Reviewed by: freebsd-current, freebsd-security

Adjust rc.conf to run named in sandbox, adjust mtree to add /etc/namedb/s subdirectory (user bind, group bind) to hold secondaries, adjust comments in named.conf to reflect new secondary scheme. (Note that core read-only zone files are left owned by root, increasing security even more).
svn path=/head/; revision=41442
1998-12-01 21:36:33 +00:00 · 1998-12-01 21:36:33 +00:00 · 128272b8c5 · 2020-12-20 02:59:44 +00:00
commit 128272b8c5
parent ac48aa416a
3 changed files with 12 additions and 6 deletions
--- a/etc/mtree/BSD.root.dist
+++ b/etc/mtree/BSD.root.dist
@ -1,4 +1,4 @@
-#	$Id: BSD.root.dist,v 1.31 1998/09/30 22:27:27 jkh Exp $
+#	$Id: BSD.root.dist,v 1.32 1998/10/17 01:21:35 peter Exp $
 #

 /set type=dir uname=root gname=wheel mode=0755
@ -31,6 +31,8 @@
        mtree
        ..
        namedb
+		s	uname=bind gname=bind mode=0750
+		..
        ..
        ppp
        ..
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@ -1,4 +1,4 @@
-// $Id: named.conf,v 1.1 1998/05/07 23:42:33 ache Exp $
+// $Id: named.conf,v 1.2 1998/05/11 11:26:28 peter Exp $
 //
 // Refer to the named(8) man page for details.  If you are ever going
 // to setup a primary server, make sure you've understood the hairy
@ -77,11 +77,15 @@ zone "0.0.127.IN-ADDR.ARPA" {
 //
 // NB: Don't blindly enable the examples below. :-)  Use actual names
 // and addresses instead.
+//
+// NOTE!!! FreeBSD runs bind in a sandbox (see named_flags in rc.conf).
+// The directory containing the secondary zones must be write accessible 
+// to bind.

 /*
 zone "domain.com" {
 	type slave;
-	file "domain.com.bak";
+	file "s/domain.com.bak";
 	masters {
 		192.168.1.1;
 	};
@ -89,7 +93,7 @@ zone "domain.com" {

 zone "0.168.192.in-addr.arpa" {
 	type slave;
-	file "0.168.192.in-addr.arpa.bak";
+	file "s/0.168.192.in-addr.arpa.bak";
 	masters {
 		192.168.1.1;
 	};
--- a/etc/rc.conf
+++ b/etc/rc.conf
@ -6,7 +6,7 @@
 #
 # All arguments must be in double or single quotes.
 #
-#	$Id: rc.conf,v 1.62 1998/11/15 20:30:04 msmith Exp $
+#	$Id: rc.conf,v 1.63 1998/11/25 21:16:43 msmith Exp $

 ##############################################################
 ### Important initial Boot-time options  #####################
@ -46,7 +46,7 @@ inetd_enable="YES"		# Run the network daemon dispatcher (or NO).
 inetd_flags=""			# Optional flags to inetd.
 named_enable="NO"		# Run named, the DNS server (or NO).
 named_program="named"		# path to named, if you want a different one.
-named_flags=""			# Flags for named (/etc/namedb/named.conf is
+named_flags="-u bind -g bind"	# Flags for named (/etc/namedb/named.conf is
 				# the default now).
 kerberos_server_enable="NO"	# Run a kerberos master server (or NO).
 kadmind_server_enable="NO"	# Run kadmind (or NO) -- do not run on