Date:      Mon, 21 Dec 1998 16:30:14 +0100
From:      sthaug@nethelp.no
To:        eivind@yes.no
Cc:        des@flood.ping.uio.no, dillon@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: cvs commit: src/etc rc.conf
Message-ID:  <18927.914254214@verdi.nethelp.no>
In-Reply-To: Your message of "Mon, 21 Dec 1998 16:11:10 +0100"
References:  <19981221161110.E14124@follo.net>

> > If named is run in the sandbox, it will have to be restarted every
> > time an interface comes up after being down an hour or more - less if
> > you lower interface-interval in /etc/namedb/named.conf, which you
> > probably will if you run a caching nameserver on a box that has a
> > dynamic IP address (e.g. a dialout gateway). It will also complain
> > loudly every time it receives any of SIGHUP, SIGINT, SIGILL, SIGSYS or
> > SIGTERM unless you perform the appropriate named.conf magic to move
> > the pid and dump files to a directory writeable by bind:bind.
> > 
> > OBTW, the /etc/named/s/ hack is just that - a hack, and an ugly one at
> > that.
> > 
> > You'll just have to come to terms with the fact that named needs
> > privs.
> 
> ... unless you do a series of small modifications.  It is not as if
> rescanning the interfaces is a _large_ task, or one that couldn't be
> done by a forked out half of named, decreasing the chance of a problem
> spreading.

named, possibly with some small modifications, could easily run in the
sandbox for a fairly large class of important configurations, namely
the ISP which runs primary and/or secondary service for thousands of
domains on one box - and this box is a dedicated name server.

(On such a box, interfaces change rarely if at all - so I would be
quite comfortable with removing the code for rescanning of interfaces.
An initial scan would still be necessary.)

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
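As an added illustration, not from the thread, here is what the "named.conf magic" in the quoted text amounts to: the pid, dump and statistics files are pointed at a directory the unprivileged bind:bind user can write to, and interface-interval is shortened for a caching server on a dynamic address. The BIND 8 option names are real; the paths, the s/ directory and the rc.conf flags are assumptions about a FreeBSD layout of that era.

```conf
# Added example, not part of the thread. Assumes BIND 8 named.conf syntax
# and a FreeBSD layout with zone files under /etc/namedb.

# /etc/rc.conf (assumed flags): drop named to the unprivileged user/group
# after it has bound port 53, so a compromise does not run as root.
#   named_flags="-u bind -g bind"

options {
	directory "/etc/namedb";          # relative paths below resolve here

	# Writable state moved out of root-owned /var/run into a directory
	# owned by bind:bind (assumed: mkdir /etc/namedb/s; chown bind:bind).
	# Without this, the daemon cannot rewrite its pid file or dump its
	# cache once privileges are dropped, hence the complaints on
	# SIGHUP/SIGINT/SIGILL/SIGSYS/SIGTERM mentioned above.
	pid-file        "s/named.pid";
	dump-file       "s/named_dump.db";
	statistics-file "s/named.stats";

	# Rescan interfaces every 10 minutes instead of the default 60,
	# for a caching server on a dial-up gateway whose address changes.
	# A dedicated, static name server can leave this at the default.
	interface-interval 10;
};
```

If interface-interval is left at the default, a new interface address is only picked up at the next scan or when named is restarted, which is the restart requirement the quoted message describes.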
