From owner-freebsd-security Fri Nov 12 8:13:32 1999
Delivered-To: freebsd-security@freebsd.org
Received: from itesec.hsc.fr (itesec.hsc.fr [192.70.106.33]) by hub.freebsd.org (Postfix) with ESMTP id 551FC14F27 for ; Fri, 12 Nov 1999 08:13:26 -0800 (PST) (envelope-from Alain.Thivillon@hsc.fr)
Received: by itesec.hsc.fr (Postfix) id A778810EC2; Fri, 12 Nov 1999 17:13:25 +0100 (CET)
Date: Fri, 12 Nov 1999 17:08:35 +0100
From: Alain Thivillon
To: security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
Message-ID: <19991112170835.J352@yoko.hsc.fr>
References: <19991112154559.DAC251C6D@overcee.netplex.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 1.0pre2i
In-Reply-To: <19991112154559.DAC251C6D@overcee.netplex.com.au>
X-Organization: Herve Schauer Consultants
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Peter Wemm wrote:
> *Beware* - do not do this if you have dynamic interface configuration, eg
> if you run ppp[d] or anything. Bind depends on being able to bind to port
> 53 if the interface configuration changes. This is why it's not on by
> default.

You should also please note that the sandbox should be in the same FS as /var/run/log if you want logging via syslog to continue working.
I use this:

    named_flags="-t /var/named -c /etc/named.conf"

and:

    78 [17:06] thivillo@yoko:/# ls -lR /var/named
    total 4
    drwxr-xr-x  2 root  wheel   512 Nov 12 16:43 etc/
    drwxr-xr-x  4 root  wheel   512 Nov 12 16:43 var/

    /var/named/etc:
    total 4
    -rw-r--r--  1 root  wheel  1927 Nov 12 16:43 named.conf

    /var/named/var:
    total 4
    drwxr-xr-x  2 root  wheel   512 Nov 12 16:42 named/
    drwxr-xr-x  2 root  wheel   512 Nov 12 17:05 run/

    /var/named/var/named:
    total 640
    [Zones]

    /var/named/var/run:
    total 2
    srw-rw-rw-  2 root  wheel     0 Nov 12 13:59 log=
    -rw-r--r--  1 root  wheel     5 Nov 12 17:05 named.pid
    srw-------  1 root  wheel     0 Nov 12 17:05 ndc=

/var/named/var/run/log is a hard link to /var/run/log.

Bind 8.2.2P3 is happy:

    Nov 12 16:05:28 yoko named[1595]: listening on [127.0.0.1].53 (lo0)
    Nov 12 16:05:28 yoko named[1595]: listening on [192.70.106.76].53 (ep0)
    Nov 12 16:05:28 yoko named[1595]: Forwarding source address is [0.0.0.0].1272
    Nov 12 16:05:28 yoko named[1596]: chrooted to /var/named
    Nov 12 16:05:28 yoko named[1596]: Ready to answer queries.
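The layout above, and the same-filesystem requirement for the syslog socket, as an added example script (not part of the original post and not FreeBSD's or BIND's own code). It builds the etc/, var/named and var/run directories under a sandbox root, checks with df -P that the socket and the sandbox share a filesystem before attempting the hard link (a hard link cannot cross a mount point), and reports the resulting link count, which the listing above shows as 2 for log=. The function names, and the use of a plain file as a stand-in for /var/run/log when exercising it outside a real system, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: set up a BIND chroot directory
# tree like the one in the listing and hard-link the syslog socket into it.
# On a real host: make_named_sandbox /var/named; link_syslog_socket /var/run/log /var/named
set -eu

# make_named_sandbox ROOT
# Creates ROOT/etc, ROOT/var/named and ROOT/var/run (mode 755, as listed).
make_named_sandbox() {
    root=$1
    mkdir -p "$root/etc" "$root/var/named" "$root/var/run"
    chmod 755 "$root" "$root/etc" "$root/var" "$root/var/named" "$root/var/run"
}

# same_filesystem A B
# Succeeds when both paths live on the same mounted filesystem, which is the
# precondition for a hard link. df -P is POSIX: the first field of the second
# output line is the filesystem (device) name.
same_filesystem() {
    a=$(df -P "$1" | awk 'NR==2 {print $1}')
    b=$(df -P "$2" | awk 'NR==2 {print $1}')
    [ "$a" = "$b" ]
}

# link_syslog_socket SOCKET ROOT
# Hard-links SOCKET (normally /var/run/log) to ROOT/var/run/log so a chrooted
# named can still reach syslogd. Returns 1, without touching anything, when the
# sandbox sits on a different filesystem; that is the case the post warns about.
link_syslog_socket() {
    sock=$1
    root=$2
    if ! same_filesystem "$sock" "$root/var/run"; then
        echo "refusing: $sock and $root/var/run are on different filesystems" >&2
        return 1
    fi
    ln -f "$sock" "$root/var/run/log"
}

# link_count PATH
# Prints the hard-link count, taken from the second column of ls -ld; this
# column is the same on BSD and GNU ls, unlike stat(1) flags.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}
```

Run the check before switching named to -t: a link count of 2 on the sandbox copy of log confirms that the socket really is shared with /var/run/log, rather than being a stale copy that syslogd never listens on.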