Date: Fri, 18 Dec 1998 11:54:03 -0800 (PST) From: dima@best.net (Dima Ruban) To: eivind@yes.no (Eivind Eklund) Cc: des@flood.ping.uio.no, Jos.Backus@nl.origin-it.com, committers@FreeBSD.ORG Subject: Re: Bind sandbox bogosity Message-ID: <199812181954.LAA48390@burka.rdy.com> In-Reply-To: <19981217132343.R68793@follo.net> from Eivind Eklund at "Dec 17, 1998 1:23:43 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
Eivind Eklund writes: > On Thu, Dec 17, 1998 at 07:44:37AM +0100, Dag-Erling Smorgrav wrote: > > Jos Backus <Jos.Backus@nl.origin-it.com> writes: > > > On Tue, Dec 15, 1998 at 02:41:17AM +0100, Dag-Erling Smorgrav wrote: > > > > Solution 1: don't run named as bind:bind (and consequently back out > > > > revision 1.64 of src/etc/rc.conf and revisions 1.33 and 1.32 of > > > > src/etc/mtree/BSD.root.dist) > > > > > > > > Solution 2: hack bind to temporarily regain privs when HUPed. > > > > > > Solution 3: hack update_pid_file()/write_open() in ns_config.c to use > > > ftruncate() instead of unlink() and subsequently > > > chown bind:bind /var/run/named.pid. > > > > There are more serious problems with running named in a sandbox which > > your solution doesn't address (e.g. not being able to rescan > > interfaces). > > Can we put DNSSANDBOX (or something like that) in /etc/rc.conf? I > would like to make it very, very easy to make it run in a sandbox... I think it's a good idea. > > Eivind. > -- dima To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199812181954.LAA48390>