Date:      Thu, 23 Aug 2001 13:11:01 -0400 (EDT)
From:      Mike Silbersack <silby@silby.com>
To:        Chris Dillon <cdillon@wolves.k12.mo.us>
Cc:        Brian Somers <brian@Awfulhak.org>, "Andrey A. Chernov" <ache@nagual.pp.ru>, Jun Kuriyama <kuriyama@imgsrc.co.jp>, <cvs-committers@FreeBSD.org>, <cvs-all@FreeBSD.org>, <brian@freebsd-services.com>
Subject:   Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf 
Message-ID:  <Pine.BSF.4.30.0108231307280.29579-100000@niwun.pair.com>
In-Reply-To: <Pine.BSF.4.32.0108231143390.75946-100000@mail.wolves.k12.mo.us>


On Thu, 23 Aug 2001, Chris Dillon wrote:

> Yes, true.  In -CURRENT this won't be a big deal.  In -STABLE it is
> probably good enough that we have a note in defaults/rc.conf that
> named can be run in a sandbox.  It doesn't really motivate one to do
> so, though.  Maybe instead of saying "it may be possible to run named
> in a sandbox" we could be a little more assertive and say "it would be
> a REALLY good idea if you ran named in a sandbox".

Well, the difference is this.

If the default behavior is changed, and an entry is added to UPDATING /
the release notes, a few modem users will be annoyed.  They will get over
it quickly.

If the default behavior is not changed, and another hole is found in BIND,
thousands of boxes will be easily rootable.  At this point in time, the
many users of BIND will not be really happy when the advisory says "We
told you to sandbox it in rc.conf!"

So, the question in my mind isn't whether this change will break modem
users; that's easy enough to fix and has a minimal impact.  The question
is:  will enabling sandboxing potentially break systems which act as
secondaries when they try to grab updated zones?  _That_ would be a
serious problem.

Mike "Silby" Silbersack

