From: Guido van Rooij
Date: Fri, 2 Feb 2001 13:25:04 +0100
To: Matt Dillon
Cc: Alfred Perlstein, Brian Behlendorf, Roman Shterenzon, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <20010202132503.A2065@eniac.mpn.cp.philips.com>

On Wed, Jan 31, 2001 at 03:05:57PM -0800, Matt Dillon wrote:
>     Quite a few people have been using the sandbox options in the
>     last year without any ill effects (I was the original author of
>     the feature). The only issue is that you cannot HUP named (it will
>     not be able to rebind its sockets), you can only restart it, and
>     you have to supply the proper options to ndc when restarting it
>     (-u bind -g bind). I usually restart it anyway (I don't trust the
>     named HUP code).
>

IIRC you also should run syslogd such that named can log in the sandbox,
e.g. with syslogd -l /sandbox/var/run/log

-Guido
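
An added example, not part of the original messages or of FreeBSD: a POSIX shell check that reads a process listing and reports whether named runs with -u bind -g bind and whether syslogd opens a log socket inside the sandbox. It assumes named is chrooted with -t /sandbox, which the thread implies but does not show; the function names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads command lines on stdin
# (e.g. `ps -axww -o command`) and checks the sandbox setup discussed above.
# Assumption: named is chrooted with -t <dir>; the thread only implies this.

# opt_value FLAG WORDS...: print the word that follows FLAG, else return 1.
opt_value() {
    flag=$1; shift
    while [ $# -gt 0 ]; do
        if [ "$1" = "$flag" ] && [ $# -ge 2 ]; then printf '%s\n' "$2"; return 0; fi
        shift
    done
    return 1
}

audit_named_sandbox() {
    named_line=; log_sockets=; ok=1
    while IFS= read -r line; do
        set -f; set -- $line; set +f      # split into words without globbing
        case ${1##*/} in
            named) named_line=$line ;;
            syslogd)                       # collect every -l socket path
                while [ $# -gt 0 ]; do
                    if [ "$1" = "-l" ] && [ $# -ge 2 ]; then log_sockets="$log_sockets $2"; fi
                    shift
                done ;;
        esac
    done
    if [ -z "$named_line" ]; then echo "named: not running"; return 0; fi
    set -f; set -- $named_line; set +f
    user=$(opt_value -u "$@") || user=
    group=$(opt_value -g "$@") || group=
    root=$(opt_value -t "$@") || root=
    if [ "$user" != bind ]; then echo "named: not running as user bind (-u bind)"; ok=0; fi
    if [ "$group" != bind ]; then echo "named: not running as group bind (-g bind)"; ok=0; fi
    if [ -n "$root" ]; then
        want="${root%/}/var/run/log"      # socket path as seen from outside the chroot
        case " $log_sockets " in
            *" $want "*) ;;
            *) echo "syslogd: no -l $want, named cannot log from inside $root"; ok=0 ;;
        esac
    fi
    if [ "$ok" -eq 1 ]; then echo "OK"; fi
    return 0
}

# Constructed sample listing: syslogd lacks the extra log socket.
printf '%s\n' '/usr/sbin/syslogd -s' \
    '/usr/sbin/named -u bind -g bind -t /sandbox' | audit_named_sandbox
```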