From owner-freebsd-questions Fri Dec 15 13:58:43 2000 From owner-freebsd-questions@FreeBSD.ORG Fri Dec 15 13:58:41 2000 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 3E5E437B400 for ; Fri, 15 Dec 2000 13:58:41 -0800 (PST) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.1/8.11.1) with ESMTP id eBFLwCM06094; Fri, 15 Dec 2000 16:58:12 -0500 (EST) (envelope-from rsimmons@wlcg.com) Date: Fri, 15 Dec 2000 16:58:12 -0500 (EST) From: Rob Simmons To: Peter Brezny Cc: freebsd-questions@FreeBSD.ORG Subject: Re: sandbox clarification. In-Reply-To: <003001c066f5$6b4860a0$46010a0a@sysadmininc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG It can be a bit confusing the first time you setup a chroot'd or jail'd environment, but it is definitely worth it. I actually have bind running as an unpriviliged user in a chroot'd environment, which is in turn inside of a jail'd vm. :) Bind is a historically rootable daemon. Robert Simmons Systems Administrator http://www.wlcg.com/ On Fri, 15 Dec 2000, Peter Brezny wrote: > I recently posted a question about running named in a sandbox vs in a > chrooted environment. > > the named.conf sample that came with my 4.2-sable install, contains wording > that leads one to believe a 'sandbox' is equivalent to running named as in > unpriviliged user, since it claims that named runs in a sandbox by default > and asks you to see the named_flags in rc.conf (defaults we are left to > assume) where again there are some commented out lines that enable running > named as an unpriviliged user. man security also refers to these commented > out lines as where you enable running named in a sandbox. However, the > named flag -t is not in the named.conf example provided. > > This is what led me to believe 'sandbox' = unpriviliged user, not, chrooted > or jailed environment. > > Sorry for the confusion, I'll use the more clear terminology (unpriviliged > user, jail, chroot) rather than the lame sandbox descriptor in the future. > > NOW, > > if you are running named under an unpriviliged user, is it still a good idea > (worth the extra time and headache) to set it up to run in a chrooted > environment? > > TIA encore > > Peter Brezny > SysAdmin Services Inc. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message