Date:      Thu, 23 Aug 2001 14:16:58 -0400
From:      "Brian F. Feldman" <green@FreeBSD.ORG>
To:        Matt Dillon <dillon@earth.backplane.com>
Cc:        "Brian F. Feldman" <green@FreeBSD.ORG>, "Andrey A. Chernov" <ache@nagual.pp.ru>, Brian Somers <brian@Awfulhak.org>, Jun Kuriyama <kuriyama@FreeBSD.ORG>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, brian@freebsd-services.com
Subject:   Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf 
Message-ID:  <200108231816.f7NIGxW14790@green.bikeshed.org>
In-Reply-To: Message from Matt Dillon <dillon@earth.backplane.com>  of "Thu, 23 Aug 2001 10:52:33 PDT." <200108231752.f7NHqXE88004@earth.backplane.com> 

Matt Dillon <dillon@earth.backplane.com> wrote:
> 
> :For what it's worth, here's how I configure named on the computers I run.  
> :Not that it's the best way, but it's definitely very reasonable for a 
> :default if nothing else.
> :
> :In rc.conf I use:
> :syslogd_flags="-s -l /etc/namedb/var/run/log"   # Flags to syslogd (if enabled).
> :named_flags="-u daemon -g daemon -t /etc/namedb -c named.conf"
> 
>     There is a pre-configured 'bind' user and 'bind' group available, you
>     should use those.  A program isn't running in a sandbox if it shares
>     its uid with other unrelated programs - like portmap (!) for example.

Compromising portmap on my home box would gain absolutely nothing, and 
portmap doesn't run on the other machines.  But generally, yes, I agree it 
should be in a separate group to itself.  I'm just lazy enough not to care 
when it practically makes no difference to my setups :)

>     There is a standard place for bind-modifiable files (a.k.a. secondary
>     files), /etc/namedb/s, and comments in the default named.conf describing
>     how to set it up.  There are comments in the default rc.conf describing
>     how to run named in a sandbox.
> 
>     The only thing I *didn't* do was turn the sandbox on by default and
>     turn on the creation of /etc/namedb/s in the mtree config.

Setting up logging for proper operation is pretty damn important, too.

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
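The two points argued in the thread, a daemon that shares its uid with unrelated programs (portmap) is not really sandboxed, and the syslog socket has to live inside the chroot for logging to work, are both mechanical checks. The script below is an added example, not code from the thread or from FreeBSD: it parses rc.conf-style named_flags/syslogd_flags (BIND 8 era flags as quoted above) and a process listing in the "user pid command" form that `ps -axo user,pid,command` prints, and reports whether named runs as the dedicated bind user and group, is chrooted, and whether syslogd opens its extra socket under that chroot. The sample flags and process listings are constructed for offline use; the function names and the fixed-up flag strings are the example's own. It does not verify the chroot's contents (devices, named.conf, /s directory), only the configuration.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): audit named's sandbox settings.
# Assumptions: flags look like the rc.conf lines quoted in the thread; process
# listings are "user pid command..." lines as from `ps -axo user,pid,command`.

# Constructed sample inputs. WEAK_* mirror the quoted setup; FIXED_* use the
# dedicated bind user/group that the reply recommends.
WEAK_NAMED_FLAGS='-u daemon -g daemon -t /etc/namedb -c named.conf'
FIXED_NAMED_FLAGS='-u bind -g bind -t /etc/namedb -c named.conf'
SYSLOGD_FLAGS='-s -l /etc/namedb/var/run/log'

SAMPLE_PS_WEAK='root 1 /sbin/init
daemon 85 /usr/sbin/portmap
daemon 120 /usr/sbin/named -u daemon -g daemon -t /etc/namedb -c named.conf
root 90 /usr/sbin/syslogd -s -l /etc/namedb/var/run/log'

SAMPLE_PS_FIXED='root 1 /sbin/init
daemon 85 /usr/sbin/portmap
bind 120 /usr/sbin/named -u bind -g bind -t /etc/namedb -c named.conf
root 90 /usr/sbin/syslogd -s -l /etc/namedb/var/run/log'

# flag_value FLAGS OPT: print the word following OPT in FLAGS (empty if absent).
flag_value() {
    opt=$2
    set -- $1                     # word-split the flag string into $1..$n
    while [ $# -gt 1 ]; do
        if [ "$1" = "$opt" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 0
}

# sandbox_check NAMED_FLAGS SYSLOGD_FLAGS: return 0 when named drops to the
# dedicated bind user/group, is chrooted with -t, and syslogd's -l socket is
# located under that chroot; otherwise print each finding and return 1.
sandbox_check() {
    nflags=$1; sflags=$2; rc=0
    user=$(flag_value "$nflags" -u)
    group=$(flag_value "$nflags" -g)
    root=$(flag_value "$nflags" -t)
    sock=$(flag_value "$sflags" -l)
    [ "$user" = bind ]  || { echo "named -u is '${user:-unset}', expected bind"; rc=1; }
    [ "$group" = bind ] || { echo "named -g is '${group:-unset}', expected bind"; rc=1; }
    if [ -z "$root" ]; then
        echo "named is not chrooted (no -t)"; rc=1
    else
        case $sock in
            "$root"/*) ;;            # socket path is inside the chroot
            *) echo "syslogd -l socket '${sock:-unset}' is not under chroot '$root'"; rc=1 ;;
        esac
    fi
    return $rc
}

# named_uid_is_dedicated LISTING: return 0 when no other command in LISTING
# runs as the same user as the named process; return 1 and name the others
# when the uid is shared (2 if no named process is present).
named_uid_is_dedicated() {
    listing=$1
    user=$(printf '%s\n' "$listing" | awk '$3 ~ /named$/ { print $1; exit }')
    if [ -z "$user" ]; then
        echo "no named process found" >&2
        return 2
    fi
    others=$(printf '%s\n' "$listing" |
             awk -v u="$user" '$1 == u && $3 !~ /named$/ { print $3 }')
    if [ -n "$others" ]; then
        echo "named uid '$user' is shared with:" $others
        return 1
    fi
    return 0
}

# Demo against the constructed weak setup; both checks report findings.
sandbox_check "$WEAK_NAMED_FLAGS" "$SYSLOGD_FLAGS" || echo "sandbox_check: FAIL"
named_uid_is_dedicated "$SAMPLE_PS_WEAK" || echo "named_uid_is_dedicated: FAIL"
```

On a live box the listing argument would be `"$(ps -axo user,pid,command)"` and the flag strings would come from `sysrc` or by sourcing /etc/rc.conf; the uid check is deliberately by user name, since that is what `-u` takes and what ps prints.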