Re: BIND 9 questions
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: BIND 9 questions
- From: Chuck Yerkes <chuck+obsd_(_at_)_2003_(_dot_)_snew_(_dot_)_com>
- Date: Thu, 3 Jul 2003 16:06:34 -0400
- Mail-followup-to: Chuck Yerkes <chuck+obsd_(_at_)_2003_(_dot_)_snew_(_dot_)_com>, misc_(_at_)_openbsd_(_dot_)_org
Another option is to create a /JAIL partition for chrooted
things. Bad to do in stock OpenBSD (you can presume there
will be a var, and even a var partition, but not a non-standard
partition like /JAIL).
I use /JAIL to keep chrooted binaries and such, it's mounted
WITH dev allowed, but it's mounted readonly.
/JAIL/named/namedb/ is a loopback that contains the zones.
On a secondary only appliance, it's an MFS
that's seeded on boot from an RO partition.
/JAIL/named/etc/ is part of /JAIL/ and contains keys,
config files etc.
Are you expecting a lot of CH and HS queries that must be stopped?
Quoting Mark D Robinson (mrobinso_(_at_)_fpkc_(_dot_)_com):
> > /var is mount'ed nodev by default ( mount | grep /var ) ...
> Ah, I did not know that. Thanks, I'll have to remember that. I'll just use the file then.
> > Well, you just said named is chrooted by default to /var/named. So you
> > will need to chop that to 'file "named.log";'.
I don't recall if it does openlog before or after the chroot...
> Using 'file "named.log"' yields the same "permission denied" as 'file
> "/named.log"', which makes sense, I think. Anyway, I guess I was confused
> by the fact that file "/var/named/named.log" gave me a "file not found"
> error, but now I'm realizing that it was unable to find /var/named relative
> to the chroot as opposed to the actual named.log file itself (which should
> be created when not found)
> I didn't want to change the default permissions on the /var/named directory
> itself, so I created a /var/named/log directory with write permissions for
> the named group and that seems to do the trick.
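The two failures in this exchange, as an added example that is not part of the original thread: a small checker that resolves each BIND logging 'file' path the way a chrooted named does (relative to the chroot, leading slash or not) and reports whether named would hit "file not found" (the parent directory is missing inside the chroot) or "permission denied" (the parent directory is not writable for named's uid/gid). The named.conf fragment, the throwaway chroot layout and the named uid/gid values are constructed assumptions, not the poster's system.

```python
import os
import re
import tempfile

CHANNEL_RE = re.compile(r'channel\s+(\S+)\s*\{[^}]*?file\s+"([^"]+)"')  # channel NAME { ... file "PATH" ... }; not a full named.conf parser

def effective_path(chroot_root, log_path):
    """Host path named opens: the config path is relative to the chroot, leading slash or not."""
    return os.path.join(chroot_root, log_path.lstrip("/"))

def dir_writable_by(path, uid, gid):
    """Write bit for uid/gid from the mode (answers for named, not for the caller); None if missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    if st.st_uid == uid:
        return bool(st.st_mode & 0o200)   # owner write
    if st.st_gid == gid:
        return bool(st.st_mode & 0o020)   # group write
    return bool(st.st_mode & 0o002)       # other write

def diagnose(conf_text, chroot_root, uid, gid):
    """Map each file channel to the error named would report, or 'ok'."""
    verdicts = {}
    for name, log_path in CHANNEL_RE.findall(conf_text):
        parent = os.path.dirname(effective_path(chroot_root, log_path))
        writable = dir_writable_by(parent, uid, gid)
        verdicts[name] = "file not found" if writable is None else "ok" if writable else "permission denied"
    return verdicts

# Constructed named.conf fragment mirroring the paths tried in the thread.
SAMPLE_CONF = """
logging {
    channel absolute    { file "/var/named/named.log"; };
    channel chroot_root { file "named.log"; };
    channel log_subdir  { file "log/named.log"; };
};
"""

def demo():
    """Throwaway chroot: root dir 0755 (no group write), log/ 0775. The assumed named
    uid owns nothing here; the assumed named gid is log/'s group, so no chown is needed."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    logdir = os.path.join(root, "log")
    os.mkdir(logdir)
    os.chmod(logdir, 0o775)
    named_uid, named_gid = os.stat(root).st_uid + 1, os.stat(logdir).st_gid
    return diagnose(SAMPLE_CONF, root, named_uid, named_gid)
```

Run against a real chroot, the same diagnose() call with the uid/gid of the named user tells you before a restart which channels will fail and why.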