From owner-freebsd-security  Mon Nov 15  8:58: 1 1999
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id DDC8714BDD
	for <security@FreeBSD.ORG>; Mon, 15 Nov 1999 08:57:56 -0800 (PST)
	(envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA23485;
	Mon, 15 Nov 1999 08:57:50 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda23481; Mon Nov 15 08:57:33 1999
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.9.3/8.9.1) id IAA61664;
	Mon, 15 Nov 1999 08:57:25 -0800 (PST)
Message-Id: <199911151657.IAA61664@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca"
 via SMTP by localhost.osg.gov.bc.ca, id smtpdi61660; Mon Nov 15 08:56:46 1999
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
X-OS: FreeBSD 3.3-RELEASE
X-Sender: cschuber
To: Peter Wemm <peter@netplex.com.au>
Cc: Bill Fumerola <billf@chc-chimes.com>,
	Brett Glass <brett@lariat.org>,
	Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>,
	security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND? 
In-reply-to: Your message of "Fri, 12 Nov 1999 23:45:59 +0800."
             <19991112154559.DAC251C6D@overcee.netplex.com.au> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 15 Nov 1999 08:56:46 -0800
From: Cy Schubert <cschuber@uumail.gov.bc.ca>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19991112154559.DAC251C6D@overcee.netplex.com.au>, Peter Wemm 
writes
:
> Bill Fumerola wrote:
> > On Thu, 11 Nov 1999, Brett Glass wrote:
> > 
> > > I assume you mean rc.conf, not named.conf.
> > > 
> > > In any case, maybe there should be a "sandbox BIND" flag in rc.conf
> > > that selects a sandboxed configuration and is on by default.
> > > Also, it'd be nice to have the user "named" already in /etc/passwd
> > > and ready to go.
> > 
> > bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
> > 
> > You mean like that in src/etc/master.passwd?
> 
> *Beware* - do not do this if you have dyanmic interface configuration, eg
> if you run ppp[d] or anything.  Bind depends on being able to bind to port
> 53 if the interface configuration changes.  This is why it's not on by
> default.

I use the following at home to restart named when I dial into work or my 
friend's ISP.  It passes all arguments to named.

/*
 * Compile with,
 *	cc -O2 -o named8_mom named8_mom.c 
 *      strip named8_mom
 */
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>

#define NAMED_PATH	"/usr/local/sbin/named"

void kill_named();
void exit_named_mom();

int restart_named = 1;
pid_t pid;

int
main(argc, argv)
int argc;
char **argv;
{
	int status;
	int prio;

	if ((pid = fork()) < 0) {
		perror("daemon error");
		exit(1);
	} else if (pid > 0) {
		exit(0);
	}

	if (setpgid(pid, pid) == -1) {
		perror("setpgid");
		exit(1);
	}

	if (signal(SIGHUP, kill_named) == SIG_ERR) {
		perror("error setting SIGHUP");
		exit(1);
	}
	if (signal(SIGTERM, exit_named_mom) == SIG_ERR) {
		perror("error setting SIGTERM");
		exit(1);
	}
	if (signal(SIGINT, exit_named_mom) == SIG_ERR) {
		perror("error setting SIGINT");
		exit(1);
	}

	prio = getpriority(PRIO_PROCESS, 0);
	if (setpriority(PRIO_PROCESS, 0, -20) != 0) {
		perror("main setpriority error");
		exit(1);
	}
	while (restart_named) {
		if ((pid = vfork()) == 0) {
			int i;
			char *named_path = NAMED_PATH;
			char *nofork = "-f";
			char *args[60];
			if (setpriority(PRIO_PROCESS, 0, prio) != 0) {
				perror("child setpriority error");
				sleep(10);
				exit(1);
			}
			args[0] = named_path;
			for (i = 1; i < argc; i++) {
				args[i] = argv[i];
			}
			args[i++] = nofork;
			args[i] = NULL;
			execv(NAMED_PATH, args);
			perror("execv failed");
			sleep(10);
			exit(1);
		} else if (pid > 0) {
			if (wait(&status) == -1) {
				perror("wait error");
			}
			if (status != 0) {
				fprintf(stderr, "nonzero return code from named\n");
				exit(1);
			}
		} else {
			perror("fork failed");
			exit(1);
		}
	}
	exit(0);
}

void
kill_named()
{
	if (kill(pid,SIGTERM) != 0) {
		perror("named kill failed");
		restart_named = 0;
		exit(1);
	}
}

void
exit_named_mom()
{
	kill_named();
	restart_named = 0;
}



Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC            
                      "e**(i*pi)+1=0"





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message