From owner-freebsd-security Thu Nov 11 21: 9:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 300DF14FED for ; Thu, 11 Nov 1999 21:09:44 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id WAA24221; Thu, 11 Nov 1999 22:09:19 -0700 (MST)
Message-Id: <4.2.0.58.19991111220759.044f46d0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Thu, 11 Nov 1999 22:09:33 -0700
To: Cy Schubert - ITSD Open Systems Group
From: Brett Glass
Subject: Re: Why not sandbox BIND?
Cc: security@FreeBSD.ORG
In-Reply-To: <199911112346.PAA65881@cwsys.cwsent.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I assume you mean rc.conf, not named.conf. In any case, maybe there should be a "sandbox BIND" flag in rc.conf that selects a sandboxed configuration and is on by default. Also, it'd be nice to have the user "named" already in /etc/passwd and ready to go.

--Brett

At 03:46 PM 11/11/1999 -0800, Cy Schubert - ITSD Open Systems Group wrote:
>In message <4.2.0.58.19991111160840.042469d0@localhost>, Brett Glass writes:
>> OpenBSD sandboxes BIND, which means that most of the vulnerabilities in the
>> CERT advisory would be moot.
>>
>> Should the same be done by default in FreeBSD? There's no reason for BIND
>> to be privileged.
>
>Just put something like the following in named.conf.
>
>named_flags="-c /usr/local/etc/namedb/named.conf -u named -g named -t /var/named"
>
>
>Regards,                         Phone:  (250)387-8437
>Cy Schubert                        Fax:  (250)387-5766
>Sun/DEC Team, UNIX Group      Internet:  Cy.Schubert@uumail.gov.bc.ca
>ITSD                                     Cy.Schubert@gems8.gov.bc.ca
>Province of BC
>            "e**(i*pi)+1=0"
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
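The sandboxed configuration the thread is discussing (an unprivileged "named" user plus a chroot via -t) is easy to get half-right: the chroot tree has to contain the config, the zone directory, a writable place for the pid file and a /dev/null, and the user has to exist before named starts. The following POSIX sh is an added example, not code from Brett, Cy or the FreeBSD project: it composes the rc.conf named_flags line, lays out a minimal sandbox skeleton, and checks what is still missing. It assumes that named with -t chroots before reading its config, so the -c path is written as named sees it inside the sandbox; the directory layout, the "named" user name and the /dev/null device numbers (FreeBSD 3.x/4.x values) are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): compose and sanity-check a
# chroot sandbox for BIND of the kind discussed above.
# Assumed here: with -t, named chroots before reading its config, so the -c
# path is resolved inside the sandbox. Layout and names are illustrative.

# Print the rc.conf named_flags line.
#   $1 chroot dir on the host, $2 user, $3 group,
#   $4 config path as named will see it after chroot
bind_sandbox_flags() {
    printf 'named_flags="-u %s -g %s -t %s -c %s"\n' "$2" "$3" "$1" "$4"
}

# Create the directory skeleton named needs inside the sandbox:
# config and primary zones, a writable slave-zone dir, pid dir, /dev.
bind_sandbox_layout() {
    root=$1
    mkdir -p "$root/etc/namedb/slave" "$root/var/run" "$root/dev" || return 1
    # Device nodes require root. Assumed device numbers are FreeBSD 3.x/4.x
    # (c 2 2 for /dev/null); adjust on other systems.
    if [ "$(id -u)" -eq 0 ] && [ ! -c "$root/dev/null" ]; then
        mknod "$root/dev/null" c 2 2 && chmod 666 "$root/dev/null"
    fi
    return 0
}

# Report what still blocks named from starting in the sandbox.
#   $1 chroot dir, $2 config path inside the chroot, $3 unprivileged user
# Prints one line per problem; return value is the number of problems.
bind_sandbox_check() {
    root=$1 conf=$2 user=$3
    n=0
    [ -d "$root" ] \
        || { echo "missing chroot dir $root"; n=$((n + 1)); }
    [ -f "$root/$conf" ] \
        || { echo "missing config $root/$conf (path is resolved inside the chroot)"; n=$((n + 1)); }
    [ -c "$root/dev/null" ] \
        || { echo "missing device node $root/dev/null"; n=$((n + 1)); }
    id "$user" >/dev/null 2>&1 \
        || { echo "user $user does not exist (add it before starting named)"; n=$((n + 1)); }
    return "$n"
}

# Usage, against a scratch directory so it runs without privileges:
#   root=$(mktemp -d)
#   bind_sandbox_layout "$root"
#   printf 'options { directory "/etc/namedb"; };\n' > "$root/etc/namedb/named.conf"
#   bind_sandbox_flags "$root" named named /etc/namedb/named.conf
#   bind_sandbox_check "$root" /etc/namedb/named.conf named
```

The check deliberately does not try to create the user: on a real host that is a pw(8) step taken once, which is exactly the point of Brett's remark that a ready-made "named" account in /etc/passwd would remove one more reason to skip the sandbox.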