From owner-freebsd-security Sat Nov 13 0: 0: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from slipstreams.net (slipstreams.net [208.45.226.107]) by hub.freebsd.org (Postfix) with ESMTP id 1741914E29 for ; Sat, 13 Nov 1999 00:00:06 -0800 (PST) (envelope-from kupek@slipstreams.net)
Received: from PIII (arcane.slipstreams.net [192.168.1.1]) by slipstreams.net (8.9.3/8.9.3) with SMTP id XAA25185; Fri, 12 Nov 1999 23:54:32 -0800 (PST) (envelope-from kupek@slipstreams.net)
Message-ID: <004d01bf2dad$55b6d1e0$0101a8c0@slipstreams.net>
From: "kupek"
To: "Matthew Dillon"
Cc:
References: <4.2.0.58.19991111220759.044f46d0@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com>
Subject: Re: Why not sandbox BIND?
Date: Sat, 13 Nov 1999 00:01:36 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

True, BIND can't be sandboxed by default. But as someone said earlier, it should be pretty simple to add an option for rc.conf that will let people sandbox bind, and a warning that they shouldn't do it with a dynamic IP. True, it's not necessary, but it would probably be helpful to at least a few people.

----- Original Message -----
From: Matthew Dillon
To: Barry Irwin
Subject: Re: Why not sandbox BIND?

:> > --Brett
:>
:> You are _quite_ a way behind. I believe that almost all of the 3.X releases
:> have had this ability. (If you're running later mergemaster is your friend ;)
:
:3.2 System CVSup'd doesn't have it by default
:su-2.03# cat /etc/passwd | grep named
:su-2.03# uname -a
:FreeBSD shagrat.moria.org 3.3-STABLE FreeBSD 3.3-STABLE #0: Thu Oct 21

Try grepping for 'bind', not 'named'.

And it would have to be a fresh install rather than an upgrade. There is also a newly added 'bind' group.

3.x also has the ability to sandbox comsat and ntalk and, in fact, this is the default now for these programs. We can't do the same for bind because certain aspects of the program (such as rebinding for dynamic interface changes) fail to operate properly in a sandboxed environment.
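As an added example (not part of the thread), a small sh check for the point raised above: whether the unprivileged 'bind' user and group that a fresh 3.x install creates for running named actually exist on a given system, which an upgraded box may lack. The file paths and the sample passwd/group contents below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the 'bind' user and
# group exist before trying to run named under them.

# True if the passwd-format file "$1" has an account whose login field
# is exactly "$2" (default: bind). Matching the whole field avoids
# false hits such as "bindery" that a plain grep would accept.
has_account() {
    awk -F: -v u="${2:-bind}" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Same check for a group-format file.
has_group() {
    awk -F: -v g="${2:-bind}" '$1 == g { found = 1 } END { exit !found }' "$1"
}

# Report whether a passwd/group pair is ready for a sandboxed named.
# Prints one of: ready, missing-user, missing-group. Returns 0 only when ready.
bind_sandbox_ready() {
    pw="$1"; gr="$2"
    if ! has_account "$pw" bind; then echo missing-user; return 1; fi
    if ! has_group "$gr" bind; then echo missing-group; return 1; fi
    echo ready
}

# Constructed sample files: a fresh install that has the bind account and
# group, and an upgraded system whose passwd/group were never regenerated.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
printf 'root:*:0:0:Charlie &:/root:/bin/csh\nbind:*:53:53:Bind Sandbox:/:/sbin/nologin\n' > "$TMPD/passwd.fresh"
printf 'wheel:*:0:root\nbind:*:53:\n' > "$TMPD/group.fresh"
printf 'root:*:0:0:Charlie &:/root:/bin/csh\n' > "$TMPD/passwd.upgraded"
printf 'wheel:*:0:root\n' > "$TMPD/group.upgraded"

# Usage: grepping for 'named' on the fresh system finds nothing, as in the
# thread, while the bind account is present.
bind_sandbox_ready "$TMPD/passwd.fresh" "$TMPD/group.fresh"
bind_sandbox_ready "$TMPD/passwd.upgraded" "$TMPD/group.upgraded" || true
```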