Date: Mon, 21 Dec 1998 16:11:10 +0100
From: Eivind Eklund <eivind@yes.no>
To: Dag-Erling Smorgrav <des@flood.ping.uio.no>, Matt Dillon <dillon@FreeBSD.ORG>
Cc: security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc rc.conf
Message-ID: <19981221161110.E14124@follo.net>
In-Reply-To: <xzp67b5ft9e.fsf@flood.ping.uio.no>; from Dag-Erling Smorgrav on Mon, Dec 21, 1998 at 03:45:49PM +0100
References: <199812190725.XAA05479@freefall.freebsd.org> <xzp67b5ft9e.fsf@flood.ping.uio.no>

I'm moving this to freebsd-security.

On Mon, Dec 21, 1998 at 03:45:49PM +0100, Dag-Erling Smorgrav wrote:
> Matt Dillon <dillon@FreeBSD.ORG> writes:
> If named is run in the sandbox, it will have to be restarted every
> time an interface comes up after being down an hour or more - less if
> you lower interface-interval in /etc/namedb/named.conf, which you
> probably will if you run a caching nameserver on a box that has a
> dynamic IP address (e.g. a dialout gateway). It will also complain
> loudly every time it receives any of SIGHUP, SIGINT, SIGILL, SIGSYS or
> SIGTERM unless you perform the appropriate named.conf magic to move
> the pid and dump files to a directory writeable by bind:bind.
>
> OBTW, the /etc/named/s/ hack is just that - a hack, and an ugly one at
> that.
>
> You'll just have to come to terms with the fact that named needs
> privs.

... unless you do a series of small modifications. It is not as if
rescanning the interfaces is a _large_ task, or one that couldn't be
done by a forked out half of named, decreasing the chance of a problem
spreading.

You'll just have to come to terms with the fact that you are not a
security person. ;-)

Eivind.
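The "forked out half" split described in the message above, as an added example that is not code from the message or from BIND: a small helper process keeps the right to bind sockets and passes each bound descriptor to the unprivileged worker over a UNIX socket with SCM_RIGHTS. The function names, the `ALLOWED_PORTS` list and the one-line "ip port" request format are assumptions made for this illustration, and Python is used for brevity although named itself is written in C.

```python
import array
import ipaddress
import os
import socket

ALLOWED_PORTS = {0, 53}  # assumption; 0 (ephemeral) lets the demo run without root

def helper_loop(chan):
    """Privileged half: bind UDP sockets on request and pass them to the worker."""
    while req := chan.recv(64):          # empty read: the worker closed the channel
        try:
            ip, port = req.decode().split()
            ipaddress.IPv4Address(ip)    # literal addresses only, no name lookups
            if int(port) not in ALLOWED_PORTS:
                raise ValueError("port not allowed")
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.bind((ip, int(port)))
                fds = array.array("i", [s.fileno()])
                chan.sendmsg([b"S"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, fds)])
        except (ValueError, OSError):
            chan.send(b"N")              # refuse; the worker gets no descriptor

def request_socket(chan, ip, port):
    """Unprivileged half: ask for a bound socket; returns it, or None if refused."""
    chan.send(f"{ip} {port}".encode())
    fds = array.array("i")
    msg, anc, _flags, _addr = chan.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in anc:
        if msg == b"S" and level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
            return socket.socket(fileno=fds[0])
    return None

def start_helper():
    """Fork the helper; the caller is the worker and gets its end of the channel."""
    worker_end, helper_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        worker_end.close()
        try:
            helper_loop(helper_end)
        finally:
            os._exit(0)                  # never fall back into the worker's code
    helper_end.close()  # a real worker would now chroot and setuid to bind:bind
    return worker_end, pid

if __name__ == "__main__":
    chan, _pid = start_helper()
    print(request_socket(chan, "127.0.0.1", 0).getsockname())
```

The helper never parses DNS traffic, so a bug in the worker's packet handling reaches only a process that can ask for sockets on the allowed ports.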