From owner-cvs-all  Thu Aug 23 10:53:13 2001
Delivered-To: cvs-all@freebsd.org
Received: from mail.wolves.k12.mo.us (mail.wolves.k12.mo.us [207.160.214.1])
	by hub.freebsd.org (Postfix) with ESMTP
	id 2150037B408; Thu, 23 Aug 2001 10:53:07 -0700 (PDT)
	(envelope-from cdillon@wolves.k12.mo.us)
Received: from mail.wolves.k12.mo.us (cdillon@mail.wolves.k12.mo.us [207.160.214.1])
	by mail.wolves.k12.mo.us (8.9.3/8.9.3) with ESMTP id MAA77626;
	Thu, 23 Aug 2001 12:52:52 -0500 (CDT)
	(envelope-from cdillon@wolves.k12.mo.us)
Date: Thu, 23 Aug 2001 12:52:51 -0500 (CDT)
From: Chris Dillon <cdillon@wolves.k12.mo.us>
To: Matt Dillon <dillon@earth.backplane.com>
Cc: "Andrey A. Chernov" <ache@nagual.pp.ru>,
	Brian Somers <brian@Awfulhak.org>,
	Jun Kuriyama <kuriyama@FreeBSD.ORG>, <cvs-committers@FreeBSD.ORG>,
	<cvs-all@FreeBSD.ORG>, <brian@freebsd-services.com>
Subject: Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist
 src/etc/namedb named.conf
In-Reply-To: <200108231645.f7NGjYe86993@earth.backplane.com>
Message-ID: <Pine.BSF.4.32.0108231248590.77439-100000@mail.wolves.k12.mo.us>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

On Thu, 23 Aug 2001, Matt Dillon wrote:

>
>     I like the idea of, finally, invoking named in a sandbox.  I don't
>     understand why the pidfile location has to change, though.  named
>     creates its pidfile as root before it setuid's itself.
>
>     While it is true that named cannot rescan interfaces when operating
>     in this mode, this restriction has never been an impediment to anything
>     I've ever done with it.  Most dialup users don't run named, they simply
>     allow ppp to setup /etc/resolv.conf for them.  Those who do will be savvy
>     enough to add the appropriate override to /etc/rc.conf (or won't have to
>     if they don't bother to mergemaster the new default rc files).

Just thought of something... Correct me if I'm wrong, but named only
needs to bind to an interface that it will receive queries on, right?
How many cases (a handful?) will we have where the dynamic interface
that BIND will not be able to attach to in a sandbox is the one where
queries will be coming in on?  BIND can still make outgoing queries on
any interface wether it is bound to it or not, right?  I think that
would significantly lessen the number of people we think this is going
to affect.

--
 Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
 FreeBSD: The fastest and most stable server OS on the planet
 - Available for IA32 (Intel x86) and Alpha architectures
 - IA64, PowerPC, UltraSPARC, and ARM architectures under development
 - http://www.freebsd.org



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message