From owner-freebsd-stable  Thu Feb  1  9:36:26 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id CC2D737B65D
	for <stable@FreeBSD.ORG>; Thu,  1 Feb 2001 09:36:04 -0800 (PST)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id SAA31558;
	Thu, 1 Feb 2001 18:35:51 +0100 (CET)
	(envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: Gordon Tetlow <gordont@bluemtn.net>
Cc: Vivek Khera <khera@kciLink.com>, <stable@FreeBSD.ORG>
Subject: Re: chrooting bind
References: <Pine.BSF.4.31.0102010924030.17707-100000@sdmail0.sd.bmarts.com>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 01 Feb 2001 18:35:51 +0100
In-Reply-To: Gordon Tetlow's message of "Thu, 1 Feb 2001 09:25:47 -0800 (PST)"
Message-ID: <xzpae86wbk8.fsf@flood.ping.uio.no>
Lines: 15
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Gordon Tetlow <gordont@bluemtn.net> writes:
> Correct me if I'm wrong, but this is only a sandbox (run as a different
> user) while this person wants to set up a true chroot environment.
> Personally, I think that the former is adequete as nothing else on the box
> is owned by the bind user.

Are you absolutely certain your box doesn't have a local root
vulnerability? For instance, are you running a recent -STABLE (which
is believed to be secure), or are you running e.g. 4.1.1-RELEASE
(which has an exploitable buffer overflow in the procfs code)? Run
BIND in a jail, or a chroot if you can't set up a jail.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message