Date:      Fri, 2 Feb 2001 11:57:37 -0500 (EST)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        Will Andrews <will@physics.purdue.edu>
Cc:        Kris Kennaway <kris@obsecurity.org>, freebsd-bugs@FreeBSD.ORG
Subject:   Re: misc/24784: Why isn't bind always running as -u bind -g bind
Message-ID:  <Pine.NEB.3.96L.1010202115636.30423A-100000@fledge.watson.org>
In-Reply-To: <20010202074210.R479@puck.firepipe.net>

On Fri, 2 Feb 2001, Will Andrews wrote:

> On Fri, Feb 02, 2001 at 02:50:03AM -0800, Kris Kennaway wrote:
> >  Running it like this won't work for every system since named can't
> >  rebind to interfaces which change address or which are added after the
> >  program is started. However, it's something we're considering doing.
> 
> If it is done, it's probably good to keep the changes limited to
> 5.0-CURRENT; 4.x is too far along for a change like this.
> 
> But to actually speak in favor of the idea: it doesn't break default
> behavior other than the rebinding issue, and the average admin who
> enables BIND usually understands what kind of permissions BIND needs for
> what sort of things, and can recognize what limitations -ubind -gbind
> puts on the daemon.

It does change the behavior of ndc restart: you have to keep passing the
same -u/-g behavior into ndc each time you start or restart the daemon.
We should talk to the BIND people and find out if it's possible to move
that configuration information into named.conf.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services



