Message-ID: <19991112172438.A57962@enst.fr>
Date: Fri, 12 Nov 1999 17:24:38 +0100
From: Pierre Beyssac
To: Alain Thivillon, security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
References: <19991112154559.DAC251C6D@overcee.netplex.com.au> <19991112170835.J352@yoko.hsc.fr>
In-Reply-To: <19991112170835.J352@yoko.hsc.fr>; from Alain Thivillon on Fri, Nov 12, 1999 at 05:08:35PM +0100

On Fri, Nov 12, 1999 at 05:08:35PM +0100, Alain Thivillon wrote:
> > if you run ppp[d] or anything. Bind depends on being able to bind to port
> > 53 if the interface configuration changes. This is why it's not on by
> > default.
>
> You should also please note that the sandbox should be in same FS as
> /var/run/log if you want logging via syslog continue working.

You don't need this. /var/run/log can be a symbolic link to
/chroot/var/run/log, then you start syslogd with option
-p /chroot/var/run/log. The only gotcha is that you need to clean up
/chroot/var/run/ at startup or syslogd won't start.

That's what I use on ns.eu.org but it took me some time to figure
it out...

Even better, you can use syslogd's -l option to create as many
/chroot/dev/log as you need for chrooted environments, as explained
by Craig Rowland in his paper. Then you don't need any symbolic or
hard link stuff.
-- 
Pierre Beyssac pb@enst.fr
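
The two setups described in the message above, sketched as a startup helper. This is an added example, not part of the original post: the function names and any chroot paths passed in are assumptions, and it only prepares the directories and prints the syslogd flags instead of starting the daemon.

```shell
#!/bin/sh
# Added example: prepare log sockets for chrooted daemons and build the
# matching syslogd flags. Function names are hypothetical; paths passed in
# must not contain whitespace, because the flags are returned as one string.

# Remove a stale socket (or leftover symlink) from a previous run, but
# refuse to delete anything else that happens to sit at the socket path.
clean_stale_socket() {
    sock=$1
    if [ -S "$sock" ] || [ -L "$sock" ]; then
        rm -f "$sock"
    elif [ -e "$sock" ]; then
        echo "refusing to remove non-socket $sock" >&2
        return 1
    fi
}

# Variant with -l: one additional socket per chroot, no links needed.
# Prints the flags for syslogd, one "-l <root>/dev/log" per chroot root.
syslogd_l_flags() {
    flags=""
    for root in "$@"; do
        mkdir -p "$root/dev" || return 1
        clean_stale_socket "$root/dev/log" || return 1
        flags="$flags -l $root/dev/log"
    done
    echo "${flags# }"
}

# Variant with -p: the main socket lives inside the chroot and a symlink at
# the usual location (normally /var/run/log) points to it.
syslogd_p_flags() {
    root=$1
    usual=$2
    mkdir -p "$root/var/run" || return 1
    clean_stale_socket "$root/var/run/log" || return 1
    ln -sf "$root/var/run/log" "$usual" || return 1
    echo "-p $root/var/run/log"
}
```

The printed flags are meant to be appended to the syslogd command line in the system's startup configuration, after the cleanup has run.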