Date:      Fri, 12 Nov 1999 17:08:35 +0100
From:      Alain Thivillon <Alain.Thivillon@hsc.fr>
To:        security@FreeBSD.ORG
Subject:   Re: Why not sandbox BIND?
Message-ID:  <19991112170835.J352@yoko.hsc.fr>
In-Reply-To: <19991112154559.DAC251C6D@overcee.netplex.com.au>
References:  <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.com> <19991112154559.DAC251C6D@overcee.netplex.com.au>

Peter Wemm <peter@netplex.com.au> wrote:

> *Beware* - do not do this if you have dynamic interface configuration, eg
> if you run ppp[d] or anything.  Bind depends on being able to bind to port
> 53 if the interface configuration changes.  This is why it's not on by
> default.

You should also note that the sandbox should be on the same FS as
/var/run/log if you want logging via syslog to continue working.

I use this:

named_flags="-t /var/named -c /etc/named.conf"

and:

78 [17:06] thivillo@yoko:/# ls -lR /var/named
total 4
drwxr-xr-x  2 root  wheel  512 Nov 12 16:43 etc/
drwxr-xr-x  4 root  wheel  512 Nov 12 16:43 var/

/var/named/etc:
total 4
-rw-r--r--  1 root  wheel  1927 Nov 12 16:43 named.conf

/var/named/var:
total 4
drwxr-xr-x  2 root  wheel  512 Nov 12 16:42 named/
drwxr-xr-x  2 root  wheel  512 Nov 12 17:05 run/

/var/named/var/named:
total 640
[Zones]

/var/named/var/run:
total 2
srw-rw-rw-  2 root  wheel  0 Nov 12 13:59 log=
-rw-r--r--  1 root  wheel  5 Nov 12 17:05 named.pid
srw-------  1 root  wheel  0 Nov 12 17:05 ndc=

/var/named/var/run/log is a hard link to /var/run/log

Bind 8.2.2P3 is happy:

Nov 12 16:05:28 yoko named[1595]: listening on [127.0.0.1].53 (lo0)
Nov 12 16:05:28 yoko named[1595]: listening on [192.70.106.76].53 (ep0)
Nov 12 16:05:28 yoko named[1595]: Forwarding source address is [0.0.0.0].1272
Nov 12 16:05:28 yoko named[1596]: chrooted to /var/named
Nov 12 16:05:28 yoko named[1596]: Ready to answer queries.
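The layout above is built by hand, and the one thing that silently breaks it is the hard link: a hard link cannot cross a mount point, so if the chroot root is not on the same filesystem as /var/run/log the ln fails and named starts without syslog. The following script is an added example, not code from the mail or from FreeBSD; it creates the same etc/, var/named/, var/run/ skeleton under a chroot root, checks with df -P that the root and the syslog socket share a filesystem before linking, and prints the rc.conf named_flags line the post uses. The chroot root and the socket path are parameters so it can be exercised on scratch paths; the /etc/named.conf location inside the chroot is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original mail): build a BIND chroot tree
# like the one shown above and hard-link syslogd's socket into it,
# refusing to proceed when the sandbox and the socket live on different
# filesystems, since a hard link cannot cross a mount point.
#
# Assumptions (not from the post): the chroot root and the socket path
# are taken as arguments; the config path inside the chroot is
# /etc/named.conf as in the post's named_flags.

# Print the filesystem a path lives on, as reported by POSIX df -P.
# For a path that does not exist yet, the nearest existing parent is used.
fs_of() {
    p=$1
    while [ ! -e "$p" ]; do
        p=$(dirname "$p")
    done
    df -P "$p" | awk 'NR == 2 { print $1 }'
}

# Succeed (exit 0) when both paths are on the same filesystem.
same_fs() {
    [ "$(fs_of "$1")" = "$(fs_of "$2")" ]
}

# Create the directory skeleton named(8) expects under the chroot root.
make_named_tree() {
    root=$1
    for d in etc var/named var/run; do
        mkdir -p -- "$root/$d"
    done
}

# Hard-link syslogd's socket to $root/var/run/log.
# Fails with a clear message, leaving no partial state, when the socket
# is missing or when the link would have to cross a filesystem boundary.
link_syslog_socket() {
    root=$1
    sock=$2
    target="$root/var/run/log"
    if [ ! -e "$sock" ]; then
        echo "link_syslog_socket: $sock does not exist (is syslogd running?)" >&2
        return 1
    fi
    if ! same_fs "$root" "$sock"; then
        echo "link_syslog_socket: $root and $sock are on different filesystems;" \
             "a hard link cannot cross them" >&2
        return 1
    fi
    ln -- "$sock" "$target"
}

# Link count of a file (second field of ls -l), to confirm the link took:
# the socket should show 2 once it is reachable from inside the chroot.
link_count() {
    ls -ld -- "$1" | awk '{ print $2 }'
}

# Assemble the sandbox: tree, syslog link, then the rc.conf line.
# -t is the chroot directory; -c is the config path as seen inside it.
setup_named_chroot() {
    root=$1
    sock=$2
    make_named_tree "$root" || return 1
    link_syslog_socket "$root" "$sock" || return 1
    echo "named_flags=\"-t $root -c /etc/named.conf\""
}
```

On a real host this would be run as `setup_named_chroot /var/named /var/run/log` and the printed line appended to /etc/rc.conf; the zone files still have to be copied into /var/named/var/named and named.conf into /var/named/etc. One caveat worth keeping in mind with the hard-link approach: syslogd unlinks and recreates /var/run/log when it starts, so after a syslogd restart the link inside the chroot refers to the old, orphaned socket and named's logging stops until the link is remade. FreeBSD's syslogd -l option, which makes syslogd itself create an additional socket at a given path, avoids that problem.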



