Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 21 Dec 1998 16:33:37 -0800 (PST)
From:      Studded <Studded@gorean.org>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        Dag-Erling Smorgrav <des@flood.ping.uio.no>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject:   Re: cvs commit: src/etc rc.conf
Message-ID:  <Pine.BSF.4.05.9812211628170.5002-100000@dt053n73.san.rr.com>
In-Reply-To: <199812212012.MAA47267@apollo.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Mon, 21 Dec 1998, Matthew Dillon wrote:

> 
> :Complaints? The naked truth is that it will not work in any but the
> :simplest setups, unless you add code to named to temporarily regain
> :privs before updating the pid file or rescanning interfaces. Doing so
> :will void any security the sandbox may give you, since it will make it
> :possible for hypothetical buffer overflow exploits to regain privs.
> 
>     My estimate is that the sandbox would work just fine on 99% of the 
>     FreeBSD installations out there.  The basic problem is that Paul Vixie
>     doesn't take sandboxes seriously so he doesn't bother fixing the crappy
>     interface scanning or UDP binding code to allow the use of a single IP.

	The docs clearly state that the whole concept of running bind as
an unprivileged user is a work in progress. There is more of it in 8.1.2
than there was in 8.1.1, and indications of the future plans. Given the
sorry state of funding for ISC projects (something which Vixie has no
control over) the fact that any work gets done on it is a plus. 



> Instead, bind goes out of its way to fart around with interface scanning
>     and rescanning and all sorts of shit that it doesn't need to do.

	Not if you make the proper changes to named.conf. 

	I haven't taken a serious look at the "sandbox" stuff for named in
a while, but both first impressions and traffic on the various bind
discussion groups indicates that it's doable for most installations. I'm
sorry that I didn't catch this effort on our part sooner, but one only has
so many hours in the day.

Doug
-- 
     Now you sailors know where your women come for love.
          "Zoot Suit Riot" - Cherry Poppin' Daddies



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.9812211628170.5002-100000>