From: Dag-Erling Smorgrav
To: Matt Dillon
Cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/etc rc.conf
Date: 21 Dec 1998 15:45:49 +0100
In-Reply-To: Matt Dillon's message of "Fri, 18 Dec 1998 23:25:57 -0800 (PST)"
References: <199812190725.XAA05479@freefall.freebsd.org>

Matt Dillon writes:
> Log:
> Take bind out of sandbox and run it as root again, but leave support
> mechanisms ('bind' user and group) in place so the feature can be easily
> turned on. There were too many complaints. The security(1) man
> page will be created/updated to include the appropriate info.

Complaints? The naked truth is that it will not work in any but the simplest setups, unless you add code to named to temporarily regain privs before updating the pid file or rescanning interfaces. Doing so will void any security the sandbox may give you, since it will make it possible for hypothetical buffer overflow exploits to regain privs.

If named is run in the sandbox, it will have to be restarted every time an interface comes up after being down an hour or more - less if you lower interface-interval in /etc/namedb/named.conf, which you probably will if you run a caching nameserver on a box that has a dynamic IP address (e.g. a dialout gateway).

It will also complain loudly every time it receives any of SIGHUP, SIGINT, SIGILL, SIGSYS or SIGTERM unless you perform the appropriate named.conf magic to move the pid and dump files to a directory writable by bind:bind.

OBTW, the /etc/named/s/ hack is just that - a hack, and an ugly one at that. You'll just have to come to terms with the fact that named needs privs.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no
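The property DES's argument turns on is that a sandbox drop must be irrevocable, which is exactly what stops the daemon from later rewriting a root-owned pid file. The following is an added example, not code from named or FreeBSD: it drops to a uid:gid with setuid() rather than seteuid() and then checks that re-escalation is refused; the choice of ids and the self-check are the example's own assumptions.

```c
/* Irrevocable privilege drop of the kind a daemon sandbox needs
 * (added example; not named's code). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid:gid permanently. Returns 0 on success, -1 on failure.
 * Call this only after everything that needs root has been opened
 * (the listening socket, the pid file in a root-owned directory),
 * because none of it can be reopened afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Groups first: once the uid is non-zero, setgroups/setgid fail.
     * setgroups() itself needs root, so skip it when already unprivileged. */
    if (geteuid() == 0 && setgroups(1, &gid) == -1) return -1;
    if (setgid(gid) == -1) return -1;
    /* setuid(), not seteuid(): from root it sets the real, effective and
     * saved uid, leaving no saved uid 0 to switch back to. seteuid() would
     * keep saved uid 0, so the process (or whoever controls it after an
     * overflow) could call seteuid(0) again, the "regain privs" problem. */
    if (setuid(uid) == -1) return -1;

    /* Verify the drop really is irrevocable: re-escalation must fail. */
    if (uid != 0) {
        if (setuid(0) != -1 || errno != EPERM) return -1;
        if (seteuid(0) != -1 || errno != EPERM) return -1;
    }
    return 0;
}

int main(void)
{
    /* Run as root to see a real drop to an unprivileged account (assumed
     * ids 53:53 here); run unprivileged, it drops to the current ids. */
    uid_t uid = geteuid() == 0 ? (uid_t)53 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)53 : getgid();
    if (drop_privileges(uid, gid) == -1) { perror("drop_privileges"); return 1; }
    printf("uid=%lu euid=%lu; setuid(0) is now refused\n",
           (unsigned long)getuid(), (unsigned long)geteuid());
    return 0;
}
```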