From owner-freebsd-security Fri Nov 12 7:46: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from overcee.netplex.com.au (overcee.netplex.com.au [202.12.86.7]) by hub.freebsd.org (Postfix) with ESMTP id 960FE14EFD for ; Fri, 12 Nov 1999 07:46:00 -0800 (PST) (envelope-from peter@netplex.com.au)
Received: from netplex.com.au (localhost [127.0.0.1]) by overcee.netplex.com.au (Postfix) with ESMTP id DAC251C6D; Fri, 12 Nov 1999 23:45:59 +0800 (WST) (envelope-from peter@netplex.com.au)
X-Mailer: exmh version 2.0.2 2/24/98
To: Bill Fumerola
Cc: Brett Glass, Cy Schubert - ITSD Open Systems Group, security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
In-reply-to: Your message of "Fri, 12 Nov 1999 09:22:52 EST."
Date: Fri, 12 Nov 1999 23:45:59 +0800
From: Peter Wemm
Message-Id: <19991112154559.DAC251C6D@overcee.netplex.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bill Fumerola wrote:
> On Thu, 11 Nov 1999, Brett Glass wrote:
>
> > I assume you mean rc.conf, not named.conf.
> >
> > In any case, maybe there should be a "sandbox BIND" flag in rc.conf
> > that selects a sandboxed configuration and is on by default.
> > Also, it'd be nice to have the user "named" already in /etc/passwd
> > and ready to go.
>
> bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
>
> You mean like that in src/etc/master.passwd?

*Beware* - do not do this if you have dynamic interface configuration, eg
if you run ppp[d] or anything.  Bind depends on being able to bind to
port 53 if the interface configuration changes.  This is why it's not on
by default.

Cheers,
-Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
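The failure mode Peter warns about, shown as an added example that is not part of the thread, of FreeBSD or of BIND: a process binds UDP port 53 while still root, drops to an unprivileged uid/gid the way a sandboxed named does, and then tries to bind port 53 a second time, which is what named has to do when an interface appears or changes address. On a stock kernel the second bind is refused with EACCES, because ports below 1024 need root (on Linux, CAP_NET_BIND_SERVICE) and the uid change discarded that. The account name `nobody`, the fallback uid 65534, the loopback address and the function names are all assumptions made for the demonstration.

```python
"""Why a privilege-dropped name server cannot re-bind port 53.

Added example, not code from the mailing-list thread, FreeBSD or BIND.
It models the sandboxed-named sequence: bind the DNS port as root, drop
privileges, bind it again (as named must after an interface change).
"""
import errno
import os
import pwd
import socket

DNS_PORT = 53
# Assumption: an unprivileged account with this name exists on the host.
UNPRIV_USER = "nobody"
UNPRIV_FALLBACK_UID = 65534  # assumption: conventional "nobody" uid/gid


def try_bind(port, addr="127.0.0.1"):
    """Bind a UDP socket to addr:port and release it.

    Returns 0 on success, otherwise the errno: EACCES is the
    privileged-port refusal, EADDRINUSE means something already owns it.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((addr, port))
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        sock.close()


def drop_privileges(user=UNPRIV_USER):
    """Irreversibly switch to an unprivileged uid/gid, like named -u/-g."""
    try:
        entry = pwd.getpwnam(user)
        uid, gid = entry.pw_uid, entry.pw_gid
    except KeyError:
        uid = gid = UNPRIV_FALLBACK_UID
    os.setgroups([])  # supplementary groups first, while still root
    os.setgid(gid)    # gid before uid, or setgid would itself be refused
    os.setuid(uid)


def rebind_after_drop():
    """Run the whole sequence; return {step: errno} for inspection.

    Meaningful when started as root. As a normal user both binds of port
    53 fail the same way, which is exactly the state a sandboxed named
    is in once it has dropped privileges.
    """
    results = {"before_drop": try_bind(DNS_PORT)}
    if os.geteuid() == 0:
        drop_privileges()
    results["after_drop"] = try_bind(DNS_PORT)
    # An unprivileged (ephemeral) port is still fine after the drop.
    results["ephemeral_after_drop"] = try_bind(0)
    return results


def explain(code):
    """Map an errno from try_bind to a short verdict string."""
    if code == 0:
        return "bound"
    return "refused: " + errno.errorcode.get(code, str(code))


if __name__ == "__main__":
    for step, code in rebind_after_drop().items():
        print(f"{step:>22}: {explain(code)}")
```

Run it as root to see `before_drop: bound` followed by `after_drop: refused: EACCES`; that second line is the condition Peter describes, and it is why a named started with `-u`/`-g` cannot follow a ppp interface coming up. One caveat when reproducing: on Linux kernels that honour `net.ipv4.ip_unprivileged_port_start`, lowering that sysctl makes the post-drop bind succeed, so the demonstration depends on the default of 1024.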