Date: Thu, 11 Nov 1999 22:09:33 -0700
From: Brett Glass <brett@lariat.org>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc: security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
Message-ID: <4.2.0.58.19991111220759.044f46d0@localhost>
In-Reply-To: <199911112346.PAA65881@cwsys.cwsent.com>
References: <Your message of "Thu, 11 Nov 1999 16:10:53 MST." <4.2.0.58.19991111160840.042469d0@localhost>

I assume you mean rc.conf, not named.conf. In any case, maybe there should be a "sandbox BIND" flag in rc.conf that selects a sandboxed configuration and is on by default. Also, it'd be nice to have the user "named" already in /etc/passwd and ready to go.

--Brett

At 03:46 PM 11/11/1999 -0800, Cy Schubert - ITSD Open Systems Group wrote:

>In message <4.2.0.58.19991111160840.042469d0@localhost>, Brett Glass writes:
> > OpenBSD sandboxes BIND, which means that most of the vulnerabilities in the
> > CERT advisory would be moot.
> >
> > Should the same be done by default in FreeBSD? There's no reason for BIND
> > to be privileged.
>
>Just put something like the following in named.conf.
>
>named_flags="-c /usr/local/etc/namedb/named.conf -u named -g named -t /var/named"
>
>
>Regards,                       Phone:  (250)387-8437
>Cy Schubert                      Fax:  (250)387-5766
>Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
>ITSD                                   Cy.Schubert@gems8.gov.bc.ca
>Province of BC
>                      "e**(i*pi)+1=0"
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
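
A check for the sandboxed configuration discussed in this thread, as an added example that is not part of the original messages: it reads the named_flags line from an rc.conf-style file and reports whether named is started with an unprivileged user (-u) and a chroot directory (-t), the flags shown in the quoted reply. The function names and the sample files are constructed for illustration, and only the single file passed in is examined.

```shell
#!/bin/sh
# Added example: audit an rc.conf-style file for the sandbox flags quoted above.
# Function names are hypothetical; only the one file passed in is examined.

# Print the value of the last named_flags= assignment in file $1, quotes stripped.
get_named_flags() {
    sed -n 's/^[[:space:]]*named_flags=//p' "$1" | tail -n 1 |
        sed -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# Print the word that follows option $1 in flag string $2 (nothing if absent).
flag_arg() {
    opt=$1
    set -f                      # no globbing while the string is word-split
    set -- $2
    set +f
    while [ $# -gt 0 ]; do
        if [ "$1" = "$opt" ]; then
            printf '%s\n' "${2:-}"
            return 0
        fi
        shift
    done
}

# Return 0 only if named is given an unprivileged user and a chroot directory.
audit_named_sandbox() {
    flags=$(get_named_flags "$1")
    user=$(flag_arg -u "$flags")
    jail=$(flag_arg -t "$flags")
    status=0
    case $user in
        ''|root|0|-*) echo "FAIL: no unprivileged user (-u)"; status=1 ;;
        *)            echo "ok:   runs as user $user" ;;
    esac
    case $jail in
        /?*) echo "ok:   chroot to $jail" ;;
        *)   echo "FAIL: no chroot directory (-t)"; status=1 ;;
    esac
    return $status
}

# Constructed sample files: the line from the message, and an empty default.
tmp=$(mktemp -d)
echo 'named_flags="-c /usr/local/etc/namedb/named.conf -u named -g named -t /var/named"' > "$tmp/sandboxed"
echo 'named_flags=""' > "$tmp/default"
audit_named_sandbox "$tmp/sandboxed"
audit_named_sandbox "$tmp/default" || echo "=> named is not sandboxed"
```
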