From owner-cvs-all  Wed Dec 16 13:24:22 1998
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id NAA13888
          for cvs-all-outgoing; Wed, 16 Dec 1998 13:24:22 -0800 (PST)
          (envelope-from owner-cvs-all@FreeBSD.ORG)
Received: from gw-nl3.philips.com (gw-nl3.philips.com [192.68.44.35])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA13879
          for <committers@FreeBSD.ORG>; Wed, 16 Dec 1998 13:24:19 -0800 (PST)
          (envelope-from Jos.Backus@nl.origin-it.com)
Received: from smtprelay-nl1.philips.com (localhost.philips.com [127.0.0.1])
          by gw-nl3.philips.com with ESMTP id WAA16760
          for <committers@FreeBSD.ORG>; Wed, 16 Dec 1998 22:24:10 +0100 (MET)
          (envelope-from Jos.Backus@nl.origin-it.com)
Received: from smtprelay-eur1.philips.com(130.139.36.3) by gw-nl3.philips.com via mwrap (4.0a)
	id xma016758; Wed, 16 Dec 98 22:24:11 +0100
Received: from dibbs1.eur.cis.philips.com (dibbs1.eur.cis.philips.com [130.139.33.66]) 
	by smtprelay-nl1.philips.com (8.8.5/8.6.10-1.2.2m-970826) with ESMTP id WAA09636
	for <committers@FreeBSD.ORG>; Wed, 16 Dec 1998 22:24:10 +0100 (MET)
Received: from hal.mpn.cp.philips.com (hal.mpn.cp.philips.com [130.139.64.195])
	by dibbs1.eur.cis.philips.com (8.8.8/8.8.8) with SMTP id WAA20842
	for <committers@FreeBSD.ORG>; Wed, 16 Dec 1998 22:24:10 +0100 (MET)
Received: (qmail 93675 invoked by uid 666); 16 Dec 1998 21:24:30 -0000
Date: Wed, 16 Dec 1998 22:24:30 +0100
From: Jos Backus <Jos.Backus@nl.origin-it.com>
To: committers@FreeBSD.ORG
Subject: Re: Bind sandbox bogosity
Message-ID: <19981216222430.A93098@hal.mpn.cp.philips.com>
Reply-To: Jos Backus <Jos.Backus@nl.origin-it.com>
References: <xzpvhjembb6.fsf@flood.ping.uio.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <xzpvhjembb6.fsf@flood.ping.uio.no>; from Dag-Erling Smorgrav on Tue, Dec 15, 1998 at 02:41:17AM +0100
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

On Tue, Dec 15, 1998 at 02:41:17AM +0100, Dag-Erling Smorgrav wrote:
> Solution 1: don't run named as bind:bind (and consequently back out
>   revision 1.64 of src/etc/rc.conf and revisions 1.33 and 1.32 of
>   src/etc/mtree/BSD.root.dist)
> 
> Solution 2: hack bind to temporarily regain privs when HUPed.

Solution 3: hack update_pid_file()/write_open() in ns_config.c to use
            ftruncate() instead of unlink() and subsequently
	    chown bind:bind /var/run/named.pid.

-- 
Jos Backus                          _/  _/_/_/    "Reliability means never
                                   _/  _/   _/     having to say you're sorry."
                                  _/  _/_/_/               -- D. J. Bernstein
                             _/  _/  _/    _/
Jos.Backus@nl.origin-it.com  _/_/   _/_/_/        use Std::Disclaimer;

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message