Date: Thu, 23 Aug 2001 14:19:21 -0400 (EDT)
From: Mike Silbersack <silby@silby.com>
To: Brian Somers <brian@Awfulhak.org>
Cc: Matt Dillon <dillon@earth.backplane.com>, Chris Dillon <cdillon@wolves.k12.mo.us>, "Andrey A. Chernov" <ache@nagual.pp.ru>, Jun Kuriyama <kuriyama@imgsrc.co.jp>, <cvs-committers@FreeBSD.ORG>, <cvs-all@FreeBSD.ORG>, <brian@freebsd-services.com>
Subject: Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf
Message-ID: <Pine.BSF.4.30.0108231414260.29579-100000@niwun.pair.com>
In-Reply-To: <200108231756.f7NHu3g82765@hak.lan.Awfulhak.org>
On Thu, 23 Aug 2001, Brian Somers wrote:

> > As long as people follow the instructions when setting up secondaries,
> > the sandbox will 'just work'. I think this is doable and reasonable,
> > and I also think that since -stable is going to be with us for a long time
> > we should seriously consider MFCing these changes.
>
> I'd have to object to any such MFC. It'll break people's name servers
> and that's unacceptable in -stable.

Ok, how about if a more relaxed approach is taken:

1. Sandboxing becomes default in -current.
2. rc.conf is amended with some fancy shell scripting that mails root and says "You're not using sandboxing! Read this url and figure it out, it will be the default in 4.5"
3. Sandboxing becomes default in 4.5.

I'm sure this would annoy some people, but it would be a good step forward in proactive security.

The only problem I see is that I'm terrible at shell scripting, someone else would have to do the above. :)

Mike "Silby" Silbersack
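Step 2 of the proposal above, sketched as an added example (not part of the original message and not FreeBSD's rc code). It assumes "sandboxed" means named_flags carries -u with a non-root user; the function names, the "bind" user and the URL placeholder are hypothetical.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc code. Assumption: "sandboxed" means
# named_flags carries -u <non-root user>, so named drops root privileges.

# Print "disabled", "sandboxed" or "unsandboxed" for an rc.conf-style file.
named_sandbox_status() (
    named_enable="NO"; named_flags=""
    if [ -r "$1" ]; then . "$1"; fi
    case "$named_enable" in
        [Yy][Ee][Ss]) ;;
        *) echo disabled; exit 0 ;;
    esac
    set -- $named_flags              # split the flags into words
    while [ $# -gt 0 ]; do
        user=""
        case "$1" in
            -u)   user=${2:-} ;;     # form "-u bind"
            -u?*) user=${1#-u} ;;    # form "-ubind"
        esac
        if [ -n "$user" ] && [ "$user" != root ]; then
            echo sandboxed; exit 0
        fi
        shift
    done
    echo unsandboxed
)

# Print the reminder for root; return 0 only when named runs unsandboxed.
sandbox_reminder() {
    if [ "$(named_sandbox_status "$1")" != unsandboxed ]; then return 1; fi
    printf '%s\n' "You're not using sandboxing for named!" \
        "Read <HOWTO-URL placeholder> and set named_flags (e.g. -u bind)." \
        "Sandboxing will be the default in 4.5."
}

# Constructed sample config. A real hook would pass /etc/rc.conf and pipe
# the output to: mail -s "named sandbox" root
sample=$(mktemp)
printf 'named_enable="YES"\nnamed_flags=""\n' > "$sample"
sandbox_reminder "$sample" || true
rm -f "$sample"
```

A "-u root" setting is reported as unsandboxed, since it does not drop privileges, and a host with named disabled gets no mail.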