From owner-cvs-all Thu Aug 23 9:45:58 2001
Delivered-To: cvs-all@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id F33A437B403; Thu, 23 Aug 2001 09:45:46 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f7NGjYe86993; Thu, 23 Aug 2001 09:45:34 -0700 (PDT) (envelope-from dillon)
Date: Thu, 23 Aug 2001 09:45:34 -0700 (PDT)
From: Matt Dillon
Message-Id: <200108231645.f7NGjYe86993@earth.backplane.com>
To: "Andrey A. Chernov"
Cc: Brian Somers, Jun Kuriyama, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf
References: <20010823174457.A27360@nagual.pp.ru> <200108231413.f7NEDvg71094@hak.lan.Awfulhak.org> <20010823185515.A28168@nagual.pp.ru>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

    I like the idea of, finally, invoking named in a sandbox.  I don't
    understand why the pidfile location has to change, though.  named
    creates its pidfile as root before it setuid's itself.

    While it is true that named cannot rescan interfaces when operating
    in this mode, this restriction has never been an impediment to
    anything I've ever done with it.  Most dialup users don't run named,
    they simply allow ppp to setup /etc/resolv.conf for them.  Those who
    do will be savvy enough to add the appropriate override to
    /etc/rc.conf (or won't have to if they don't bother to mergemaster
    the new default rc files).

    I know it isn't a perfect solution, but we *REALLY* need to secure
    named this time around.  It is years past the time we should have
    done it.

					-Matt

:> > > Invoke named with privilege of bind:bind.
:> > > Change pidfile location to /var/run/named/pid.
:> >
:> > Is it discussed or did I miss something? We already have an option to run it
:> > in the bind sandbox, but as a non-default option. Some functions don't work in
:> > the bind sandbox, I don't remember exactly at this moment.
:>
:> named won't be able to listen on interface addresses that are not
:> configured when named is invoked.  This can break name services on a
:> dialup server quite badly.
:
:Yes, exactly this thing.
:
:> I think this change should be reverted.
:
:I too.
:If named allows root compromise, better fix named.
:
:--
:Andrey A. Chernov
:http://ache.pp.ru/
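A check an administrator can run after picking up the new default, added here as an example and not part of the thread or the commit: it confirms that the live named process really dropped to the bind account and reports who owns the pidfile. It assumes the pidfile path /var/run/named/pid and the account name bind from the commit message, and is plain POSIX sh rather than the FreeBSD rc machinery.

```shell
#!/bin/sh
# Added example, not from the thread. Given a pidfile and the account named
# is supposed to run as (user name or numeric uid), verify the running process
# has that uid and print the pidfile owner (the pidfile is written by root
# before the setuid, as discussed above). Returns 0 on match, 1 on mismatch,
# 2 when the inputs cannot be evaluated.
named_privs_check() {
    pidfile=$1
    expected=$2
    [ -r "$pidfile" ] || { echo "cannot read pidfile $pidfile"; return 2; }
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || { echo "no pid found in $pidfile"; return 2; }
    # Accept either a numeric uid or a user name for the expected account.
    case $expected in
        *[!0-9]*) expected_uid=$(id -u "$expected" 2>/dev/null) ;;
        *)        expected_uid=$expected ;;
    esac
    [ -n "$expected_uid" ] || { echo "unknown account '$expected'"; return 2; }
    # Real uid of the running process; fall back to /proc on Linux if ps is absent.
    actual_uid=$(ps -o uid= -p "$pid" 2>/dev/null | tr -d ' ')
    if [ -z "$actual_uid" ] && [ -r "/proc/$pid/status" ]; then
        actual_uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
    fi
    [ -n "$actual_uid" ] || { echo "pid $pid from $pidfile is not running"; return 2; }
    owner=$(ls -ld "$pidfile" | awk '{print $3}')
    echo "pidfile $pidfile owned by $owner; pid $pid runs as uid $actual_uid"
    if [ "$actual_uid" != "$expected_uid" ]; then
        echo "MISMATCH: expected uid $expected_uid ($expected), process has uid $actual_uid"
        return 1
    fi
    return 0
}

# Assumed layout from the commit message: pidfile under /var/run/named, user bind.
if [ "${1:-}" = "--run" ]; then
    named_privs_check /var/run/named/pid bind
fi
```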