Date: Thu, 11 Nov 1999 17:21:12 -0600 (CST)
From: "Craig H. Rowland" <crowland@psionic.com>
To: Brett Glass <brett@lariat.org>
Cc: security@freebsd.org
Subject: Re: Why not sandbox BIND?
Message-ID: <Pine.LNX.4.10.9911111715070.4354-100000@dolemite.psionic.com>
In-Reply-To: <4.2.0.58.19991111160840.042469d0@localhost>

BIND 8.x allows one to chroot() it very easily. There are even built-in command line options to facilitate this. I wrote a quick document up on how to do this for OpenBSD a while back. Since they now run BIND chroot()ed by default it may be moot, but it still contains useful information that applies directly to the FreeBSD platform.

Such a simple precaution as running BIND in a chroot() area can really prevent a lot of problems if something goes wrong. I personally wouldn't run BIND without this protection.

http://www.psionic.com/papers/dns/dns-openbsd/

-- Craig

On Thu, 11 Nov 1999, Brett Glass wrote:

> OpenBSD sandboxes BIND, which means that most of the vulnerabilities in the
> CERT advisory would be moot.
>
> Should the same be done by default in FreeBSD? There's no reason for BIND
> to be privileged.
>
> --Brett
