Date: Thu, 23 Aug 2001 13:11:01 -0400 (EDT) From: Mike Silbersack <silby@silby.com> To: Chris Dillon <cdillon@wolves.k12.mo.us> Cc: Brian Somers <brian@Awfulhak.org>, "Andrey A. Chernov" <ache@nagual.pp.ru>, Jun Kuriyama <kuriyama@imgsrc.co.jp>, <cvs-committers@FreeBSD.org>, <cvs-all@FreeBSD.org>, <brian@freebsd-services.com> Subject: Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf Message-ID: <Pine.BSF.4.30.0108231307280.29579-100000@niwun.pair.com> In-Reply-To: <Pine.BSF.4.32.0108231143390.75946-100000@mail.wolves.k12.mo.us>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 23 Aug 2001, Chris Dillon wrote: > Yes, true. In -CURRENT this won't be a big deal. In -STABLE it is > probably good enough that we have a note in defaults/rc.conf that > named can be run in a sandbox. It doesn't really motivate one to do > so, though. Maybe instead of saying "it may be possible to run named > in a sandbox" we could be a little more assertive and say "it would be > a REALLY good idea if you ran named in a sandbox". Well, the difference is this. If the default behavior is changed, and an entry is added to UPDATING / the release notes, a few modem users will be annoyed. They will get over it quickly. If the default behavior is not changed, and another hole is found in BIND, thousands of boxes will be easily rootable. At this point in time, the many users of BIND will not be really happy when the advisory says "We told you to sandbox it in rc.conf!" So, the question in my mind isn't whether this change will break modem users; that's easy enough to fix and has a minimal impact. The question is: will enabling sandboxing potentially break systems which act as secondaries when they try to grab updated zones? _That_ would be a serious problem. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.30.0108231307280.29579-100000>