Date: Fri, 12 Nov 1999 17:24:38 +0100
From: Pierre Beyssac <beyssac@enst.fr>
To: Alain Thivillon <Alain.Thivillon@hsc.fr>, security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
Message-ID: <19991112172438.A57962@enst.fr>
In-Reply-To: <19991112170835.J352@yoko.hsc.fr>; from Alain Thivillon on Fri, Nov 12, 1999 at 05:08:35PM +0100
References: <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.com> <19991112154559.DAC251C6D@overcee.netplex.com.au> <19991112170835.J352@yoko.hsc.fr>
On Fri, Nov 12, 1999 at 05:08:35PM +0100, Alain Thivillon wrote:
> > if you run ppp[d] or anything. Bind depends on being able to bind to port
> > 53 if the interface configuration changes. This is why it's not on by
> > default.
>
> You should also please note that the sandbox should be in the same FS as
> /var/run/log if you want logging via syslog to continue working.

You don't need this. /var/run/log can be a symbolic link to
/chroot/var/run/log, then you start syslogd with option -p /chroot/var/run/log.
The only gotcha is that you need to clean up /chroot/var/run/ at startup or
syslogd won't start. That's what I use on ns.eu.org but it took me some time
to figure it out...

Even better, you can use syslogd's -l option to create as many /chroot/dev/log
as you need for chrooted environments, as explained by Craig Rowland in his
paper. Then you don't need any symbolic or hard link stuff.

--
Pierre Beyssac pb@enst.fr

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
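An added example (not from the thread or from FreeBSD itself) of the second approach above: a small sh helper that prepares one syslogd -l socket path per chroot and clears a stale socket left from a previous run, the startup gotcha the message mentions. The chroot paths and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: build syslogd's extra "-l" socket arguments for a set
# of chroots (for instance a BIND jail under /chroot), so each chroot gets its
# own /var/run/log socket and no symlink or hard link is needed.

# Remove a leftover socket file from a previous run. Only a socket or a
# dangling symlink is removed; any other file at that path is left alone
# and reported, since it is not something this script created.
clean_stale_log_socket() {
    sock="$1"
    if [ -S "$sock" ] || { [ -L "$sock" ] && [ ! -e "$sock" ]; }; then
        rm -f "$sock"
    elif [ -e "$sock" ]; then
        echo "refusing to remove non-socket $sock" >&2
        return 1
    fi
    return 0
}

# For every chroot root given, create "$root/var/run", clear a stale socket,
# and append "-l $root/var/run/log" to the argument list.
# Prints one line with the arguments, e.g. "-l /chroot/var/run/log".
syslogd_chroot_args() {
    args=""
    for root in "$@"; do
        mkdir -p "$root/var/run"
        clean_stale_log_socket "$root/var/run/log" || return 1
        args="$args -l $root/var/run/log"
    done
    printf '%s\n' "${args# }"
}

# Intended use at boot (not executed here): the default /var/run/log socket
# stays as-is and one extra socket is created inside each chroot.
#   syslogd $(syslogd_chroot_args /chroot)
```

Note that syslogd -l creates the socket itself, so the chroot only needs the var/run directory to exist before syslogd starts.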