Date: Thu, 1 Feb 2001 10:40:12 -0800 (PST)
From: Stefan Molnar <stefan@csudsu.com>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Gordon Tetlow <gordont@bluemtn.net>, Vivek Khera <khera@kciLink.com>, <stable@FreeBSD.ORG>
Subject: Re: chrooting bind
Message-ID: <Pine.BSF.4.31.0102011038530.4036-100000@digital.csudsu.com>
In-Reply-To: <xzpk87auueo.fsf@flood.ping.uio.no>

I am not putting the entire kitchen sink in there.

On 1 Feb 2001, Dag-Erling Smorgrav wrote:

> Stefan Molnar <stefan@csudsu.com> writes:
> > I see where you are coming from now. On this system I attempted
> > to be more complete, basically give it everything
>
> That totally defeats the point of running in a sandbox.
>
> > and attempt to
> > depend on nothing outside the sandbox.
>
> The point is to have as little as possible inside the sandbox. You
> need named-xfer if you have slave zones, but you do not need any other
> binaries, you do not need any libraries (link named-xfer statically!)
> and you certainly don't need any device nodes.
>
> ANYTHING YOU PUT IN THE SANDBOX WILL BE AVAILABLE TO INTRUDERS WHEN
> THEY BREAK INTO YOUR SYSTEM.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
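
An added example, not part of the original message: a POSIX shell check that reports device nodes, shared libraries and any file missing from an explicit allowlist inside a sandbox directory, following the minimal-content rule stated in the quoted reply. The function names, the allowlist format and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a named sandbox for excess content.
# Usage: audit.sh SANDBOX_ROOT ALLOWLIST
#   ALLOWLIST holds one permitted path per line, relative to SANDBOX_ROOT.

# List entries under $1 that match the find(1) expression given in the
# remaining arguments, as paths relative to the sandbox root.
list() {
    ( cd "$1" && shift && find . "$@" ) | sed 's|^\./||'
}

# Print one finding per line; return 0 if clean, 1 on findings, 2 on bad input.
audit_sandbox() {
    root=$1 allow=$2
    [ -d "$root" ] && [ -r "$allow" ] || return 2
    findings=$(
        # Device nodes: the reply says none are needed.
        list "$root" \( -type b -o -type c \) | sed 's/^/DEVICE /'
        # Shared libraries: unnecessary when named-xfer is linked statically.
        list "$root" ! -type d \( -name '*.so' -o -name '*.so.*' \) |
            sed 's/^/LIBRARY /'
        # Everything else must be explicitly allowed.
        list "$root" ! -type d | grep -vxF -f "$allow" | sed 's/^/UNLISTED /'
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (all paths are assumptions): a minimal sandbox
# plus two extras that the audit should report.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root/etc/namedb" "$d/root/libexec" "$d/root/usr/lib" "$d/root/bin"
    : > "$d/root/etc/namedb/named.conf"
    : > "$d/root/libexec/named-xfer"
    : > "$d/root/usr/lib/libc.so.4"   # extra: shared library
    : > "$d/root/bin/sh"              # extra: a shell
    printf '%s\n' etc/namedb/named.conf libexec/named-xfer > "$d/allow"
    echo "$d"
}

if [ $# -eq 2 ]; then audit_sandbox "$1" "$2"; fi
```

Run against the constructed tree (`d=$(make_sample); audit_sandbox "$d/root" "$d/allow"`), it reports the library and the shell and exits 1; once those are removed it prints nothing and exits 0.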