From owner-freebsd-security  Mon Dec 21 07:11:27 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id HAA02945
          for freebsd-security-outgoing; Mon, 21 Dec 1998 07:11:27 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA02831;
          Mon, 21 Dec 1998 07:11:17 -0800 (PST)
          (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218])
	by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id QAA11019;
	Mon, 21 Dec 1998 16:11:12 +0100 (CET)
Received: (from eivind@localhost)
	by bitbox.follo.net (8.8.8/8.8.6) id QAA14736;
	Mon, 21 Dec 1998 16:11:11 +0100 (MET)
Message-ID: <19981221161110.E14124@follo.net>
Date: Mon, 21 Dec 1998 16:11:10 +0100
From: Eivind Eklund <eivind@yes.no>
To: Dag-Erling Smorgrav <des@flood.ping.uio.no>,
        Matt Dillon <dillon@FreeBSD.ORG>
Cc: security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc rc.conf
References: <199812190725.XAA05479@freefall.freebsd.org> <xzp67b5ft9e.fsf@flood.ping.uio.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <xzp67b5ft9e.fsf@flood.ping.uio.no>; from Dag-Erling Smorgrav on Mon, Dec 21, 1998 at 03:45:49PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm moving this to freebsd-security.

On Mon, Dec 21, 1998 at 03:45:49PM +0100, Dag-Erling Smorgrav wrote:
> Matt Dillon <dillon@FreeBSD.ORG> writes:
> If named is run in the sandbox, it will have to be restarted every
> time an interface comes up after being down an hour or more - less if
> you lower interface-interval in /etc/namedb/named.conf, which you
> probably will if you run a caching nameserver on a box that has a
> dynamic IP address (e.g. a dialout gateway). It will also complain
> loudly every time it receives any of SIGHUP, SIGINT, SIGILL, SIGSYS or
> SIGTERM unless you perform the appropriate named.conf magic to move
> the pid and dump files to a directory writeable by bind:bind.
> 
> OBTW, the /etc/named/s/ hack is just that - a hack, and an ugly one at
> that.
> 
> You'll just have to come to terms with the fact that named needs
> privs.

... unless you do a series of small modifications.  It is not as if
rescanning the interfaces is a _large_ task, or one that couldn't be
done by a forked out half of named, decreasing the chance of a problem
spreading.

You'll just have to come to terms with the fact that you are not a
security person. ;-)

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message