Date: Sun, 14 Nov 1999 11:03:47 -0500 (EST) From: Barrett Richardson <barrett@phoenix.aye.net> To: Brett Glass <brett@lariat.org> Cc: Peter Wemm <peter@netplex.com.au>, Bill Fumerola <billf@chc-chimes.com>, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, security@FreeBSD.ORG Subject: Re: Why not sandbox BIND? Message-ID: <Pine.BSF.4.01.9911141056170.16333-100000@phoenix.aye.net> In-Reply-To: <Pine.BSF.4.01.9911140848330.29218-100000@phoenix.aye.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hmm, I got a bounce from hub on this message but here it is in the
list, curious. Oh well I'll add a couple of things.
On Sun, 14 Nov 1999, Barrett Richardson wrote:
>
>
> On Fri, 12 Nov 1999, Brett Glass wrote:
>
> > It'd be a shame if a PPP dial-up server couldn't sandbox BIND,
> > since it's a good idea to keep a DNS server as close to the
> > dial-ups as possible. Any ideas about how one might work around
> > this, short of going to a capabilities-based security model?
> >
> > --Brett
> >
>
> I run bind on my box I dial an ISP with, I just use a directive like
I failed to mention I have it sandboxed with "-u bind -g bind". I get
a dynamic ip assignment on dial up and it works ok.
>
> listen-on port 53 {
> 127.0.0.1;
> };
>
> For a dial up server you should be able to add a routable ip to the
> loopback and listen on that.
After a little more thought, this is unnecessary, you could add the
listen-on directive for any ip on a interface which is not subject to
change, like an ethernet.
-
Barrett (again)
>
> -
>
> Barrett
>
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.01.9911141056170.16333-100000>