Date:      Wed, 31 Jan 2001 15:25:20 -0800 (PST)
From:      David Wolfskill <dhw@whistle.com>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID:  <200101312325.f0VNPKS00324@pau-amma.whistle.com>
In-Reply-To: <20010131151531.I26076@fw.wintelcom.net>

>Date: Wed, 31 Jan 2001 15:15:31 -0800
>From: Alfred Perlstein <bright@wintelcom.net>

>>     Quite a few people have been using the sandbox options in the
>>     last year without any ill effects (I was the original author of
>>     the feature).  The only issue is that you cannot HUP named (it will
>>     not be able to rebind its sockets), you can only restart it, and
>>     you have to supply the proper options to ndc when restarting it
>>     (-u bind -g bind).  I usually restart it anyway (I don't trust the
>>     named HUP code).

>>     I think we can easily make it the default.

>If it breaks HUP, then not really. :)

janus# ps -axwwl|grep named
   53 21965     1   0   2  0  2352 1176 select Is    ??    0:09.82 /usr/sbin/named -u bind -g bind
    0 25313   289   2  -6  0   944  472 piperd S+    p0    0:00.01 grep named
janus# ndc reload
Reload initiated.
janus# uname -a
FreeBSD janus.catwhisker.org 3.2-RELEASE FreeBSD 3.2-RELEASE #0: Wed Jan 24 07:08:56 PST 2001     root@bunrab.catwhisker.org:/usr/src/sys/compile/JANUS  i386
janus# 

(Note that uid "53" is that of "bind", not "root".)

Meanwhile, in /var/log/messages:

Jan 31 15:19:52 janus named[21965]: reloading nameserver
Jan 31 15:19:52 janus named[21965]: Ready to answer queries.

The other thing I did:

janus# ls -ld /var/run
drwxrwxrwt  2 root  wheel  512 Jan 31 15:19 /var/run
janus# !!/named*
ls -ld /var/run/named*
-rw-r--r--  1 bind  bind  6 Jan 31 15:19 /var/run/named.pid
janus# 

(The machine does not have "general logins" at all.)


>I'm not sure how bind handles restarts, but even if it exec(2)s over
>itself it can track the fd open for its socket and shouldn't have to
>rebind it.

Seems to work for me.

Note I'm not trying to use the chroot() environment, nor a jail; just a
little sandbox.  (Oh, yeah:  I set up /var/named as the directory for
BIND to play with, because I have / & /usr mounted read-only.)

Cheers,
david
-- 
David Wolfskill      dhw@whistle.com   UNIX System Administrator
Desk: 650/577-7158   TIE: 8/499-7158   Cell: 650/759-0823
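
The point quoted above, that a daemon which exec(2)s over itself can keep the descriptor for its already-bound socket and need not rebind, shown as an added example (not part of the original message and not BIND's code). It assumes Python 3.7+, uses an ephemeral loopback UDP port in place of port 53, and leaves out the switch to the bind uid so it runs without root; the function name and payload are constructed for illustration.

```python
import socket
import subprocess
import sys

# Constructed stand-in for the re-exec'd daemon: it adopts the descriptor
# number given in argv and never calls bind().
CHILD = r"""
import socket, sys
sock = socket.socket(fileno=int(sys.argv[1]))
data, _ = sock.recvfrom(512)
print(sock.getsockname()[1], data.decode())
"""


def reexec_with_inherited_socket(payload="constructed-query"):
    """Bind once, exec a new program image, and serve on the same fd."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port stands in for 53
    port = listener.getsockname()[1]

    # Queue a datagram before the exec; it waits in the socket buffer.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.sendto(payload.encode(), ("127.0.0.1", port))

    # pass_fds keeps only this descriptor open across fork+exec, with the
    # same fd number in the new program image.
    result = subprocess.run(
        [sys.executable, "-c", CHILD, str(listener.fileno())],
        pass_fds=[listener.fileno()],
        capture_output=True, text=True, check=True, timeout=10,
    )
    listener.close()
    child_port, child_payload = result.stdout.split()
    return port, int(child_port), child_payload


if __name__ == "__main__":
    # Both port numbers match, and the child reads the queued datagram.
    print(reexec_with_inherited_socket())
```

The bind happens once, before the exec, so in a real daemon it is the only step that needs root for a port below 1024; the new image only needs the descriptor number.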

