Date: Thu, 1 Feb 2001 01:38:08 +0200 (IST) From: Roman Shterenzon <roman@xpert.com> To: <freebsd-security@freebsd.org> Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind Message-ID: <Pine.LNX.4.30.0102010132360.3617-100000@jamus.xpert.com> In-Reply-To: <20010131145423.H26076@fw.wintelcom.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 31 Jan 2001, Alfred Perlstein wrote: > * Brian Behlendorf <brian@collab.net> [010131 14:47] wrote: > > On Wed, 31 Jan 2001, Alfred Perlstein wrote: > > > * Roman Shterenzon <roman@xpert.com> [010131 13:56] wrote: > > > > On Wed, 31 Jan 2001, FreeBSD Security Advisories wrote: > > > > > > > > > ============================================================================= > > > > > FreeBSD-SA-01:18 Security Advisory > > > > > > > > > > Topic: BIND remotely exploitable buffer overflow > > > > ..snip.. > > > > > > > > Why not make it default in the base system? > > > > > > It has been, but only for several days. > > > > I think he meant, why not set those recommendations for running as user > > "bind" and in a chroot jail as the default? Unless I'm missing something, > > that's not the case currently: > > > > [yez] 2:47pm ~ > fgrep -i named_flag /etc/defaults/rc.conf > > named_flags="" # Flags for named > > #named_flags="-u bind -g bind" # Flags for named > > Since named supports a command line option for chroot as well > as user flags (-t) it would be trivial to have it the defaultt. > > It's pretty much a toss-up between usability and security. It's more secure than "unusable" :) > I guess this is the final blow for me, and I think we should > run bind in a sandbox at this point, I'm just worried about > confusing newbies who wish to set it up. That was my point. > If anyone has a proposal on doing it by default that doesn't > impact ease of use (or if already doesn't impact it) then I'm > for it. Change /etc/defaults/rc.conf and tweak named installation to chown /var/named; add user named and group named to shipping /etc/passwd and /etc/group > What I'm worrying about specifically is ndc and other utilities > basically are unix domain sockets not in the expected place all of > sudden? Hmm.. interesting point. I guess they are created in /var/named which is accessible from the outer world. --Roman Shterenzon, UNIX System Administrator and Consultant [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.30.0102010132360.3617-100000>