From owner-freebsd-security  Mon Aug 23 13:12:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131])
	by hub.freebsd.org (Postfix) with ESMTP id 408A81505E
	for <freebsd-security@FreeBSD.ORG>; Mon, 23 Aug 1999 13:12:45 -0700 (PDT)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id WAA11141;
	Mon, 23 Aug 1999 22:08:18 +0200 (CEST)
	(envelope-from phk@critter.freebsd.dk)
To: "Jan B. Koum " <jkb@best.com>
Cc: Matthew Dillon <dillon@apollo.backplane.com>,
	Nate Williams <nate@mt.sri.com>, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules 
In-reply-to: Your message of "Mon, 23 Aug 1999 13:01:16 PDT."
             <19990823130116.B1797@best.com> 
Date: Mon, 23 Aug 1999 22:08:18 +0200
Message-ID: <11139.935438898@critter.freebsd.dk>
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19990823130116.B1797@best.com>, "Jan B. Koum " writes:

>One can also run named in chroot() environment and as non-root user. In
>fact, this is exactly what we are doing where I work:
>
>85-jkb(nautilus)% ssh dns1.corp ps ax | grep named
>  106  ??  Ss     0:30.01 syslogd -s -l /var/named/dev/log
>27897  ??  Ss   1047:54.55 /var/named/named -u bind -g bind -t /var/named

Even better yet:  Run it in a jail with it's own IP number...

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message