From: Kris Kennaway
To: "Andrey A. Chernov"
Cc: Jun Kuriyama, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: Thu, 23 Aug 2001 12:40:33 -0700
Subject: Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf
Message-ID: <20010823124033.A90942@xor.obsecurity.org>
In-Reply-To: <20010823174457.A27360@nagual.pp.ru>
References: <200108231334.f7NDYkK79251@freefall.freebsd.org> <20010823174457.A27360@nagual.pp.ru>

On Thu, Aug 23, 2001 at 05:44:58PM +0400, Andrey A. Chernov wrote:
> On Thu, Aug 23, 2001 at 06:34:46 -0700, Jun Kuriyama wrote:
> > kuriyama 2001/08/23 06:34:46 PDT
> >
> > Modified files:
> > etc/defaults rc.conf
> > etc/mtree BSD.var.dist
> > etc/namedb named.conf
> > Log:
> > Invoke named with privilege of bind:bind.
> > Change pidfile location to /var/run/named/pid.
>
> Was it discussed, or did I miss something? We already have an option to run it
> in the bind sandbox, but as a non-default option. Some functions do not work in
> the bind sandbox; I don't remember exactly at this moment.

With my security officer hat on, I support this change. It is not suitable
for everyone because of the interface binding problem, but since named
requires configuration before it can be used, slightly changing the nature
of that configuration process for some people is a reasonable thing to do,
providing it's documented.

It's well past time we did this, and if there's ever another remote hole in
bind8, we'll all thank Kuriyama-san for doing it.

Kris
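The commit above drops named to the unprivileged bind:bind account and moves its pidfile under /var/run/named. An administrator who wants to confirm that such a change actually took effect on a running host needs two checks: that every named process runs as the expected user, and that the pidfile directory is owned by that user and not world-writable (otherwise another local account could plant a pidfile that a later `kill $(cat pidfile)` would act on). The POSIX sh functions below are an added example written for this note, not code from the commit or from FreeBSD; they assume a ps(1) listing in "user pid command ..." form, and the listing embedded at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a daemon's effective user and its pidfile directory.
# Not part of the original thread; process listing format and sample
# data are assumptions.

# check_daemon_user LISTING DAEMON USER
# LISTING is ps-style text with fields "user pid command [args]".
# Returns 0 only if at least one DAEMON process exists and every one of
# them runs as USER; returns 1 otherwise.
check_daemon_user() {
    listing=$1; daemon=$2; want=$3
    printf '%s\n' "$listing" | awk -v d="$daemon" -v u="$want" '
        # match "named" or any path ending in "/named" in the command field
        $3 ~ ("(^|/)" d "$") { seen = 1; if ($1 != u) bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# check_pidfile_dir DIR USER
# Returns 0 only if DIR is a directory owned by USER and is not
# world-writable (a world-writable pidfile directory lets any local user
# replace the pidfile that rc scripts later trust).
check_pidfile_dir() {
    dir=$1; want=$2
    [ -d "$dir" ] || return 1
    line=$(ls -ld "$dir") || return 1
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    perms=$(printf '%s\n' "$line" | cut -c1-10)
    [ "$owner" = "$want" ] || return 1
    case $perms in
        ????????w?) return 1 ;;   # 9th mode character is "other write"
    esac
    return 0
}

# Constructed sample listing (not real output from any host).
SAMPLE_PS='root 1 /sbin/init
bind 312 /usr/sbin/named -u bind -g bind
root 400 /usr/sbin/sshd'

if check_daemon_user "$SAMPLE_PS" named bind; then
    echo "named: runs as bind"
else
    echo "named: NOT running as bind"
fi
```

On a live system the first argument would come from something like `ps -axo user,pid,command` (BSD) or `ps -eo user,pid,args` (Linux), and the second check would be pointed at the real pidfile directory, e.g. `check_pidfile_dir /var/run/named bind`.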