From owner-cvs-all Fri Dec 18 11:54:34 1998
Return-Path:
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA21558
          for cvs-all-outgoing; Fri, 18 Dec 1998 11:54:34 -0800 (PST)
          (envelope-from owner-cvs-all@FreeBSD.ORG)
Received: from burka.rdy.com (burka.rdy.com [205.149.163.30])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA21549
          for ; Fri, 18 Dec 1998 11:54:29 -0800 (PST)
          (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost)
          by burka.rdy.com (8.9.1/RDY&DVV) id LAA48390;
          Fri, 18 Dec 1998 11:54:03 -0800 (PST)
Message-Id: <199812181954.LAA48390@burka.rdy.com>
Subject: Re: Bind sandbox bogosity
In-Reply-To: <19981217132343.R68793@follo.net> from Eivind Eklund at "Dec 17, 1998 1:23:43 pm"
To: eivind@yes.no (Eivind Eklund)
Date: Fri, 18 Dec 1998 11:54:03 -0800 (PST)
Cc: des@flood.ping.uio.no, Jos.Backus@nl.origin-it.com, committers@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

Eivind Eklund writes:
> On Thu, Dec 17, 1998 at 07:44:37AM +0100, Dag-Erling Smorgrav wrote:
> > Jos Backus writes:
> > > On Tue, Dec 15, 1998 at 02:41:17AM +0100, Dag-Erling Smorgrav wrote:
> > > > Solution 1: don't run named as bind:bind (and consequently back out
> > > > revision 1.64 of src/etc/rc.conf and revisions 1.33 and 1.32 of
> > > > src/etc/mtree/BSD.root.dist)
> > > >
> > > > Solution 2: hack bind to temporarily regain privs when HUPed.
> > >
> > > Solution 3: hack update_pid_file()/write_open() in ns_config.c to use
> > > ftruncate() instead of unlink() and subsequently
> > > chown bind:bind /var/run/named.pid.
> >
> > There are more serious problems with running named in a sandbox which
> > your solution doesn't address (e.g. not being able to rescan
> > interfaces).
>
> Can we put DNSSANDBOX (or something like that) in /etc/rc.conf?  I
> would like to make it very, very easy to make it run in a sandbox...

I think it's a good idea.

>
> Eivind.
>

-- dima
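
The idea behind Solution 3 in the quoted thread, as an added example (this is not BIND's code and not from any poster): truncating and rewriting an existing pid file needs write permission on the file only, whereas unlink() plus re-create needs write permission on the directory, which a daemon running as an unprivileged user lacks. The names `rewrite_pid_file` and `demo`, the temporary path, and the `O_NOFOLLOW` hardening are assumptions of this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Rewrite an existing pid file in place (hypothetical helper).
 * The file must already exist and be owned by the daemon's user,
 * e.g. created and chown'ed by the startup script while still root.
 * Returns 0 on success, -1 on failure.
 */
int rewrite_pid_file(const char *path, pid_t pid)
{
    char buf[32];
    int len, fd;

    /* No O_CREAT: never create the file here. O_NOFOLLOW: refuse a symlink. */
    fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    len = snprintf(buf, sizeof(buf), "%ld\n", (long)pid);
    if (len < 0 || (size_t)len >= sizeof(buf) ||
        ftruncate(fd, 0) != 0 ||               /* drop the stale contents */
        write(fd, buf, (size_t)len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Constructed self-check: a stale, longer pid must be fully replaced. */
int demo(void)
{
    char path[] = "/tmp/pidfile-XXXXXX", got[32] = {0};
    int fd = mkstemp(path), ok;
    ssize_t n;

    if (fd < 0 || write(fd, "999999999\n", 10) != 10)
        return -1;
    close(fd);
    ok = rewrite_pid_file(path, (pid_t)1234) == 0;
    fd = open(path, O_RDONLY);
    n = read(fd, got, sizeof(got) - 1);
    close(fd);
    unlink(path);
    return (ok && n == 5 && strcmp(got, "1234\n") == 0) ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```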