Date: Thu, 23 Aug 2001 17:18:32 -0400 (EDT)
From: Mike Silbersack <silby@silby.com>
To: Brian Somers <brian@Awfulhak.org>
Cc: Matt Dillon <dillon@earth.backplane.com>, Chris Dillon <cdillon@wolves.k12.mo.us>, "Andrey A. Chernov" <ache@nagual.pp.ru>, Jun Kuriyama <kuriyama@imgsrc.co.jp>, <cvs-committers@FreeBSD.ORG>, <cvs-all@FreeBSD.ORG>, <brian@freebsd-services.com>
Subject: Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf
Message-ID: <Pine.BSF.4.30.0108231705050.76401-100000@niwun.pair.com>
In-Reply-To: <200108232021.f7NKLUg86106@hak.lan.Awfulhak.org>

On Thu, 23 Aug 2001, Brian Somers wrote:

> > 2. rc.conf is amended with some fancy shell scripting that mails root and
> > says "You're not using sandboxing! Read this url and figure it out, it
> > will be the default in 4.5"
>
> So anybody that wants named to run as root so that it can bind to
> addresses that are configured after named has started gets to suffer
> these emails ?
>
> Are you saying that *you* know better than the person running a given
> machine ? I think not.

I think that anyone running BIND as root deserves to know the risk they're putting themselves in. Look at BIND 8's history and tell me that it's a completely safe application to run as root. When protection against being rooted is this easy, people should be using it.

The case of running a dns server on dynamic interfaces is irrelevant. Such a server would be useless anyway, since nobody could find it. Maybe there's one or two people who have some really weird situation which requires such a setup, but I'm sure that's a really small amount of people.

Clearly it's not going to be easy to set the defaults to use bind:bind without breaking some configurations. However, this is something that _should_ be done.

This would be a much more productive conversation if you could put forward some ideas on how to make the transition as painless as possible.

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message