From owner-freebsd-security Mon Dec 21 07:25:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA04354 for freebsd-security-outgoing; Mon, 21 Dec 1998 07:25:19 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA04326; Mon, 21 Dec 1998 07:25:16 -0800 (PST) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.1/8.9.1) id QAA35715; Mon, 21 Dec 1998 16:25:09 +0100 (CET) (envelope-from des)
To: Eivind Eklund
Cc: Dag-Erling Smorgrav, Matt Dillon, security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc rc.conf
References: <199812190725.XAA05479@freefall.freebsd.org> <19981221161110.E14124@follo.net>
From: Dag-Erling Smorgrav
Date: 21 Dec 1998 16:25:08 +0100
In-Reply-To: Eivind Eklund's message of "Mon, 21 Dec 1998 16:11:10 +0100"
Message-ID:
Lines: 26
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Eivind Eklund writes:
> On Mon, Dec 21, 1998 at 03:45:49PM +0100, Dag-Erling Smorgrav wrote:
> > Matt Dillon writes:
> > If named is run in the sandbox, it will have to be restarted every
> > time an interface comes up after being down an hour or more - less if
> > you lower interface-interval in /etc/namedb/named.conf, which you
> > probably will if you run a caching nameserver on a box that has a
> > dynamic IP address (e.g. a dialout gateway). It will also complain
> > loudly every time it receives any of SIGHUP, SIGINT, SIGILL, SIGSYS or
> > SIGTERM unless you perform the appropriate named.conf magic to move
> > the pid and dump files to a directory writeable by bind:bind.
>
> ... unless you do a series of small modifications. It is not as if
> rescanning the interfaces is a _large_ task, or one that couldn't be
> done by a forked out half of named

Umm, the problem isn't scanning interfaces, the problem is binding to
them, which needs to be done by the parent, so you can't delegate
interface rescanning to a child process. Or rather, you can, but it
won't matter since at some point the child will need to communicate
its results to the parent which will then attempt to bind to port 53
on interfaces it's not yet bound to, for which it needs privs.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no
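
The split discussed in this message, as an added example that is not part of the original e-mail and is not BIND's code: a forked child reports a newly found address over a socketpair, and the bind itself still happens in the parent, which is where the privilege for port 53 would be needed. The function names, the address `127.0.0.1` and port 5353 are assumptions made for the sketch; the child's privilege drop is only marked by a comment.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical parent-side helper: bind UDP addr:port, return fd or -errno. */
static int parent_bind(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return -EINVAL;               /* child sent something unparsable */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        int e = errno;                /* EACCES for port 53 without privileges */
        close(fd);
        return -e;
    }
    return fd;
}

/* The child "rescans" (found_addr is constructed input standing in for a real
 * interface scan) and reports to the parent, which must perform the bind. */
int rescan_and_bind(const char *found_addr, unsigned short port)
{
    int sp[2];
    char buf[INET_ADDRSTRLEN] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0)
        return -errno;
    pid_t pid = fork();
    if (pid < 0) { int e = errno; close(sp[0]); close(sp[1]); return -e; }
    if (pid == 0) {                   /* a sandboxed child would drop privileges here */
        close(sp[0]);
        _exit(write(sp[1], found_addr, strlen(found_addr)) < 0);
    }
    close(sp[1]);
    ssize_t n = read(sp[0], buf, sizeof buf - 1);
    close(sp[0]);
    waitpid(pid, NULL, 0);
    return n > 0 ? parent_bind(buf, port) : -EIO;
}

int main(void) { return rescan_and_bind("127.0.0.1", 5353) < 0; }
```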