Date: Wed, 31 Jan 2001 15:25:20 -0800 (PST)
From: David Wolfskill <dhw@whistle.com>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <200101312325.f0VNPKS00324@pau-amma.whistle.com>
In-Reply-To: <20010131151531.I26076@fw.wintelcom.net>
>Date: Wed, 31 Jan 2001 15:15:31 -0800
>From: Alfred Perlstein <bright@wintelcom.net>
>> Quite a few people have been using the sandbox options in the
>> last year without any ill effects (I was the original author of
>> the feature). The only issue is that you cannot HUP named (it will
>> not be able to rebind its sockets), you can only restart it, and
>> you have to supply the proper options to ndc when restarting it
>> (-u bind -g bind). I usually restart it anyway (I don't trust the
>> named HUP code).
>> I think we can easily make it the default.
>If it breaks HUP, then not really. :)
janus# ps -axwwl|grep named
53 21965 1 0 2 0 2352 1176 select Is ?? 0:09.82 /usr/sbin/named -u bind -g bind
0 25313 289 2 -6 0 944 472 piperd S+ p0 0:00.01 grep named
janus# ndc reload
Reload initiated.
janus# uname -a
FreeBSD janus.catwhisker.org 3.2-RELEASE FreeBSD 3.2-RELEASE #0: Wed Jan 24 07:08:56 PST 2001 root@bunrab.catwhisker.org:/usr/src/sys/compile/JANUS i386
janus#
(Note that uid "53" is that of "bind", not "root".)
Meanwhile, in /var/log/messages:
Jan 31 15:19:52 janus named[21965]: reloading nameserver
Jan 31 15:19:52 janus named[21965]: Ready to answer queries.
The other thing I did:
janus# ls -ld /var/run
drwxrwxrwt 2 root wheel 512 Jan 31 15:19 /var/run
janus# !!/named*
ls -ld /var/run/named*
-rw-r--r-- 1 bind bind 6 Jan 31 15:19 /var/run/named.pid
janus#
(The machine does not have "general logins" at all.)
>I'm not sure how bind handles restarts, but even if it exec(2)s over
>itself it can track the fd open for its socket and shouldn't have to
>rebind it.
Seems to work for me.
Note I'm not trying to use the chroot() environment, nor a jail; just a
little sandbox. (Oh, yeah: I set up /var/named as the directory for
BIND to play with, because I have / & /usr mounted read-only.)
Cheers,
david
--
David Wolfskill dhw@whistle.com UNIX System Administrator
Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823
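The message shows three things an administrator checks by hand after enabling the `-u bind -g bind` sandbox: the uid named runs as, the flags on its command line, and the owner of the pid file it writes into the sticky `/var/run`. The script below, an added example that is not part of the original thread or of BIND itself, turns those three checks into functions. Its input is constructed from the `ps` and `ls` lines quoted in the message (with a header row added) so it runs offline; the function names and the assumption that COMMAND is field 13 of `ps -axwwl` output, as in the layout shown, are the example's own.

```sh
#!/bin/sh
# Added example, not from the original thread: audit the named sandbox
# described in the message. Checks that named runs under the expected
# non-root uid, that its command line carries -u/-g, and that the pid
# file in the sticky /var/run is owned by that user.
# All input below is constructed from the lines quoted in the message so
# the script runs offline; on a live host feed it the output of
# `ps -axwwl` and `ls -ld /var/run/named*` instead.

SAMPLE_PS='  UID   PID  PPID CPU PRI NI  VSZ  RSS WCHAN  STAT TT     TIME COMMAND
   53 21965     1   0   2  0 2352 1176 select Is   ??  0:09.82 /usr/sbin/named -u bind -g bind
    0 25313   289   2  -6  0  944  472 piperd S+   p0  0:00.01 grep named'

SAMPLE_LS='-rw-r--r-- 1 bind bind 6 Jan 31 15:19 /var/run/named.pid'

# named_line PS_TEXT: print the ps line(s) whose COMMAND column (field 13
# in the -axwwl layout assumed here) is a named binary; "grep named" is
# excluded because its command column is "grep".
named_line() {
    printf '%s\n' "$1" | awk '$13 ~ /(^|\/)named$/'
}

# named_uid PS_TEXT: print the numeric uid named runs as (empty if absent).
named_uid() {
    named_line "$1" | awk '{ print $1 }'
}

# named_runs_as PS_TEXT UID: succeed only if named is running and under UID.
named_runs_as() {
    uid=$(named_uid "$1")
    [ -n "$uid" ] && [ "$uid" = "$2" ]
}

# named_has_sandbox_flags PS_TEXT USER GROUP: succeed if the command line
# carries "-u USER" and "-g GROUP", the options that must be given again
# when the daemon is restarted rather than reloaded.
named_has_sandbox_flags() {
    line=" $(named_line "$1") "
    case "$line" in *" -u $2 "*) ;; *) return 1 ;; esac
    case "$line" in *" -g $3 "*) ;; *) return 1 ;; esac
    return 0
}

# pidfile_owned_by LS_LINE USER: succeed if the owner column of an
# `ls -l` line equals USER. /var/run is world-writable with the sticky
# bit, so the pid file should belong to the daemon user, not root.
pidfile_owned_by() {
    owner=$(printf '%s\n' "$1" | awk '{ print $3 }')
    [ "$owner" = "$2" ]
}

# audit PS_TEXT LS_LINE UID USER GROUP: run every check, report findings,
# and return non-zero if any check fails.
audit() {
    rc=0
    if named_runs_as "$1" "$3"; then echo "ok: named runs as uid $3"
    else echo "FAIL: named not running as uid $3"; rc=1; fi
    if named_has_sandbox_flags "$1" "$4" "$5"; then echo "ok: -u $4 -g $5 present"
    else echo "FAIL: -u/-g flags missing from command line"; rc=1; fi
    if pidfile_owned_by "$2" "$4"; then echo "ok: pid file owned by $4"
    else echo "FAIL: pid file not owned by $4"; rc=1; fi
    return $rc
}

audit "$SAMPLE_PS" "$SAMPLE_LS" 53 bind bind
```

On the constructed input all three checks pass, matching what the message reports. Swapping the uid column to 0, or the pid file owner to root, makes the corresponding check fail, which is the condition a post-restart check should catch when ndc is invoked without the `-u`/`-g` options.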
