, the DNS server (or NO).
 named_program="named" # path to named, if you want a different one.
-named_flags="" # Flags for named (/etc/namedb/named.conf is
+named_flags="-u bind -g bind" # Flags for named (/etc/namedb/named.conf is
 # the default now).
 kerberos_server_enable="NO" # Run a kerberos master server (or NO).
 kadmind_server_enable="NO" # Run kadmind (or NO) -- do not run on
--
cgit v1.1
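Review bot: `named_flags="-u bind -g bind"` drops privileges, but the comment beside it still only says where named.conf lives, so an admin who hits a permission error is likely to delete the flags and silently give up the sandbox. I would make the comment carry the constraint: `named_flags="-u bind -g bind"	# Flags for named; runs as bind:bind, so slave zone files` / `				# must live in /etc/namedb/s (named.conf is the default).` Two things this diff cannot show are worth checking before named_enable is set to YES: that the bind account exists on the installed system, and that whatever BIND 8 writes into its working directory after it has changed uid (dump, debug and statistics files, if the `directory` option is still /etc/namedb) is either redirected to a bind-writable path or accepted as unavailable.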