Date:      Fri, 12 Nov 1999 11:46:54 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Barry Irwin <bvi@rucus.ru.ac.za>
Cc:        Josef Karthauser <joe@pavilion.net>, Brett Glass <brett@lariat.org>, Bill Fumerola <billf@chc-chimes.com>, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, security@FreeBSD.ORG
Subject:   Re: Why not sandbox BIND?
Message-ID:  <199911121946.LAA24616@apollo.backplane.com>
References:  <4.2.0.58.19991111220759.044f46d0@localhost> <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.c <4.2.0.58.19991112102309.045abf00@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za>


:> > --Brett
:> 
:> You are _quite_ a way behind.  I believe that almost all of the 3.X releases
:> have had this ability.  (If you're running later mergemaster is your friend ;)
:
:3.2 System CVSup'd doesn't have it by default
:su-2.03# cat /etc/passwd | grep named
:su-2.03# uname -a
:FreeBSD shagrat.moria.org 3.3-STABLE FreeBSD 3.3-STABLE #0: Thu Oct 21

    Try grepping for 'bind', not 'named'.  And it would have to be a fresh
    install rather than an upgrade.  There is also a newly added 'bind' group.

    3.x also has the ability to sandbox comsat and ntalk and, in fact, this
    is the default now for these programs.  We can't do the same for bind
    because certain aspects of the program (such as rebinding for dynamic 
    interface changes) fail to operate properly in a sandboxed environment.

    -

    Speaking of default system configurations - what do people think about
    turning off the 'ftp' service in the default configuration?  I think
    its time has come.  'ftp' is the only major program left in inetd that
    is complex enough to still be relatively worrisome to me, and anyone
    who expects to be able to use it to get to machine X that they have just
    installed will also know how to turn on the service on machine X.

					-Matt


