From owner-freebsd-security Sun Nov 14 8: 3:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.aye.net (phoenix.aye.net [198.7.192.5]) by hub.freebsd.org (Postfix) with SMTP id BFDD214C9A for ; Sun, 14 Nov 1999 08:03:04 -0800 (PST) (envelope-from barrett@phoenix.aye.net)
Received: (qmail 20498 invoked by uid 1000); 14 Nov 1999 16:03:47 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 14 Nov 1999 16:03:47 -0000
Date: Sun, 14 Nov 1999 11:03:47 -0500 (EST)
From: Barrett Richardson
To: Brett Glass
Cc: Peter Wemm, Bill Fumerola, Cy Schubert - ITSD Open Systems Group, security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hmm, I got a bounce from hub on this message but here it is in the list, curious. Oh well, I'll add a couple of things.

On Sun, 14 Nov 1999, Barrett Richardson wrote:

> On Fri, 12 Nov 1999, Brett Glass wrote:
>
> > It'd be a shame if a PPP dial-up server couldn't sandbox BIND,
> > since it's a good idea to keep a DNS server as close to the
> > dial-ups as possible. Any ideas about how one might work around
> > this, short of going to a capabilities-based security model?
> >
> > --Brett
>
> I run bind on my box I dial an ISP with, I just use a directive like

I failed to mention I have it sandboxed with "-u bind -g bind". I get a dynamic IP assignment on dial-up and it works OK.

>   listen-on port 53 {
>     127.0.0.1;
>   };
>
> For a dial-up server you should be able to add a routable IP to the
> loopback and listen on that.

After a little more thought, this is unnecessary; you could add the listen-on directive for any IP on an interface which is not subject to change, like an ethernet.

- Barrett (again)

> - Barrett
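A check to go with the above, added here as an example and not part of the original thread: once named has been started with "-u bind -g bind" and a listen-on directive pinned to an address that does not change, confirm on the running box that it really dropped root and only has port 53 bound where you meant. The script assumes a placeholder address (192.0.2.10, documentation space) for the stable interface and uses constructed lines in the format of `sockstat -4 -l`; on a real FreeBSD host, pipe in the real output instead. One caveat for anyone reading this later: "-g group" is a BIND 8 flag. In BIND 9, "-g" means run in the foreground with logging to stderr, and named drops to the user given to "-u" and that user's group.

```shell
#!/bin/sh
# Added example, not from the original thread: after starting named with
# "-u bind -g bind" (BIND 8 flags) and a listen-on directive pinned to a
# stable address, check that it really dropped root and only listens where
# intended. The sockstat lines below are constructed sample data so this runs
# offline; on a real FreeBSD host, feed it the output of `sockstat -4 -l`.

# Assumed placeholder: the address on the non-changing (ethernet) interface
# that the listen-on directive names. 192.0.2.10 is documentation space.
ALLOWED_ADDR="${ALLOWED_ADDR:-192.0.2.10}"

# Constructed sample in the format of `sockstat -4 -l`:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# The last line is deliberately wrong: a named still running as root and
# bound to every address (which is what a dial-up box must avoid).
SAMPLE_BAD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      123   4  udp4   192.0.2.10:53         *:*
bind     named      123   5  tcp4   192.0.2.10:53         *:*
bind     named      123   6  udp4   127.0.0.1:53          *:*
root     named      999   4  udp4   *:53                  *:*'

# Constructed sample of a correctly sandboxed setup.
SAMPLE_OK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      123   4  udp4   192.0.2.10:53         *:*
bind     named      123   5  tcp4   192.0.2.10:53         *:*
bind     named      123   6  udp4   127.0.0.1:53          *:*'

# audit_named_listeners LISTING
# Prints one "BAD: ..." line per port-53 named socket that is owned by root
# or bound to anything other than ALLOWED_ADDR or loopback. Exit status is
# 0 when the listing is clean and 1 otherwise.
audit_named_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_ADDR" '
        NR == 1 { next }                         # column header
        $2 != "named" { next }                   # only look at named
        {
            n = split($6, parts, ":")
            addr = parts[1]; port = parts[n]     # IPv4 "addr:port"
            if (port != "53") next
            if ($1 == "root") {
                print "BAD: named pid " $3 " still runs as root (-u/-g not in effect)"
                bad = 1
            }
            if (addr != allowed && addr != "127.0.0.1") {
                print "BAD: " $5 " listener on " $6 " is outside " allowed " and loopback"
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone run: report on the deliberately broken sample, then the good one.
audit_named_listeners "$SAMPLE_BAD" || echo "sample_bad: FAIL (expected)"
audit_named_listeners "$SAMPLE_OK" && echo "sample_ok: clean"
```

Run as-is it prints the two BAD lines for the broken sample and "sample_ok: clean" for the other; to audit a live box, replace the sample with "$(sockstat -4 -l)" and set ALLOWED_ADDR to the address in your listen-on block.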