Date: Wed, 31 Jan 2001 15:25:20 -0800 (PST)
From: David Wolfskill <dhw@whistle.com>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <200101312325.f0VNPKS00324@pau-amma.whistle.com>
In-Reply-To: <20010131151531.I26076@fw.wintelcom.net>

>Date: Wed, 31 Jan 2001 15:15:31 -0800
>From: Alfred Perlstein <bright@wintelcom.net>

>> Quite a few people have been using the sandbox options in the
>> last year without any ill effects (I was the original author of
>> the feature). The only issue is that you cannot HUP named (it will
>> not be able to rebind its sockets), you can only restart it, and
>> you have to supply the proper options to ndc when restarting it
>> (-u bind -g bind). I usually restart it anyway (I don't trust the
>> named HUP code).

>> I think we can easily make it the default.

>If it breaks HUP, then not really. :)

janus# ps -axwwl|grep named
53 21965 1 0 2 0 2352 1176 select Is ?? 0:09.82 /usr/sbin/named -u bind -g bind
0 25313 289 2 -6 0 944 472 piperd S+ p0 0:00.01 grep named
janus# ndc reload
Reload initiated.
janus# uname -a
FreeBSD janus.catwhisker.org 3.2-RELEASE FreeBSD 3.2-RELEASE #0: Wed Jan 24 07:08:56 PST 2001 root@bunrab.catwhisker.org:/usr/src/sys/compile/JANUS i386
janus#

(Note that uid "53" is that of "bind", not "root".)

Meanwhile, in /var/log/messages:

Jan 31 15:19:52 janus named[21965]: reloading nameserver
Jan 31 15:19:52 janus named[21965]: Ready to answer queries.

The other thing I did:

janus# ls -ld /var/run
drwxrwxrwt 2 root wheel 512 Jan 31 15:19 /var/run
janus# !!/named*
ls -ld /var/run/named*
-rw-r--r-- 1 bind bind 6 Jan 31 15:19 /var/run/named.pid
janus#

(The machine does not have "general logins" at all.)

>I'm not sure how bind handles restarts, but even if it exec(2)s over
>itself it can track the fd open for its socket and shouldn't have to
>rebind it.

Seems to work for me. Note I'm not trying to use the chroot()
environment, nor a jail; just a little sandbox.

(Oh, yeah: I set up /var/named as the directory for BIND to play with,
because I have / & /usr mounted read-only.)

Cheers,
david
--
David Wolfskill dhw@whistle.com UNIX System Administrator
Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823
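
Added example, not part of the original message: a shell audit that applies the check done by eye above (named's UID column is non-zero and the command line carries -u and -g) to `ps -axwwl` output. The function name and the 13-column FreeBSD long-format layout are assumptions; the first two sample lines are the ps output from the message and the third is constructed.

```shell
#!/bin/sh
# Assumed `ps -axwwl` columns:
#   UID PID PPID CPU PRI NI VSZ RSS WCHAN STAT TT TIME COMMAND...
# Reads ps output on stdin. Exit status: 0 = every named process is
# sandboxed, 1 = at least one is not, 2 = no named process seen.
check_named_sandbox() {
    awk '
    {
        n = split($13, path, "/")
        if (path[n] != "named") next        # skips "grep named" and headers
        found = 1
        user = ""; group = ""
        for (i = 14; i < NF; i++) {         # look for "-u X" and "-g Y"
            if ($i == "-u") user = $(i + 1)
            if ($i == "-g") group = $(i + 1)
        }
        # Unsandboxed: running as uid 0, or started without both flags.
        if ($1 + 0 == 0 || user == "" || group == "") {
            verdict = "FAIL"; bad = 1
        } else {
            verdict = "OK"
        }
        printf "%s pid=%s uid=%s user=%s group=%s\n", verdict, $2, $1, \
            (user == "" ? "-" : user), (group == "" ? "-" : group)
    }
    END {
        if (!found) { print "NONE no named process found"; exit 2 }
        exit bad + 0
    }'
}

# Sample input: lines 1-2 are from the message; line 3 is constructed
# to show a named started as root with no -u/-g options.
SAMPLE_PS='53 21965 1 0 2 0 2352 1176 select Is ?? 0:09.82 /usr/sbin/named -u bind -g bind
0 25313 289 2 -6 0 944 472 piperd S+ p0 0:00.01 grep named
0 312 1 0 2 0 2352 1176 select Is ?? 0:01.00 /usr/sbin/named'

printf '%s\n' "$SAMPLE_PS" | check_named_sandbox || echo "audit: unsandboxed named present"
```

On a live host the same function can be fed directly: `ps -axwwl | check_named_sandbox`.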