From owner-freebsd-security  Sun Jul 25 15:51:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-193-112-19.dsl.snfc21.pacbell.net [63.193.112.19])
	by hub.freebsd.org (Postfix) with ESMTP id B510314D12
	for <security@FreeBSD.ORG>; Sun, 25 Jul 1999 15:51:14 -0700 (PDT)
	(envelope-from mike@snafu.adept.org)
Received: from localhost (mike@localhost)
	by snafu.adept.org (8.9.3/8.9.3) with ESMTP id PAA24713;
	Sun, 25 Jul 1999 15:50:49 -0700 (PDT)
Date: Sun, 25 Jul 1999 15:50:49 -0700 (PDT)
From: Mike Hoskins <mike@snafu.adept.org>
To: Sue Blake <sue@welearn.com.au>
Cc: security@FreeBSD.ORG
Subject: Re: sandbox??
In-Reply-To: <19990726065455.N7324@welearn.com.au>
Message-ID: <Pine.BSF.4.10.9907251539570.24644-100000@snafu.adept.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 26 Jul 1999, Sue Blake wrote:

> without confusion. After some good feedback on sandboxes, it seems that
> the latter is the more appropriate, particularly in view of the
> concurrent scarcity of documentation for BIND 8.

I really don't understand all the confusion.  A quick search for
'BIND sandbox' turned up hits for me.

BIND 8, as well, is one of the most documented services in existence.  If
you prefer online documentation, there's ISC's numerous resources and a
plethora of mirrors (antisocial.net is one).  If you like hard copies, DNS
& BIND 3rd. Ed. is great for BIND 4.x and 8.x.

Re: BIND Sandbox, see http://www.psionic.com/papers/dns/dns-openbsd/ for a
general idea of what we're talking about, and how many of us were
implementing this before it was a default 'feature'.  I'm glad to finally
see it included.

I run BIND in a sandbox on my 3.2-R and 4.0-C systems and it works great.
Rather than setting up a non-standard chroot() area I just kept
/etc/namedb around, did a 'chgrp bind /etc/namedb', 'chmod 774
/etc/namedb', and added a 'pid-file "/etc/namedb/named.pid";' entry to
named.conf so named wouldn't need access to /var/run.

Mike Hoskins
<mike@adept.org>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message