From owner-cvs-all  Thu Dec 17 04:24:13 1998
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id EAA18464
          for cvs-all-outgoing; Thu, 17 Dec 1998 04:24:13 -0800 (PST)
          (envelope-from owner-cvs-all@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA18446
          for <committers@FreeBSD.ORG>; Thu, 17 Dec 1998 04:24:02 -0800 (PST)
          (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218])
	by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id NAA10340;
	Thu, 17 Dec 1998 13:23:44 +0100 (CET)
Received: (from eivind@localhost)
	by bitbox.follo.net (8.8.8/8.8.6) id NAA90808;
	Thu, 17 Dec 1998 13:23:43 +0100 (MET)
Message-ID: <19981217132343.R68793@follo.net>
Date: Thu, 17 Dec 1998 13:23:43 +0100
From: Eivind Eklund <eivind@yes.no>
To: Dag-Erling Smorgrav <des@flood.ping.uio.no>,
        Jos Backus <Jos.Backus@nl.origin-it.com>
Cc: committers@FreeBSD.ORG
Subject: Re: Bind sandbox bogosity
References: <xzpvhjembb6.fsf@flood.ping.uio.no> <19981216222430.A93098@hal.mpn.cp.philips.com> <xzpempzi7xm.fsf@flood.ping.uio.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <xzpempzi7xm.fsf@flood.ping.uio.no>; from Dag-Erling Smorgrav on Thu, Dec 17, 1998 at 07:44:37AM +0100
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

On Thu, Dec 17, 1998 at 07:44:37AM +0100, Dag-Erling Smorgrav wrote:
> Jos Backus <Jos.Backus@nl.origin-it.com> writes:
> > On Tue, Dec 15, 1998 at 02:41:17AM +0100, Dag-Erling Smorgrav wrote:
> > > Solution 1: don't run named as bind:bind (and consequently back out
> > >   revision 1.64 of src/etc/rc.conf and revisions 1.33 and 1.32 of
> > >   src/etc/mtree/BSD.root.dist)
> > > 
> > > Solution 2: hack bind to temporarily regain privs when HUPed.
> > 
> > Solution 3: hack update_pid_file()/write_open() in ns_config.c to use
> >             ftruncate() instead of unlink() and subsequently
> > 	    chown bind:bind /var/run/named.pid.
> 
> There are more serious problems with running named in a sandbox which
> your solution doesn't address (e.g. not being able to rescan
> interfaces).

Can we put DNSSANDBOX (or something like that) in /etc/rc.conf?  I
would like to make it very, very easy to make it run in a sandbox...

Eivind.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message