Date:      Mon, 15 Nov 1999 08:56:46 -0800
From:      Cy Schubert <cschuber@uumail.gov.bc.ca>
To:        Peter Wemm <peter@netplex.com.au>
Cc:        Bill Fumerola <billf@chc-chimes.com>, Brett Glass <brett@lariat.org>, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, security@FreeBSD.ORG
Subject:   Re: Why not sandbox BIND? 
Message-ID:  <199911151657.IAA61664@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Fri, 12 Nov 1999 23:45:59 +0800." <19991112154559.DAC251C6D@overcee.netplex.com.au> 

In message <19991112154559.DAC251C6D@overcee.netplex.com.au>, Peter Wemm writes:
> Bill Fumerola wrote:
> > On Thu, 11 Nov 1999, Brett Glass wrote:
> > 
> > > I assume you mean rc.conf, not named.conf.
> > > 
> > > In any case, maybe there should be a "sandbox BIND" flag in rc.conf
> > > that selects a sandboxed configuration and is on by default.
> > > Also, it'd be nice to have the user "named" already in /etc/passwd
> > > and ready to go.
> > 
> > bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
> > 
> > You mean like that in src/etc/master.passwd?
> 
> *Beware* - do not do this if you have dynamic interface configuration, e.g.
> if you run ppp[d] or anything.  Bind depends on being able to bind to port
> 53 if the interface configuration changes.  This is why it's not on by
> default.

I use the following at home to restart named when I dial into work or my 
friend's ISP.  It passes all arguments to named.

/*
 * Compile with,
 *	cc -O2 -o named8_mom named8_mom.c 
 *      strip named8_mom
 */
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/time.h>
#include <sys/wait.h>

#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define NAMED_PATH	"/usr/local/sbin/named"

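/* SIGHUP handler: ask the running named to stop so main()'s loop restarts it. */
void kill_named();
/* SIGTERM/SIGINT handler: stop named and end the restart loop. */
void exit_named_mom();

/*
 * State shared between main() and the signal handlers. The handlers write
 * these at unpredictable points while main() reads them, so both are
 * volatile and the loop flag uses the one type the standard guarantees
 * can be written atomically from a handler, sig_atomic_t.
 */
volatile sig_atomic_t restart_named = 1;	/* keep (re)starting named while non-zero */
volatile pid_t pid;				/* pid of the running named; 0 until main() assigns it */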

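/*
 * Supervisor ("mom") for named.
 *
 * Forks into the background, takes its own process group and then keeps a
 * single foreground named (-f) running. A SIGHUP to the supervisor makes
 * kill_named() send the running named a SIGTERM, after which the loop here
 * starts a fresh one; SIGTERM or SIGINT to the supervisor stop named and
 * end the loop (exit_named_mom clears restart_named).
 *
 * argc/argv: the supervisor's own arguments. Every argv[1..] is passed
 *            through to named unchanged, with "-f" appended.
 * Exit status: 0 when the loop is ended by a handler; 1 on any setup
 *            failure, on fork/wait failure, or when named exits non-zero
 *            or dies on a signal other than SIGTERM.
 */
int
main(int argc, char **argv)
{
	int status = 0;
	int prio;
	int nfwd;		/* number of argv entries forwarded to named (argv[1..]) */
	int i;
	pid_t daemon_pid;
	char **args;

	/* Detach: the original process returns to the shell at once. */
	daemon_pid = fork();
	if (daemon_pid < 0) {
		perror("daemon error");
		exit(1);
	} else if (daemon_pid > 0) {
		exit(0);
	}

	/*
	 * Become leader of a new process group. setpgid(0, 0) names the calling
	 * process explicitly instead of relying on the forked pid happening to
	 * be 0 here, and leaves the global pid alone for kill_named().
	 */
	if (setpgid(0, 0) == -1) {
		perror("setpgid");
		exit(1);
	}

	/*
	 * Build named's argument vector once, in the parent, sized from argc
	 * rather than a fixed args[60] that overflowed silently for argc > 58:
	 * argv[0] + forwarded args + "-f" + NULL. argc can legally be 0, so
	 * never forward a negative count.
	 */
	nfwd = argc > 1 ? argc - 1 : 0;
	args = calloc((size_t)nfwd + 3, sizeof *args);
	if (args == NULL) {
		perror("calloc");
		exit(1);
	}
	args[0] = NAMED_PATH;
	for (i = 0; i < nfwd; i++) {
		args[i + 1] = argv[i + 1];
	}
	args[nfwd + 1] = "-f";
	args[nfwd + 2] = NULL;

	if (signal(SIGHUP, kill_named) == SIG_ERR) {
		perror("error setting SIGHUP");
		exit(1);
	}
	if (signal(SIGTERM, exit_named_mom) == SIG_ERR) {
		perror("error setting SIGTERM");
		exit(1);
	}
	if (signal(SIGINT, exit_named_mom) == SIG_ERR) {
		perror("error setting SIGINT");
		exit(1);
	}

	/*
	 * Run the supervisor itself at the highest priority (needs superuser
	 * privilege); named is started at the priority we were given.
	 */
	prio = getpriority(PRIO_PROCESS, 0);
	if (setpriority(PRIO_PROCESS, 0, -20) != 0) {
		perror("main setpriority error");
		exit(1);
	}

	while (restart_named) {
		/*
		 * fork(), not vfork(): the child below calls setpriority(),
		 * perror() and sleep() before exec, which vfork permits only
		 * for exec and _exit.
		 */
		pid = fork();
		if (pid == 0) {
			if (setpriority(PRIO_PROCESS, 0, prio) != 0) {
				perror("child setpriority error");
				sleep(10);
				_exit(1);
			}
			execv(NAMED_PATH, args);
			perror("execv failed");
			sleep(10);	/* keep a broken install from spinning the loop */
			_exit(1);	/* _exit: no atexit/stdio teardown of the parent's state */
		} else if (pid > 0) {
			pid_t reaped;

			/* Reap our child only, retrying if a handler interrupts us. */
			do {
				reaped = waitpid(pid, &status, 0);
			} while (reaped == -1 && errno == EINTR);
			if (reaped == -1) {
				/* status is meaningless here; never act on it. */
				perror("wait error");
				exit(1);
			}
			if (WIFSIGNALED(status) && WTERMSIG(status) == SIGTERM) {
				/* kill_named()'s SIGTERM: this is the restart we asked for. */
				continue;
			}
			if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
				fprintf(stderr, "nonzero return code from named\n");
				exit(1);
			}
		} else {
			perror("fork failed");
			exit(1);
		}
	}
	free(args);
	exit(0);
}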

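/*
 * SIGHUP handler: terminate the running named so main()'s loop starts a
 * fresh one. Only SIGTERM is sent; restart_named is left alone, so the
 * loop goes round again.
 *
 * If named cannot be signalled, reports it, clears restart_named and exits
 * with status 1 as before, but using only async-signal-safe calls.
 */
void
kill_named()
{
	/*
	 * kill(0, sig) signals our whole process group and kill(-1, sig)
	 * every process we may signal. pid is 0 until main() has forked
	 * named, so a SIGHUP arriving early must not become a broadcast.
	 */
	if (pid <= 0) {
		return;
	}
	if (kill(pid, SIGTERM) != 0) {
		/* perror()/exit() are not async-signal-safe; write()/_exit() are. */
		static const char msg[] = "named kill failed\n";

		(void)write(STDERR_FILENO, msg, sizeof msg - 1);
		restart_named = 0;
		_exit(1);
	}
}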

/*
 * SIGTERM/SIGINT handler: end the restart loop and take named down with
 * the supervisor.
 */
void
exit_named_mom()
{
	/* Clear the flag first; kill_named() does not return if kill() fails. */
	restart_named = 0;
	kill_named();
}



Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC            
                      "e**(i*pi)+1=0"








