Date: Mon, 7 Jan 2002 19:25:43 +0500 From: "Haikal Saadh" <wyldephyre2@yahoo.com> To: <cjclark@alum.mit.edu>, "'Joe Abley'" <jabley@automagic.org> Cc: <stable@FreeBSD.ORG> Subject: RE: Chrooted bind out of the box Message-ID: <003301c19787$408e47d0$9dc801ca@warhawk> In-Reply-To: <20020106112345.B237@gohan.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Sat, Jan 05, 2002 at 10:26:01PM -0500, Joe Abley wrote: > > On Sat, Jan 05, 2002 at 02:08:46PM -0800, Crist J. Clark wrote: > > > On Sat, Jan 05, 2002 at 11:26:00AM +0500, Haikal Saadh wrote: > > > > Is there a reason why bind is run as root by default and not > > > > bind.bind? And not chrooted? > > > > > > > > If I'm not mistaken almost everyone does this anyway, right? > > > > > > IIRC, the last time it was discussed, it was felt > changing this in > > > the middle of -STABLE would be too disruptive. Many working BIND > > > installations would break when people updated. > > > > Why not create a named_chroot variable in defaults/rc.conf > which is by > > default set to NO, but which sysinstall can override in > /etc/rc.conf > > with a YES for fresh (non-upgrade) installs? > > /etc/defaults/rc.conf are the defaults. Not everyone makes a > new system with sysinstall(8), and having sysinstall(8) put > new and unexpected things in rc.conf is in itself a POLA vilolation. > > I was talking more about running named(8) as bind:bind. > Chrooting has other issues, you need to actually build a > chroot environment somewhere and decide what to put in it, > and you still need to run as bind:bind for chrooting to be > much of a security measure. > > Running named(8) as bind:bind by default is easiest done by > changing the named_bind flags. As I said, changing the > default would break stuff, but if you look at > /etc/defaults/rc.conf in -STABLE, > > named_flags="" # Flags for named > #named_flags="-u bind -g bind" # Flags for named Yup, that how I'm doing, it, and not to mention chown bind.bind everything in /etc/named/ > > So the hint is already there. And if you look at -CURRENT, > > named_flags="-u bind -g bind" # Flags for named > > It already runs that way by default. > > But if you really want to be clever, you should run named(8) > in a jail(8). I'll push that onto my todo stack. _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003301c19787$408e47d0$9dc801ca>