From owner-freebsd-security Thu Nov 11 22:13:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from vampire.gothic.net.au (vampire.gothic.net.au [202.182.72.18]) by hub.freebsd.org (Postfix) with ESMTP id 92DA914D6E for ; Thu, 11 Nov 1999 22:13:38 -0800 (PST) (envelope-from sean@gothic.net.au) Received: by vampire.gothic.net.au (Postfix, from userid 1000) id D3865A829; Fri, 12 Nov 1999 17:13:36 +1100 (EST) Received: from localhost (localhost [127.0.0.1]) by vampire.gothic.net.au (Postfix) with ESMTP id A9AA4380A; Fri, 12 Nov 1999 17:13:36 +1100 (EST) Date: Fri, 12 Nov 1999 17:13:36 +1100 (EST) From: Sean Winn To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Why not sandbox BIND? In-Reply-To: <4.2.0.58.19991111220759.044f46d0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 11 Nov 1999, Brett Glass wrote: > I assume you mean rc.conf, not named.conf. > > In any case, maybe there should be a "sandbox BIND" flag in rc.conf > that selects a sandboxed configuration and is on by default. > Also, it'd be nice to have the user "named" already in /etc/passwd > and ready to go. As in the existing... bind:*:53:53:Bind Sandbox:/:/sbin/nologin In /etc/defaults/rc.conf there's an example named_flags line... #named_flags="-u bind -g bind" # Flags for named -- Sean Winn email: sean@gothic.net.au All opinions valued at $0.02, and not subject to inflation. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message