From owner-freebsd-stable Thu Feb 1 10:38:37 2001 Delivered-To: freebsd-stable@freebsd.org Received: from digital.csudsu.com (digital.csudsu.com [209.249.57.102]) by hub.freebsd.org (Postfix) with ESMTP id 3E28B37B4EC for ; Thu, 1 Feb 2001 10:38:20 -0800 (PST) Received: by digital.csudsu.com (Postfix, from userid 1000) id 648E922E01; Thu, 1 Feb 2001 10:40:12 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by digital.csudsu.com (Postfix) with ESMTP id 552141F001; Thu, 1 Feb 2001 10:40:12 -0800 (PST) Date: Thu, 1 Feb 2001 10:40:12 -0800 (PST) From: Stefan Molnar To: Dag-Erling Smorgrav Cc: Gordon Tetlow , Vivek Khera , Subject: Re: chrooting bind In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG I am not putting the entire kitchen sink in there. On 1 Feb 2001, Dag-Erling Smorgrav wrote: > Stefan Molnar writes: > > I see where you are coming from now. On this system I attempted > > to be more complete, basicly give it everything > > That totally defeats the point of running in a sandbox. > > > and attempt to > > depend on nothing outside the sandbox. > > The point is to have as little as possible inside the sandbox. You > need named-xfer if you have slave zones, but you do not need any other > binaries, you do not need any libraries (link named-xfer statically!) > and you certainly don't need any device nodes. > > ANYTHING YOU PUT IN THE SANDBOX WILL BE AVAILABLE TO INTRUDERS WHEN > THEY BREAK INTO YOUR SYSTEM. > > DES > -- > Dag-Erling Smorgrav - des@ofug.org > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-stable" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message