Date: Mon, 15 Nov 1999 08:56:46 -0800
From: Cy Schubert <cschuber@uumail.gov.bc.ca>
To: Peter Wemm <peter@netplex.com.au>
Cc: Bill Fumerola <billf@chc-chimes.com>, Brett Glass <brett@lariat.org>, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
Message-ID: <199911151657.IAA61664@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Fri, 12 Nov 1999 23:45:59 +0800." <19991112154559.DAC251C6D@overcee.netplex.com.au>
In message <19991112154559.DAC251C6D@overcee.netplex.com.au>, Peter Wemm writes:
> Bill Fumerola wrote:
> > On Thu, 11 Nov 1999, Brett Glass wrote:
> >
> > > I assume you mean rc.conf, not named.conf.
> > >
> > > In any case, maybe there should be a "sandbox BIND" flag in rc.conf
> > > that selects a sandboxed configuration and is on by default.
> > > Also, it'd be nice to have the user "named" already in /etc/passwd
> > > and ready to go.
> >
> > bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
> >
> > You mean like that in src/etc/master.passwd?
>
> *Beware* - do not do this if you have dynamic interface configuration, eg
> if you run ppp[d] or anything.  Bind depends on being able to bind to port
> 53 if the interface configuration changes.  This is why it's not on by
> default.

I use the following at home to restart named when I dial into work or my
friend's ISP.  It passes all arguments to named.

	/*
	 * Compile with,
	 *	cc -O2 -o named8_mom named8_mom.c
	 *	strip named8_mom
	 */

	#include <stdio.h>
	#include <stdlib.h>
	#include <signal.h>
	#include <unistd.h>
	#include <sys/time.h>
	#include <sys/resource.h>
	#include <sys/types.h>
	#include <sys/wait.h>

	#define NAMED_PATH	"/usr/local/sbin/named"
	#define MAX_ARGS	60

	void kill_named(int sig);
	void exit_named_mom(int sig);

	/* Cleared by SIGTERM/SIGINT so the loop stops after named exits. */
	volatile sig_atomic_t restart_named = 1;
	/* PID of the running named child, used by the signal handlers. */
	volatile pid_t pid;

	int
	main(int argc, char **argv)
	{
		int status;
		int prio;

		/* named, every argument we were given, "-f" and a NULL. */
		if (argc + 2 > MAX_ARGS) {
			fprintf(stderr, "too many arguments\n");
			exit(1);
		}

		/* Detach: the parent exits, the child runs on as the monitor. */
		if ((pid = fork()) < 0) {
			perror("daemon error");
			exit(1);
		} else if (pid > 0) {
			exit(0);
		}

		/* Become our own process group leader. */
		if (setpgid(0, 0) == -1) {
			perror("setpgid");
			exit(1);
		}

		/* SIGHUP (e.g. from a link-up script) restarts named;
		 * SIGTERM/SIGINT stop named and the monitor. */
		if (signal(SIGHUP, kill_named) == SIG_ERR) {
			perror("error setting SIGHUP");
			exit(1);
		}
		if (signal(SIGTERM, exit_named_mom) == SIG_ERR) {
			perror("error setting SIGTERM");
			exit(1);
		}
		if (signal(SIGINT, exit_named_mom) == SIG_ERR) {
			perror("error setting SIGINT");
			exit(1);
		}

		/* Run the monitor at top priority; named itself keeps
		 * the priority we started with. */
		prio = getpriority(PRIO_PROCESS, 0);
		if (setpriority(PRIO_PROCESS, 0, -20) != 0) {
			perror("main setpriority error");
			exit(1);
		}

		while (restart_named) {
			if ((pid = fork()) == 0) {
				int i;
				char *args[MAX_ARGS];

				if (setpriority(PRIO_PROCESS, 0, prio) != 0) {
					perror("child setpriority error");
					sleep(10);
					_exit(1);
				}
				args[0] = NAMED_PATH;
				for (i = 1; i < argc; i++)
					args[i] = argv[i];
				/* -f keeps named in the foreground so we
				 * can wait on it. */
				args[i++] = "-f";
				args[i] = NULL;
				execv(NAMED_PATH, args);
				perror("execv failed");
				sleep(10);	/* no tight loop if named won't start */
				_exit(1);
			} else if (pid > 0) {
				if (wait(&status) == -1) {
					perror("wait error");
					exit(1);
				}
				/* An abnormal exit stops the monitor instead
				 * of restarting named forever. */
				if (status != 0) {
					fprintf(stderr,
					    "nonzero return code from named\n");
					exit(1);
				}
			} else {
				perror("fork failed");
				exit(1);
			}
		}
		exit(0);
	}

	/* SIGHUP: stop the running named; the main loop starts a new one. */
	void
	kill_named(int sig)
	{
		if (kill(pid, SIGTERM) != 0) {
			perror("named kill failed");
			restart_named = 0;
			exit(1);
		}
	}

	/* SIGTERM/SIGINT: stop named and do not restart it. */
	void
	exit_named_mom(int sig)
	{
		kill_named(sig);
		restart_named = 0;
	}

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"