From owner-freebsd-security Thu Feb 1 9:15:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 7092337B6A2 for ; Thu, 1 Feb 2001 09:15:25 -0800 (PST)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id SAA31404; Thu, 1 Feb 2001 18:15:17 +0100 (CET) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: FengYue
Cc: Rossen Raykov , freebsd-security@FreeBSD.ORG
Subject: Re: Running named in chroot env
References:
From: Dag-Erling Smorgrav
Date: 01 Feb 2001 18:15:16 +0100
In-Reply-To: FengYue's message of "Thu, 1 Feb 2001 09:02:55 -0800 (PST)"
Message-ID:
Lines: 22
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FengYue writes:
> Actually, all I did was:
>
> named -t /etc/namedb -u bind -g bind named.conf
>
> that seems to work just fine.

Only if your named.conf has 'directory "/";' in the options section, and you don't have any slave zones, and you're not interested in any log messages your name server produces. Come to think of it, the fact that named is now unable to log error messages is probably the reason why you think it works just fine :)

> Just make sure /etc/namedb/s and files
> under it are all owned by bind:bind.

...and for extra paranoia, make sure everything else in /etc/namedb is owned by root:wheel and not writable by anyone - maybe even schg.

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
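The points DES raises (the `directory "/";` option, a bind-owned slave directory, everything else root-owned and unwritable, and named losing its logging inside the chroot) can be turned into a quick audit of the chroot tree. The script below is an added example, not from the thread or from FreeBSD; the syslog socket check assumes the usual practice of running syslogd with `-l CHROOT/dev/log`, which the thread does not mention, and the owner names default to the thread's root and bind.

```sh
#!/bin/sh
# Audit a named chroot root (the directory given to named -t) for the
# problems discussed in the thread. Paths are assumed to contain no whitespace.
# Usage: audit_named_chroot ROOT [ADMIN_OWNER] [BIND_OWNER]
# Prints one line per finding and returns the number of findings (0 = clean).

owner_of() { ls -ld "$1" | awk '{print $3}'; }   # portable across GNU/BSD stat

audit_named_chroot() {
    root=$1; admin=${2:-root}; bind=${3:-bind}; n=0
    # 1. With -t, paths in named.conf are resolved inside the chroot, so the
    #    options section must say directory "/"; anything else breaks lookups.
    if ! grep -Eq '^[[:space:]]*directory[[:space:]]+"/"[[:space:]]*;' "$root/named.conf" 2>/dev/null; then
        echo "no 'directory \"/\";' in $root/named.conf"; n=$((n+1))
    fi
    # 2. Slave zone transfers are written by the bind user: s/ must exist and
    #    be the one place it owns.
    if [ ! -d "$root/s" ]; then
        echo "missing slave directory $root/s"; n=$((n+1))
    elif [ "$(owner_of "$root/s")" != "$bind" ]; then
        echo "$root/s owned by $(owner_of "$root/s"), expected $bind"; n=$((n+1))
    fi
    # 3. Everything outside s/ (the root itself, named.conf, master zone files)
    #    belongs to the admin and is writable by nobody else.
    for f in $(find "$root" -path "$root/s" -prune -o -print); do
        if [ "$(owner_of "$f")" != "$admin" ]; then
            echo "$f owned by $(owner_of "$f"), expected $admin"; n=$((n+1))
        fi
        if find "$f" -prune \( -perm -020 -o -perm -002 \) -print | grep -q .; then
            echo "$f is group/world writable"; n=$((n+1))
        fi
    done
    # 4. Assumed practice (not in the thread): named logs via syslog, so
    #    without a socket at ROOT/dev/log its error messages vanish silently.
    if [ ! -e "$root/dev/log" ]; then
        echo "no syslog socket at $root/dev/log (run syslogd -l $root/dev/log)"; n=$((n+1))
    fi
    return $n
}

# Run against a real tree when invoked with arguments, e.g.
#   sh audit_named_chroot.sh /etc/namedb root bind
if [ $# -gt 0 ]; then audit_named_chroot "$@"; fi
```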