Date: Mon, 14 Dec 1998 18:43:56 -0800 (PST)
From: Matthew Dillon
Message-Id: <199812150243.SAA50480@apollo.backplane.com>
To: Dag-Erling Smorgrav
Cc: committers@FreeBSD.ORG
Subject: Re: Bind sandbox bogosity

    The first problem is a non-problem, i.e. a bogus warning because HUPing
    named does not change its pid.

    The second problem is real, and I did mention it. However, my feeling
    is that running named in a sandbox is a basic security precaution that
    must be taken and that the vast majority of configurations will not have
    a problem with it.

    It would be nice if there were a way to turn off the interface scanning
    junk, though. named is the only major program I know that does that
    (a Vixie bogosity, in my view).

                                        -Matt

    Matthew Dillon  Engineering, HiWay Technologies, Inc. & BEST Internet
                    Communications & God knows what else.
    (Please include original email in any response)

:
:One side-effect of forcing named to run as bind:bind is that when you
:HUP it, it tries to recreate the pid file (update_pid_file(), which is
:called from load_configuration(), both in ns_config.c), but can't
:because it doesn't have privs any more and /var/run is only writeable
:by root. Another, far more serious, side-effect is that when it
:rescans interfaces (normally every 60 minutes) and finds an interface
:it wasn't already bound to, it'll try to bind to it, and fail
:miserably because only root can bind to port 53.
:
:Solution 1: don't run named as bind:bind (and consequently back out
:            revision 1.64 of src/etc/rc.conf and revisions 1.33 and 1.32 of
:            src/etc/mtree/BSD.root.dist)
:
:Solution 2: hack bind to temporarily regain privs when HUPed.
:
:DES
:--
:Dag-Erling Smorgrav - des@flood.ping.uio.no
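
The pid-file side effect in the quoted message comes from recreating a file under a root-only directory after privileges are gone. The following is an added example, not BIND code and not from either poster, of a common alternative for that one case: open the file while still privileged, keep the descriptor, and rewrite through it on reload. The function names and the /tmp path are hypothetical, and it does not address the port 53 rebinding problem.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: call while still root, before setgid()/setuid().
 * The descriptor stays usable after the privilege drop. */
int pidfile_open(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
}

/* Hypothetical helper: call at startup and again on every SIGHUP reload.
 * Rewrites in place through the open descriptor, so no write access to
 * the directory is needed. Returns 0 on success, -1 on error. */
int pidfile_update(int fd, pid_t pid)
{
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (len < 0 || (size_t)len >= sizeof buf)
        return -1;
    if (ftruncate(fd, 0) == -1)   /* drop any longer, stale contents */
        return -1;
    return pwrite(fd, buf, (size_t)len, 0) == (ssize_t)len ? 0 : -1;
}

/* Read the stored pid back; returns -1 if the file is empty or malformed. */
long pidfile_read(int fd)
{
    char buf[32];
    long pid;
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return sscanf(buf, "%ld", &pid) == 1 ? pid : -1;
}

int main(void)
{
    int fd = pidfile_open("/tmp/example-daemon.pid"); /* constructed path */
    if (fd == -1 || pidfile_update(fd, getpid()) == -1)
        return 1;
    /* setgid()/setuid() to the sandbox account would happen here */
    if (pidfile_update(fd, getpid()) == -1)  /* what a HUP would trigger */
        return 1;
    printf("pid file holds %ld\n", pidfile_read(fd));
    return 0;
}
```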