From owner-cvs-all  Fri Dec 18 11:51:27 1998
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA21160
          for cvs-all-outgoing; Fri, 18 Dec 1998 11:51:27 -0800 (PST)
          (envelope-from owner-cvs-all@FreeBSD.ORG)
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA21151
          for <committers@FreeBSD.ORG>; Fri, 18 Dec 1998 11:51:24 -0800 (PST)
          (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.9.1/8.9.1) id LAA04753;
	Fri, 18 Dec 1998 11:51:11 -0800 (PST)
	(envelope-from dillon)
Date: Fri, 18 Dec 1998 11:51:11 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
Message-Id: <199812181951.LAA04753@apollo.backplane.com>
To: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Cc: Eivind Eklund <eivind@yes.no>, Dag-Erling Smorgrav <des@flood.ping.uio.no>,
        Jos Backus <Jos.Backus@nl.origin-it.com>, committers@FreeBSD.ORG
Subject: Re: Bind sandbox bogosity
References: <xzpvhjembb6.fsf@flood.ping.uio.no> <19981216222430.A93098@hal.mpn.cp.philips.com> <xzpempzi7xm.fsf@flood.ping.uio.no> <19981217132343.R68793@follo.net> <xzpk8zp1rcp.fsf@flood.ping.uio.no>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

:Eivind Eklund <eivind@yes.no> writes:
:> Can we put DNSSANDBOX (or something like that) in /etc/rc.conf?  I
:> would like to make it very, very easy to make it run in a sandbox...
:
:Very easy - just set named_flags to "" instead of "-u bind -g bind".
:
:DES
:-- 
:Dag-Erling Smorgrav - des@flood.ping.uio.no

    Right.  It would probably be overkill to implement DNSSANDBOX.
    Much easier to simply leave named_flags set to "" for the
    next release and put the "-u bind -g bind" mode in a comment.

    What we need is a security man page that describes the steps 
    that can be taken to further secure the machine.  I'll 
    volunteer to get it started :-)

    apollo:/> man security
    No manual entry for security


    --

    Did anyone receive my email to hackers/committers in regards to
    implementing asleep() & await() ?  I haven't gotten a single 
    response to it!  And it ought to have elicited several dozen!

					-Matt

    Matthew Dillon  Engineering, HiWay Technologies, Inc. & BEST Internet 
                    Communications & God knows what else.
    <dillon@backplane.com> (Please include original email in any response)    

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message