Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 13 Nov 1999 00:01:36 -0800
From:      "kupek" <kupek@slipstreams.net>
To:        "Matthew Dillon" <dillon@apollo.backplane.com>
Cc:        <security@freebsd.org>
Subject:   Re: Why not sandbox BIND?
Message-ID:  <004d01bf2dad$55b6d1e0$0101a8c0@slipstreams.net>
References:  <4.2.0.58.19991111220759.044f46d0@localhost> <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.c <4.2.0.58.19991112102309.045abf00@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

True, BIND can't be sandbox'd by default. But as someone said earlier, it
should be pretty simple to add an option for rc.conf that will let people
sandbox bind, and a warning that they shouldn't do it with a dynamic IP..
true, its not necessary, but it would probably be helpful to at least a few
people.

----- Original Message -----
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Barry Irwin <bvi@rucus.ru.ac.za>
Subject: Re: Why not sandbox BIND?



:> > --Brett
:>
:> You are _quite_ a way behind.  I believe that almost all of the 3.X
releases
:> have had this ability.  (If you're running later mergemaster is your
friend ;)
:
:3.2 System CVSup'd doesnt have it by default
:su-2.03# cat /etc/passwd | grep named
:su-2.03# uname -a
:FreeBSD shagrat.moria.org 3.3-STABLE FreeBSD 3.3-STABLE #0: Thu Oct 21

    Try greping for 'bind', not 'named'.  And it would have to be a fresh
    install rather then an upgrade.  There is also a newly added 'bind'
group.

    3.x also has the ability to sandbox comsat and ntalk and, in fact, this
    is the default now for these programs.  We can't do the same for bind
    because certain aspects of the program (such as rebinding for dynamic
    interface changes) fail to operate properly in a sandboxed environment.





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?004d01bf2dad$55b6d1e0$0101a8c0>