From owner-cvs-all  Mon Dec 14 17:41:28 1998
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id RAA17116
          for cvs-all-outgoing; Mon, 14 Dec 1998 17:41:28 -0800 (PST)
          (envelope-from owner-cvs-all@FreeBSD.ORG)
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA17106
          for <committers@FreeBSD.ORG>; Mon, 14 Dec 1998 17:41:24 -0800 (PST)
          (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.1/8.9.1) id CAA06503;
	Tue, 15 Dec 1998 02:41:18 +0100 (CET)
	(envelope-from des)
To: committers@FreeBSD.ORG
Subject: Bind sandbox bogosity
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Date: 15 Dec 1998 02:41:17 +0100
Message-ID: <xzpvhjembb6.fsf@flood.ping.uio.no>
Lines: 18
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

One side-effect of forcing named to run as bind:bind is that when you
HUP it, it tries to recreate the pid file (update_pid_file(), which is
called from load_configuration(), both in ns_config.c), but can't
because it doesn't have privs any more and /var/run is only writeable
by root. Another, far more serious, side-effect is that when it
rescans interfaces (normally every 60 minutes) and finds an interface
it wasn't already bound to, it'll try to bind to it, and fail
miserably because only root can bind to port 53.

Solution 1: don't run named as bind:bind (and consequently back out
  revision 1.64 of src/etc/rc.conf and revisions 1.33 and 1.32 of
  src/etc/mtree/BSD.root.dist)

Solution 2: hack bind to temporarily regain privs when HUPed.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message