From owner-freebsd-questions Sun Sep 5 21:28:45 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from nhj.nlc.net.au (nhj.nlc.net.au [203.24.133.1]) by hub.freebsd.org (Postfix) with SMTP id 88C7814F6F for ; Sun, 5 Sep 1999 21:28:40 -0700 (PDT) (envelope-from john.saunders@nlc.net.au)
Received: (qmail 24880 invoked by uid 1000); 6 Sep 1999 14:27:48 +1000
Date: 6 Sep 1999 14:27:48 +1000
Message-ID: <19990906042748.24879.qmail@nhj.nlc.net.au>
From: "John Saunders"
To: freebsd-questions@FreeBSD.org
Subject: Re: bind sandboxes?
X-Newsgroups: nlc.lists.freebsd-questions
In-Reply-To:
User-Agent: tin/pre-1.4-980818 ("Laura") (UNIX) (Linux/2.0.37 (i686))
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

The provided information doesn't go into enough detail so you will probably
need to research the book to make things work right. At the moment an
"ndc reload" isn't able to properly create the named.pid file. Last time I
tried this there was some problem with an ioctl() to list the interfaces,
but this doesn't seem to happen anymore. But basically look at
/etc/defaults/rc.conf for the named_flags that specify the -u and -g
options. And look at /etc/namedb/named.conf for how to create the "s"
directory and give it the correct permissions.

In freebsd-questions you wrote:
> Additionally you'll want to set up your named.conf to point to a directory
> owned by user bind for logging, pid & configs... See O'Reilly & Assoc DNS &
> bind for a great explanation.
> On Fri, 3 Sep 1999, Anand Buddhdev wrote:
>> On Fri, Sep 03, 1999 at 10:38:43AM +0200, Dan Larsson wrote:
>>
>> A sandbox is a concept. A program running in a sandbox is running with
>> less privileges, instead of running as root. This aids in enhancing
>> security, because a compromise in that program does not leave the
>> machine vulnerable to root break-in. In your case, you'd be running bind
>> as user bind, instead of as root. You have to change the flags in
>> /etc/rc.conf to make named run with the -u and -g options. See the man
>> page for named for more info.
>>
>> > Does FreeBSD insinuate that I need a bucket and shovel with serious
>> > time spent in a sandbox before I configure bind? I'd like to have the sandbox
>> > theory regarding bind explained, please.
>> >
>> > Regards
>> > ----
>> > Dan Larsson ( mailto:dan@junglenote.com )

-- 
+------------------------------------------------------------+     .
| John Saunders - mailto:john@nlc.net.au (EMail)             | ,--_|\
|               - http://www.nlc.net.au/ (WWW)               |/  Oz  \
|               - 02-9489-4932 or 04-1822-3814 (Phone)       |\_,--\_/
| NORTHLINK COMMUNICATIONS P/L - Supplying a professional,   |      v
| and above all friendly, internet connection service.       |
+------------------------------------------------------------+
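As an added example (not part of this thread, and not FreeBSD's own rc scripts), here is a small POSIX shell script that checks the two things the thread describes for a bind "sandbox": that the named_flags line in an rc.conf-style file starts named with a non-root -u user and a -g group, and that the working directory is owned by the unprivileged user and is not world-writable. The rc.conf sample is constructed inline; the path /etc/namedb/s for the "s" directory is an assumption, as is the double-quoted named_flags syntax.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the bind "sandbox"
# setup the thread describes (named started with -u/-g via named_flags in
# rc.conf, and a working directory owned by the unprivileged bind user).

# Constructed sample of the rc.conf lines the thread refers to.
SAMPLE_RC_CONF='named_enable="YES"
named_flags="-u bind -g bind"'

# Print the value of named_flags from rc.conf-style text on stdin
# (without the surrounding double quotes); prints nothing if absent.
named_flags_from() {
    sed -n 's/^named_flags="\(.*\)"$/\1/p'
}

# Succeed (exit 0) only if the flags give named a non-root -u user and
# a -g group, as the thread says to set.
flags_are_sandboxed() {
    flags="$1"
    user=$(printf '%s\n' "$flags" | sed -n 's/.*-u[ ]*\([^ ]*\).*/\1/p')
    group=$(printf '%s\n' "$flags" | sed -n 's/.*-g[ ]*\([^ ]*\).*/\1/p')
    [ -n "$user" ] && [ "$user" != root ] && [ -n "$group" ]
}

# Succeed only if the directory exists, is owned by the expected user and
# is not writable by others (uses ls -ld so it works on BSD and GNU alike;
# character 9 of the mode string is the "other write" bit).
dir_is_owned_by() {
    dir="$1"
    expected="$2"
    [ -d "$dir" ] || return 1
    listing=$(ls -ld "$dir")
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    other_w=$(printf '%s\n' "$listing" | cut -c9)
    [ "$owner" = "$expected" ] && [ "$other_w" = "-" ]
}

# Run the checks against the constructed sample and an assumed location
# for the "s" directory (/etc/namedb/s is an assumption; adjust to your
# own layout).
flags=$(printf '%s\n' "$SAMPLE_RC_CONF" | named_flags_from)
if flags_are_sandboxed "$flags"; then
    echo "named_flags OK: $flags"
else
    echo "WARNING: named_flags ($flags) would leave named running as root"
fi
if dir_is_owned_by /etc/namedb/s bind; then
    echo "sandbox directory owned by bind and not world-writable"
else
    echo "sandbox directory missing, not owned by bind, or world-writable"
fi
```

Feed the script your real rc.conf instead of the sample (for example `named_flags_from < /etc/rc.conf`) to check a live system; a missing or root -u value is the case the thread warns about, since named would then keep running as root.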