Date: Sun, 25 Jul 1999 22:02:19 -0700 (PDT) From: Matthew Dillon <dillon@apollo.backplane.com> To: Mike Hoskins <mike@snafu.adept.org> Cc: Sue Blake <sue@welearn.com.au>, security@FreeBSD.ORG Subject: Re: sandbox?? Message-ID: <199907260502.WAA42888@apollo.backplane.com> References: <Pine.BSF.4.10.9907251539570.24644-100000@snafu.adept.org>
next in thread | previous in thread | raw e-mail | index | archive | help
:I run BIND in a sandbox on my 3.2-R and 4.0-C systems and it works great.
:Rather than setting up a non-standard chroot() area I just kept
:/etc/namedb around, did a 'chgrp bind /etc/namedb', 'chmod 774
:/etc/namedb', and added a 'pid-file "/etc/namedb/named.pid";' entry to
:named.conf so named wouldn't need access to /var/run.
:
:Mike Hoskins
:<mike@adept.org>
Ouch, I wouldn't do that! Leave the files and directories that named
only reads owned by root and modes 644 or 755. Only files and directories
that named *writes* needs to be owned by the sandbox... that usually means
the secondary zone directory, which I usually create a subdirectory for.
For the same reason, named and its support binaries should be owned by
root even if run as user bind.
-Matt
Matthew Dillon
<dillon@backplane.com>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199907260502.WAA42888>