Date: Fri, 12 Nov 1999 23:45:59 +0800 From: Peter Wemm <peter@netplex.com.au> To: Bill Fumerola <billf@chc-chimes.com> Cc: Brett Glass <brett@lariat.org>, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, security@FreeBSD.ORG Subject: Re: Why not sandbox BIND? Message-ID: <19991112154559.DAC251C6D@overcee.netplex.com.au> In-Reply-To: Your message of "Fri, 12 Nov 1999 09:22:52 EST." <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Bill Fumerola wrote: > On Thu, 11 Nov 1999, Brett Glass wrote: > > > I assume you mean rc.conf, not named.conf. > > > > In any case, maybe there should be a "sandbox BIND" flag in rc.conf > > that selects a sandboxed configuration and is on by default. > > Also, it'd be nice to have the user "named" already in /etc/passwd > > and ready to go. > > bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin > > You mean like that in src/etc/master.passwd? *Beware* - do not do this if you have dyanmic interface configuration, eg if you run ppp[d] or anything. Bind depends on being able to bind to port 53 if the interface configuration changes. This is why it's not on by default. Cheers, -Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991112154559.DAC251C6D>