Date: Mon, 26 Jul 1999 01:20:17 -0400 From: "E.L." <lluisma@osi-technologies.com> To: Sue Blake <sue@welearn.com.au> Cc: security@freebsd.org Subject: Re: sandbox?? Message-ID: <379BF011.6A7610B@osi-technologies.com> References: <19990726040233.E7349@welearn.com.au> <19990725214712.F14954@daemon.ninth-circle.org> <19990726065455.N7324@welearn.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
If you want an example, see openbsd 2.5(www.openbsd.org) where the default config for named uses this sandbox concept. EX Sue Blake wrote: > On Sun, Jul 25, 1999 at 09:47:12PM +0200, Jeroen Ruigrok/Asmodai wrote: > > [ Please direct all follow-ups to security@freebsd.org as the topic fits > > that list. Reply-To set ] > > > > * Sue Blake (sue@welearn.com.au) [990725 20:29]: > > > > > > On Mon, Jul 19, 1999 at 07:58:01AM -0400, T. William Wells wrote: > > > > In article <19990719212431.D300@welearn.com.au>, > > > > Sue Blake <sue@welearn.com.au> wrote: > > > > : Could someone tell me what is a sandbox, what does it do, how does it > > > > : work, how do I use it, or where is it documented? > > > > : named(8) and security(8) seem to assume one already knows. > > > > > > > > It's a generic term. It refers to a restricted environment in > > > > which something is to be done. Exactly how a sandbox is > > > > implemented depends on the specific application. > > > > > > If nobody understands how this sandbox thing works, we should change > > > the named.conf that we supply. If somebody does, then they or someone > > > who they teach (me if really necessary) needs to document it so that > > > anyone seriously interested can figure it out on thier own (or at least > > > accept the defaults with confidence), and then change at least the > > > named.conf to point to that info. It sounds like a good idea, worth > > > giving people the resources to use it. > > > > Basically one has to depict a sandbox like a, erhm, sandbox ;) > > > > It's a dug hole with raised low stone walls to keep kindergarten aged kids > > within the sandbox to play with the sand, etc. > > But ironically, in this case (named) we want to keep the FreeBSD "kids" > out of the sandbox until they are sure they know how to implement it :-) > > Either we need documentation (and/or pointers) for the background > theory and a guide to its actual implementation for named in FreeBSD to > encourage people to use it, or we need to disambiguate and discourage > its use in named.conf while providing non-sandbox examples for > secondaries in the new style config file that the "kids" can learn from > without confusion. After some good feedback on sandboxes, it seems that > the latter is the more appropriate, particularly in view of the > concurrent scarcity of documentation for BIND 8. > > Thanks for the security explanation. A lot of people seem to be > interested in this but too afraid to ask :-) There must be a good book > that explains it all. Anyone know? It would almost be worth buying and > studying another book in order to be eligible to ask questions on how > to use the examples provided in the new named.conf :-) Better still, if > it can be condensed into something digestible by newbies I might try > writing a summary introduction with examples, recommending either for > or against its use by learners. > > -- > > Regards, > -*Sue*- > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?379BF011.6A7610B>