From owner-freebsd-security  Fri Nov 12  9:30:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP id D8D4B1519E
	for <security@FreeBSD.ORG>; Fri, 12 Nov 1999 09:30:33 -0800 (PST)
	(envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id KAA29096;
	Fri, 12 Nov 1999 10:29:38 -0700 (MST)
Message-Id: <4.2.0.58.19991112102519.045cf510@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Fri, 12 Nov 1999 10:26:43 -0700
To: Peter Wemm <peter@netplex.com.au>,
	Bill Fumerola <billf@chc-chimes.com>
From: Brett Glass <brett@lariat.org>
Subject: Re: Why not sandbox BIND? 
Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>,
	security@FreeBSD.ORG
In-Reply-To: <19991112154559.DAC251C6D@overcee.netplex.com.au>
References: <Your message of "Fri, 12 Nov 1999 09:22:52 EST." <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It'd be a shame if a PPP dial-up server couldn't sandbox BIND,
since it's a good idea to keep a DNS server as close to the
dial-ups as possible. Any ideas about how one might work around
this, short of going to a capabilities-based security model?

--Brett

At 11:45 PM 11/12/1999 +0800, Peter Wemm wrote:

>*Beware* - do not do this if you have dyanmic interface configuration, eg
>if you run ppp[d] or anything.  Bind depends on being able to bind to port
>53 if the interface configuration changes.  This is why it's not on by
>default.
>
>Cheers,
>-Peter




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message