Date: Fri, 12 Nov 1999 21:29:12 +0200
From: Barry Irwin <bvi@rucus.ru.ac.za>
To: Josef Karthauser <joe@pavilion.net>
Cc: Brett Glass <brett@lariat.org>, Bill Fumerola <billf@chc-chimes.com>, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
Message-ID: <19991112212912.Z57266@rucus.ru.ac.za>
In-Reply-To: <19991112173306.D76708@florence.pavilion.net>; from joe@pavilion.net on Fri, Nov 12, 1999 at 05:33:06PM +0000
References: <4.2.0.58.19991111220759.044f46d0@localhost> <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.c <4.2.0.58.19991112102309.045abf00@localhost> <19991112173306.D76708@florence.pavilion.net>

On Fri 1999-11-12 (17:33), Josef Karthauser wrote:
> On Fri, Nov 12, 1999 at 10:24:44AM -0700, Brett Glass wrote:
> > Our production systems are running an older version of FreeBSD (we
> > always stay a bit behind the leading edge), so they do not have
> > that user.
> >
> > --Brett
>
> You are _quite_ a way behind. I believe that almost all of the 3.X releases
> have had this ability. (If you're running later mergemaster is your friend ;)

3.2 System CVSup'd doesn't have it by default

su-2.03# cat /etc/passwd | grep named
su-2.03# uname -a
FreeBSD shagrat.moria.org 3.3-STABLE FreeBSD 3.3-STABLE #0: Thu Oct 21 15:40:30 SAST 1999 bvi@shagrat.moria.org:/usr/src/sys/compile/bvi.SHAGRAT i386

Same on my other straight 3.2-STABLE system

Adding a user for named is one of the first things I do on a new system,
along with adding a specific user for httpd, rather than the default nobody.

IMO, most daemons that don't need any special privilege should be run as their
own user, this includes things like squid, mail (qmail has a nice broken up
privilege levels model).

Think it would be a good idea to possibly add these in by default on a New BSD
install. No reason for named to run as root whatsoever (well other than the
initial bind)

Barry

--
--------------------------------------------------------------------------
Barry Irwin  IRC: balin@zanet (#linux)  bvi@moria.org
http://rucus.ru.ac.za/~bvi  Whois BI414 - PMPN8EZ - http://moria.org
--------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
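The `grep named` check in the message above, generalized into a small account audit (an added example, not part of the original message): it matches the login field exactly instead of any substring, and also flags daemon accounts that are UID 0, share a UID such as nobody's, or keep a login shell. The function names, verdict strings, the nologin policy and every passwd entry are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. All passwd entries below are constructed sample data.

# check_daemon_account PASSWD_FILE LOGIN
# Prints a verdict; returns 0 only for a dedicated, unprivileged account.
check_daemon_account() {
    awk -F: -v name="$2" '
        { seen[$3]++ }                                  # accounts per UID
        $1 == name { found = 1; uid = $3; shell = $7 }  # exact login match
        END {
            if (!found)              { print "missing";     exit 1 }
            if (uid + 0 == 0)        { print "uid0";        exit 1 }
            if (seen[uid] > 1)       { print "shared-uid";  exit 1 }
            if (shell !~ /nologin$/) { print "login-shell"; exit 1 }
            print "ok"
        }' "$1"
}

# audit_daemons PASSWD_FILE LOGIN...  -> one "login: verdict" line per daemon
audit_daemons() {
    passwd_file=$1; shift
    for login in "$@"; do
        printf '%s: %s\n' "$login" "$(check_daemon_account "$passwd_file" "$login")"
    done
}

# Constructed sample: no "named" login exists, yet a plain `grep named`
# still matches because the word appears in another account's GECOS field.
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
bind:*:53:53:account for named:/:/sbin/nologin
httpd:*:80:80:web server:/usr/local/www:/bin/sh
squid:*:65534:65534:proxy reusing the nobody UID:/nonexistent:/sbin/nologin
EOF
}

tmp=$(mktemp) && sample_passwd > "$tmp"
audit_daemons "$tmp" named bind httpd squid root
rm -f "$tmp"
```

Pointing `audit_daemons` at a copy of a host's own `/etc/passwd` with its list of daemon logins gives the same report for that system.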