From owner-freebsd-current Wed Dec 16 01:38:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA15940 for freebsd-current-outgoing; Wed, 16 Dec 1998 01:38:58 -0800 (PST) (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from uni-sb.de (uni-sb.de [134.96.252.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA15924; Wed, 16 Dec 1998 01:38:50 -0800 (PST) (envelope-from rock@cs.uni-sb.de)
Received: from cs.uni-sb.de (cs.uni-sb.de [134.96.252.31]) by uni-sb.de (8.9.1a/1998121400) with ESMTP id KAA12018; Wed, 16 Dec 1998 10:38:21 +0100 (CET)
Received: from cs.uni-sb.de (acc1-220.telip.uni-sb.de [134.96.113.220]) by cs.uni-sb.de (8.9.1a/1998121400) with ESMTP id KAA27414; Wed, 16 Dec 1998 10:38:21 +0100 (CET)
Message-ID: <36778044.A8FDC865@cs.uni-sb.de>
Date: Wed, 16 Dec 1998 10:41:24 +0100
From: "D. Rock"
X-Mailer: Mozilla 4.5 [de] (Win98; U)
X-Accept-Language: de
MIME-Version: 1.0
To: Matthew Dillon
CC: freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: kmem, tty, bind security enhancements commit.
References: <199812010551.VAA02953@apollo.backplane.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Matthew Dillon wrote:
>
> (2)
>
> Add a 'bind' user and a 'bind' group to master.passwd
>
> Use bind-8's -u and -g features to run named as bind:bind
> in the default rc.conf:
>
> named_flags="-u bind -g bind"
>
> (Or find a way to figure out whether this uid/gid exists
> and use the options or not use the options based on that,
> which is more compatible with prior installations but adds
> complexity that will quickly become stale. I suggest simply
> making it the default in the CVS tree).
>
> Caveat: in a multi-interface situation, with an interface
> that is brought up later, and so forth, named will not
> be able to automatically rebind and must be restarted.
>
> (Also ensure that named.conf is either group-bind-readable or
> world readable).

Only a small glitch:

% ndc reload

now gives you every time a

named[24812]: couldn't create pid file '/var/run/named.pid'

error message to syslog. It isn't a big deal, because on reload the pid doesn't change. But it's still annoying.

Daniel
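The two file-permission conditions discussed in this thread (named.conf readable by group bind, and the pid file location writable by the user named drops to, which is what the "couldn't create pid file" message on reload points at) can be audited with a small script. The following is an added example, not code from the thread or from FreeBSD. It assumes the user and group are both called bind and that the real paths are /etc/namedb/named.conf and /var/run; the fixture in main() is constructed under a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: audit the two
# permission conditions that matter once named runs as bind:bind with
# named_flags="-u bind -g bind".
#   1. named.conf must be readable by group bind, or by everyone.
#   2. The directory holding named.pid must be writable by user bind,
#      otherwise a reload logs "couldn't create pid file".
# Everything is derived from `ls -ld`, which has the same field layout on
# BSD and GNU userlands (paths must not contain whitespace).

# Print "<mode> <owner> <group>" for a path, e.g. "-rw-r----- root bind".
stat_fields() {
    set -- $(ls -ld "$1")
    printf '%s %s %s\n' "$1" "$3" "$4"
}

# Exit 0 if FILE can be read by members of GROUP: either the file belongs
# to GROUP and carries the group read bit, or it is world-readable.
readable_by_group() {
    file=$1; want_group=$2
    set -- $(stat_fields "$file")
    mode=$1; grp=$3
    case "$mode" in
        ???????r*) return 0 ;;                               # world read bit
        ????r*)    [ "$grp" = "$want_group" ] && return 0 ;; # group read bit
    esac
    return 1
}

# Exit 0 if DIR can be written by USER: either USER owns it and has the
# owner write bit, or the directory is world-writable.
writable_by_user() {
    dir=$1; want_user=$2
    set -- $(stat_fields "$dir")
    mode=$1; owner=$2
    case "$mode" in
        ????????w*) return 0 ;;                                # world write bit
        ??w*)       [ "$owner" = "$want_user" ] && return 0 ;; # owner write bit
    esac
    return 1
}

# Run both checks, print a line per check, return the number of failures.
audit_named_paths() {
    conf=$1; piddir=$2; user=$3; group=$4; failed=0
    if readable_by_group "$conf" "$group"; then
        echo "ok:   $conf readable by group $group"
    else
        echo "FAIL: $conf not readable by group $group (named cannot load it)"
        failed=$((failed + 1))
    fi
    if writable_by_user "$piddir" "$user"; then
        echo "ok:   $piddir writable by $user"
    else
        echo "FAIL: $piddir not writable by $user (expect 'couldn't create pid file' on reload)"
        failed=$((failed + 1))
    fi
    return $failed
}

main() {
    # Constructed fixture standing in for /etc/namedb/named.conf and /var/run;
    # the current user and group stand in for bind:bind.
    tmp=$(mktemp -d)
    printf 'options { directory "/etc/namedb"; };\n' > "$tmp/named.conf"
    chmod 640 "$tmp/named.conf"
    mkdir "$tmp/run" && chmod 755 "$tmp/run"
    set -- $(stat_fields "$tmp/named.conf")
    audit_named_paths "$tmp/named.conf" "$tmp/run" "$2" "$3"
    rm -rf "$tmp"
}

main "$@"
```

On a real host the call would be `audit_named_paths /etc/namedb/named.conf /var/run bind bind`. The script only reads mode bits, so it reports what an unprivileged bind would be able to do regardless of who runs the audit; a FAIL on the second check is the condition behind the syslog message quoted above, and the usual remedy is a pid directory owned by the bind user rather than a writable /var/run.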