Date:      Thu, 17 Dec 1998 13:23:43 +0100
From:      Eivind Eklund <eivind@yes.no>
To:        Dag-Erling Smorgrav <des@flood.ping.uio.no>, Jos Backus <Jos.Backus@nl.origin-it.com>
Cc:        committers@FreeBSD.ORG
Subject:   Re: Bind sandbox bogosity
Message-ID:  <19981217132343.R68793@follo.net>
In-Reply-To: <xzpempzi7xm.fsf@flood.ping.uio.no>; from Dag-Erling Smorgrav on Thu, Dec 17, 1998 at 07:44:37AM +0100
References:  <xzpvhjembb6.fsf@flood.ping.uio.no> <19981216222430.A93098@hal.mpn.cp.philips.com> <xzpempzi7xm.fsf@flood.ping.uio.no>

On Thu, Dec 17, 1998 at 07:44:37AM +0100, Dag-Erling Smorgrav wrote:
> Jos Backus <Jos.Backus@nl.origin-it.com> writes:
> > On Tue, Dec 15, 1998 at 02:41:17AM +0100, Dag-Erling Smorgrav wrote:
> > > Solution 1: don't run named as bind:bind (and consequently back out
> > >   revision 1.64 of src/etc/rc.conf and revisions 1.33 and 1.32 of
> > >   src/etc/mtree/BSD.root.dist)
> > > 
> > > Solution 2: hack bind to temporarily regain privs when HUPed.
> > 
> > Solution 3: hack update_pid_file()/write_open() in ns_config.c to use
> >             ftruncate() instead of unlink() and subsequently
> >             chown bind:bind /var/run/named.pid.
> 
> There are more serious problems with running named in a sandbox which
> your solution doesn't address (e.g. not being able to rescan
> interfaces).

Can we put DNSSANDBOX (or something like that) in /etc/rc.conf?  I
would like to make it very, very easy to make it run in a sandbox...

Eivind.
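
An added illustration of the ftruncate() approach quoted above as Solution 3 (not part of the original message and not BIND's code): a process that has dropped privileges rewrites a pid file that was pre-created and chowned for it, so it needs write permission on the file only, not on the directory. The function names and the demo path are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Rewrite an existing pid file in place. No O_CREAT and no unlink(), so the
 * caller needs write permission on the file only, not on its directory. */
int update_pid_file(const char *path, pid_t pid)
{
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;              /* e.g. ENOENT: file was not pre-created */
    if (ftruncate(fd, 0) != 0 || write(fd, buf, (size_t)len) != len) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* Constructed demo: pre-create the file (the step a privileged startup would
 * do, followed by chown), update it twice, and check that the inode did not
 * change. Returns the pid read back, or -1 on any failure. */
long demo_roundtrip(const char *path)
{
    struct stat before, after;
    long got = -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0 || close(fd) != 0 || stat(path, &before) != 0)
        return -1;
    if (update_pid_file(path, 99999) != 0 || update_pid_file(path, getpid()) != 0)
        return -1;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &got) != 1)
        got = -1;
    fclose(f);
    if (stat(path, &after) != 0 || after.st_ino != before.st_ino)
        got = -1;               /* a changed inode would mean unlink+recreate */
    unlink(path);
    return got;
}
```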

