From owner-cvs-all  Thu Aug 23 11:17:17 2001
Delivered-To: cvs-all@freebsd.org
Received: from green.bikeshed.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id BD79637B401; Thu, 23 Aug 2001 11:17:04 -0700 (PDT)
	(envelope-from green@green.bikeshed.org)
Received: from localhost (green@localhost)
	by green.bikeshed.org (8.11.4/8.11.1) with ESMTP id f7NIGxW14790;
	Thu, 23 Aug 2001 14:16:59 -0400 (EDT)
	(envelope-from green@green.bikeshed.org)
Message-Id: <200108231816.f7NIGxW14790@green.bikeshed.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Matt Dillon <dillon@earth.backplane.com>
Cc: "Brian F. Feldman" <green@FreeBSD.ORG>,
	"Andrey A. Chernov" <ache@nagual.pp.ru>,
	Brian Somers <brian@Awfulhak.org>,
	Jun Kuriyama <kuriyama@FreeBSD.ORG>, cvs-committers@FreeBSD.ORG,
	cvs-all@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf 
In-Reply-To: Message from Matt Dillon <dillon@earth.backplane.com> 
   of "Thu, 23 Aug 2001 10:52:33 PDT." <200108231752.f7NHqXE88004@earth.backplane.com> 
From: "Brian F. Feldman" <green@FreeBSD.ORG>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 23 Aug 2001 14:16:58 -0400
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

Matt Dillon <dillon@earth.backplane.com> wrote:
> 
> :For what it's worth, here's how I configure named on the computers I run.  
> :Not that it's the best way, but it's definitely very reasonable for a 
> :default if nothing else.
> :
> :In rc.conf I use:
> :syslogd_flags="-s -l /etc/namedb/var/run/log"   # Flags to syslogd (if enabled).
> :named_flags="-u daemon -g daemon -t /etc/namedb -c named.conf"
> 
>     There is a pre-configured 'bind' user and 'bind' group available, you
>     should use those.  A program isn't running in a sandbox if it shares
>     its uid with other unrelated programs - like portmap (!) for example.

Compromising portmap on my home box would gain absolutely nothing, and 
portmap doesn't run on the other machines.  But generally, yes, I agree it 
should be in a separate group to itself.  I'm just lazy enough not to care 
when it practically makes no difference to my setups :)

>     There is a standard place for bind-modifiable files (a.k.a. secondary
>     files), /etc/namedb/s, and comments in the default named.conf describing
>     how to set it up.  There are comments in the default rc.conf describing
>     how to run named in a sandbox.
> 
>     The only thing I *didn't* do was turn the sandbox on by default and
>     turn on the creation of /etc/namedb/s in the mtree config.

Setting up logging for proper operation is pretty damn important, too.

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message