Skip site navigation (1)Skip section navigation (2)
Date:      01 Feb 2001 19:31:43 +0100
From:      Dag-Erling Smorgrav <des@ofug.org>
To:        Stefan Molnar <stefan@csudsu.com>
Cc:        Gordon Tetlow <gordont@bluemtn.net>, Vivek Khera <khera@kciLink.com>, <stable@FreeBSD.ORG>
Subject:   Re: chrooting bind
Message-ID:  <xzpk87auueo.fsf@flood.ping.uio.no>
In-Reply-To: Stefan Molnar's message of "Thu, 1 Feb 2001 10:26:44 -0800 (PST)"
References:  <Pine.BSF.4.31.0102011024300.4036-100000@digital.csudsu.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Stefan Molnar <stefan@csudsu.com> writes:
> I see where you are coming from now.   On this system I attempted
> to be more complete, basicly give it everything

That totally defeats the point of running in a sandbox.

>                                                  and attempt to
> depend on nothing outside the sandbox.

The point is to have as little as possible inside the sandbox. You
need named-xfer if you have slave zones, but you do not need any other
binaries, you do not need any libraries (link named-xfer statically!)
and you certainly don't need any device nodes.

ANYTHING YOU PUT IN THE SANDBOX WILL BE AVAILABLE TO INTRUDERS WHEN
THEY BREAK INTO YOUR SYSTEM.
 
DES
-- 
Dag-Erling Smorgrav - des@ofug.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzpk87auueo.fsf>