Date: Fri, 12 Nov 1999 10:26:43 -0700 From: Brett Glass <brett@lariat.org> To: Peter Wemm <peter@netplex.com.au>, Bill Fumerola <billf@chc-chimes.com> Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, security@FreeBSD.ORG Subject: Re: Why not sandbox BIND? Message-ID: <4.2.0.58.19991112102519.045cf510@localhost> In-Reply-To: <19991112154559.DAC251C6D@overcee.netplex.com.au> References: <Your message of "Fri, 12 Nov 1999 09:22:52 EST." <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.com>
next in thread | previous in thread | raw e-mail | index | archive | help
It'd be a shame if a PPP dial-up server couldn't sandbox BIND, since it's a good idea to keep a DNS server as close to the dial-ups as possible. Any ideas about how one might work around this, short of going to a capabilities-based security model? --Brett At 11:45 PM 11/12/1999 +0800, Peter Wemm wrote: >*Beware* - do not do this if you have dyanmic interface configuration, eg >if you run ppp[d] or anything. Bind depends on being able to bind to port >53 if the interface configuration changes. This is why it's not on by >default. > >Cheers, >-Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.2.0.58.19991112102519.045cf510>