, <netbsd-help@netbsd.org>
From: Conrad T. Pino <NetBSD-Current@Pino.com>
List: netbsd-help
Date: 02/26/2004 11:39:34
Hi Roger,
> From: netbsd-help-owner@NetBSD.org On Behalf Of Roger Fischer
>
> I was looking back through the NetBSD 1.6.1 INSTALL document
> and I see under "Security Changes" that
> named
> ntpd
> sshd
> are supposed to be running in a chroot environment.
It works and I use it, see ps -axl:
14 102 1 0 2 0 2488 2696 select Ss ?? 0:32.35 /usr/sbin/named -u named -g named -t /var/chroot/named
15 163 1 0 18 -12 732 1592 pause S<s ?? 0:04.20 /usr/sbin/ntpd -u ntpd:ntpd -i /var/chroot/ntpd
More information follows.
> I see that the users and groups have been added, but under
> PS they are running as root.
Yes, that's true for the default configuration; see below.
> postfix
> is running under its own user name though.
>
> Is there any configuration required to get these services running chrooted or is it supposed to be automatic?
Manual configuration is required. You must set up the chroot jail first and modify /etc/rc.conf second.
Comments from /etc/defaults/rc.conf:
# To run the named(8) DNS server as an unprivileged user under a
# chroot(2) cage, uncomment the following after migrating the contents
# of /etc/namedb to /var/chroot/named/etc/namedb
#
#named_chrootdir="/var/chroot/named"
# To run the ntpd(8) NTP server as an unprivileged user under a
# chroot(2) cage, uncomment the following, after ensuring that:
# - The kernel has "pseudo-device clockctl" compiled in
# - /dev/clockctl is present
#
#ntpd_chrootdir="/var/chroot/ntpd"
Don't edit /etc/defaults/rc.conf; rather, add:
named_chrootdir="/var/chroot/named"
to the /etc/rc.conf file, which overrides the defaults.
Best of luck,
Conrad
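
Added example, not part of the original message or of NetBSD's own scripts: a small sh audit that checks the two steps described above (jail populated, named_chrootdir set in /etc/rc.conf) and whether a ps line shows named started with -u and -t. The function names and the ROOT prefix argument are assumptions made for illustration, and the demo tree is constructed sample data.

```shell
#!/bin/sh
# Added example: audit helpers for the named chroot setup described above.
# ROOT is a hypothetical path prefix so the checks can run against a test
# tree; pass "" on a live system. Assumption: rc.conf holds plain VAR="value"
# lines (it is really a shell script, so this text parse is an approximation).

# Print the effective value of VAR: defaults are read first and /etc/rc.conf
# second, so the last uncommented assignment wins.
rc_value() {  # usage: rc_value ROOT VAR
    cat "$1/etc/defaults/rc.conf" "$1/etc/rc.conf" 2>/dev/null |
        sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*/\1/p" | tail -n 1
}

# Return 0 only if the variable is set and the jail contains etc/namedb.
check_named_chroot() {  # usage: check_named_chroot ROOT
    dir=$(rc_value "$1" named_chrootdir)
    [ -n "$dir" ] || { echo "named_chrootdir not set in rc.conf"; return 1; }
    [ -d "$1$dir/etc/namedb" ] || { echo "missing $dir/etc/namedb"; return 2; }
    echo "ok: named jail at $dir"
}

# Return 0 if a ps(1) line shows named started with "-t DIR" and a
# non-root "-u" user; a bare "/usr/sbin/named" line fails the check.
ps_named_jailed() {  # usage: ps_named_jailed "PS LINE" DIR
    case "$1" in
        *"/usr/sbin/named"*" -t $2"*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *" -u root"*) return 1 ;;
        *" -u "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed tree (sample data, not a real system).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/defaults" "$demo_root/var/chroot/named/etc/namedb"
echo '#named_chrootdir="/var/chroot/named"' > "$demo_root/etc/defaults/rc.conf"
echo 'named_chrootdir="/var/chroot/named"' > "$demo_root/etc/rc.conf"
check_named_chroot "$demo_root"
rm -rf "$demo_root"
```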