Date: Sat, 13 Nov 1999 19:44:38 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: David Gilbert <dgilbert@velocet.ca>
Cc: security@FreeBSD.ORG
Subject: Re: sandboxed bind.
Message-ID: <199911140344.TAA32979@apollo.backplane.com>
References: <bulk.47978.19991113192456@hub.freebsd.org> <14382.11991.536272.989358@trooper.velocet.net>
:I went through the motions to sandbox bind. My only real complaint
:was that named-xfer was dynamically loaded (greatly increasing the
:cruft that had to be in the sandbox).
:
:Is there an easy way to determine exactly what libraries are required
:by an executable, BTW?
:
:Dave.
:
:--
:============================================================================
:|David Gilbert, Velocet Communications. | Two things can only be |
'ldd programname'
Another thing you can do which works quite well is to simply ktrace
named when you start it up:
ktrace -i -t cn named....
Let it run for a while, including allowing it to fork/exec whatever
programs it needs to fork/exec, and then do a 'ktrace -C' to turn off
the ktracing.
You can then do:
kdump -R | less
You can grep through the kdump output too to locate the files that
named opened, including libraries loaded and auxiliary files opened
by clib and other libraries.
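As an added illustration of the two techniques above (ldd for the shared libraries, ktrace/kdump for everything the running process and its children actually open), here is a small POSIX shell script that turns both kinds of output into a single list of files a chroot sandbox would need. It is not part of the original message. The ldd and kdump output it reads is constructed sample text embedded in the script, not captured from a real named; the pids, timestamps and paths in it are illustrative only.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: build the list of files a
# program needs in a chroot from `ldd` output and from `kdump` output of a
# `ktrace -i` session (the -i makes ktrace follow forked children such as
# named-xfer).

# Print the unique paths recorded in NAMI (name lookup) records of kdump
# output read from stdin.  kdump prints one record per line and a NAMI
# record carries the looked-up path in double quotes.
kdump_paths() {
    awk '$0 ~ / NAMI / {
        s = index($0, "\""); e = index(substr($0, s + 1), "\"")
        if (s && e) print substr($0, s + 1, e - 1) }' | sort -u
}

# Print the resolved library paths from `ldd` output read from stdin.
# A resolved line looks like:  libc.so.4 => /usr/lib/libc.so.4 (0x2807b000)
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# Constructed sample of `ldd named` output (not real output).
SAMPLE_LDD='named:
        libc.so.4 => /usr/lib/libc.so.4 (0x2807b000)'

# Constructed sample of `kdump -R` output (not real output).  The second pid
# is a child that execs named-xfer, which ktrace -i traced as well.
SAMPLE_KDUMP=' 12345 named    0.000000 CALL  open(0x8051000,0,0)
 12345 named    0.000010 NAMI  "/etc/namedb/named.conf"
 12345 named    0.000012 RET   open 3
 12345 named    0.000200 NAMI  "/usr/lib/libc.so.4"
 12346 named    0.001000 CALL  execve(0x8052000,0x8052100,0x8052200)
 12346 named    0.001005 NAMI  "/usr/libexec/named-xfer"
 12346 named-xfer 0.001100 NAMI  "/usr/lib/libc.so.4"
 12346 named-xfer 0.001200 NAMI  "/etc/resolv.conf"'

# Merge both sources into one de-duplicated manifest.  In real use you would
# replace the printf lines with `ldd named` and `kdump -R` pipes.
sandbox_manifest() {
    { printf '%s\n' "$SAMPLE_LDD" | ldd_paths
      printf '%s\n' "$SAMPLE_KDUMP" | kdump_paths; } | sort -u
}

sandbox_manifest
```

The manifest from ktrace is only as complete as the run it observed: a code path that never executed (a zone transfer, an error handler that loads a locale) opens nothing, so exercise the daemon before trusting the list.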
I don't use chrooted environments myself... I used to but they're just
too difficult to maintain across updates and other things. It would
be nice if there were something in between -- something that, for example,
disables suid and sgid within a set of processes that works in a manner
similar to a chroot'd environment. Without access to suid/sgid binaries
there is precious little a program run in a user/group sandbox can do
outside the sandbox.
-Matt
Matthew Dillon
<dillon@backplane.com>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199911140344.TAA32979>
