From owner-freebsd-security Sun Jul 25 15:51:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-193-112-19.dsl.snfc21.pacbell.net [63.193.112.19]) by hub.freebsd.org (Postfix) with ESMTP id B510314D12 for ; Sun, 25 Jul 1999 15:51:14 -0700 (PDT) (envelope-from mike@snafu.adept.org)
Received: from localhost (mike@localhost) by snafu.adept.org (8.9.3/8.9.3) with ESMTP id PAA24713; Sun, 25 Jul 1999 15:50:49 -0700 (PDT)
Date: Sun, 25 Jul 1999 15:50:49 -0700 (PDT)
From: Mike Hoskins
To: Sue Blake
Cc: security@FreeBSD.ORG
Subject: Re: sandbox??
In-Reply-To: <19990726065455.N7324@welearn.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 26 Jul 1999, Sue Blake wrote:

> without confusion. After some good feedback on sandboxes, it seems that
> the latter is the more appropriate, particularly in view of the
> concurrent scarcity of documentation for BIND 8.

I really don't understand all the confusion. A quick search for 'BIND sandbox' turned up hits for me. BIND 8, as well, is one of the most documented services in existence. If you prefer online documentation, there's ISC's numerous resources and a plethora of mirrors (antisocial.net is one). If you like hard copies, DNS & BIND, 3rd Ed., is great for BIND 4.x and 8.x.

Re: BIND sandbox, see http://www.psionic.com/papers/dns/dns-openbsd/ for a general idea of what we're talking about, and how many of us were implementing this before it was a default 'feature'. I'm glad to finally see it included.

I run BIND in a sandbox on my 3.2-R and 4.0-C systems and it works great. Rather than setting up a non-standard chroot() area, I just kept /etc/namedb around, did a 'chgrp bind /etc/namedb' and 'chmod 774 /etc/namedb', and added a 'pid-file "/etc/namedb/named.pid";' entry to named.conf so named wouldn't need access to /var/run.

Mike Hoskins

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
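The two properties Mike relies on (the pid-file declared in named.conf resolves inside the sandbox directory, and that directory is group-owned by the group named runs as) are easy to get wrong after an upgrade or a manual edit, so they are worth checking mechanically. The script below is an added example, not code from the message or from FreeBSD; the sandbox path /etc/namedb, the group name bind and the sample named.conf written by the demo are constructed assumptions, and nothing here requires root or touches a real named installation.

```shell
#!/bin/sh
# Sanity checks for a BIND sandbox laid out as described in the message:
#   - named.conf must declare a pid-file that lies inside the sandbox dir
#   - the sandbox dir must be group-owned by the group named runs as
# Added example with constructed paths; not FreeBSD's or the author's code.

# Print the pid-file path declared in the named.conf given as $1 (first
# match only), or nothing if the directive is absent.
pidfile_from_conf() {
    # matches lines like:  pid-file "/etc/namedb/named.pid";
    sed -n 's/^[[:space:]]*pid-file[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# Return 0 when path $1 lies strictly inside directory $2, else 1.
# A trailing slash on the sandbox argument is tolerated.
path_inside() {
    path=$1
    sandbox=${2%/}
    case "$path" in
        "$sandbox"/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Return 0 when the pid-file in named.conf $1 lies inside sandbox dir $2.
# A pid-file outside the sandbox means named would need access to a
# directory (typically /var/run) that the chroot is supposed to hide.
check_pidfile() {
    conf=$1
    sandbox=$2
    pf=$(pidfile_from_conf "$conf")
    if [ -z "$pf" ]; then
        echo "warn: no pid-file directive in $conf" >&2
        return 1
    fi
    if path_inside "$pf" "$sandbox"; then
        echo "ok: pid-file $pf is inside $sandbox"
        return 0
    fi
    echo "warn: pid-file $pf is outside $sandbox" >&2
    return 1
}

# Return 0 when directory $1 is group-owned by $2 (name or numeric gid).
# Uses POSIX find -prune/-group so it behaves the same on BSD and Linux.
check_group() {
    dir=$1
    group=$2
    [ -n "$(find "$dir" -prune -group "$group" 2>/dev/null)" ]
}

# Demo on a constructed sandbox in a temporary directory (assumed layout,
# not a real /etc/namedb). Runs stand-alone and cleans up after itself.
demo_dir=$(mktemp -d)
printf 'options {\n    directory "/etc/namedb";\n    pid-file "/etc/namedb/named.pid";\n};\n' \
    > "$demo_dir/named.conf"
check_pidfile "$demo_dir/named.conf" /etc/namedb || true
if check_group "$demo_dir" "$(id -g)"; then
    echo "ok: $demo_dir is group-owned by gid $(id -g)"
fi
rm -rf "$demo_dir"
```

On a real host you would run check_pidfile against /etc/namedb/named.conf with /etc/namedb as the sandbox and check_group against /etc/namedb with the group bind; the prefix test in path_inside is deliberately a string comparison, so a symlink inside the sandbox pointing outside it would still need a separate check.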