Date: Sun, 25 Jul 1999 15:50:49 -0700 (PDT)
From: Mike Hoskins <mike@snafu.adept.org>
To: Sue Blake <sue@welearn.com.au>
Cc: security@FreeBSD.ORG
Subject: Re: sandbox??
Message-ID: <Pine.BSF.4.10.9907251539570.24644-100000@snafu.adept.org>
In-Reply-To: <19990726065455.N7324@welearn.com.au>

On Mon, 26 Jul 1999, Sue Blake wrote:

> without confusion. After some good feedback on sandboxes, it seems that
> the latter is the more appropriate, particularly in view of the
> concurrent scarcity of documentation for BIND 8.

I really don't understand all the confusion. A quick search for 'BIND
sandbox' turned up hits for me. BIND 8, as well, is one of the most
documented services in existence. If you prefer online documentation,
there's ISC's numerous resources and a plethora of mirrors (antisocial.net
is one). If you like hard copies, DNS & BIND 3rd. Ed. is great for BIND
4.x and 8.x.

Re: BIND Sandbox, see http://www.psionic.com/papers/dns/dns-openbsd/ for a
general idea of what we're talking about, and how many of us were
implementing this before it was a default 'feature'. I'm glad to finally
see it included.

I run BIND in a sandbox on my 3.2-R and 4.0-C systems and it works great.
Rather than setting up a non-standard chroot() area I just kept
/etc/namedb around, did a 'chgrp bind /etc/namedb', 'chmod 774
/etc/namedb', and added a 'pid-file "/etc/namedb/named.pid";' entry to
named.conf so named wouldn't need access to /var/run.

Mike Hoskins
<mike@adept.org>
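
Added example, not part of the original message: a shell function that audits the three settings described above (group ownership of the namedb directory, mode 774, and a pid-file that lives inside that directory). The name check_namedb and its arguments are assumptions made for illustration; it parses 'ls -ld' output because stat(1) flags differ between BSD and GNU userlands.

```shell
#!/bin/sh
# check_namedb DIR GROUP [CONF]
# Returns 0 only if DIR is owned by GROUP, has mode 774, and CONF
# (default DIR/named.conf) sets pid-file to a path under DIR.
# Hypothetical helper written for this example.
check_namedb() {
    dir=$1; group=$2; conf=${3:-$dir/named.conf}
    rc=0

    listing=$(ls -ld "$dir") || return 2
    # First 10 characters are the type and permission bits; a trailing
    # '.' or '+' (SELinux/ACL marker) is cut off by substr().
    mode=$(printf '%s\n' "$listing" | awk '{print substr($1, 1, 10)}')
    owner_group=$(printf '%s\n' "$listing" | awk '{print $4}')

    if [ "$owner_group" != "$group" ]; then
        echo "FAIL: $dir group is $owner_group, expected $group"
        rc=1
    fi
    if [ "$mode" != "drwxrwxr--" ]; then
        echo "FAIL: $dir mode is $mode, expected drwxrwxr-- (774)"
        rc=1
    fi

    # Pull the quoted path out of: pid-file "/path/to/named.pid";
    pid=$(sed -n 's/^[[:space:]]*pid-file[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$conf" 2>/dev/null | head -n 1)
    case $pid in
        "$dir"/*) ;;
        "") echo "FAIL: no pid-file statement found in $conf"
            rc=1 ;;
        *)  echo "FAIL: pid-file $pid is outside $dir"
            rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $dir matches the sandbox layout"
    return "$rc"
}

# Run directly as: sh check_namedb.sh /etc/namedb bind
if [ "$#" -ge 2 ]; then
    check_namedb "$@"
fi
```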