Re: Why not sandbox BIND?

kupek (kupekslipstreams.net)
Sat, 13 Nov 1999 00:01:36 -0800

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: Mark D. Anderson: "SYN flood and freebsd?"
• Previous message: Nate Williams: "Re: Why not sandbox BIND?"
• In reply to: Pierre Beyssac: "Re: Why not sandbox BIND?"

True, BIND can't be sandbox'd by default. But as someone said earlier, it
should be pretty simple to add an option for rc.conf that will let people
sandbox bind, and a warning that they shouldn't do it with a dynamic IP..
true, its not necessary, but it would probably be helpful to at least a few
people.

----- Original Message -----
From: Matthew Dillon <dillonapollo.backplane.com>
To: Barry Irwin <bvirucus.ru.ac.za>
Subject: Re: Why not sandbox BIND?

:> > --Brett
:>
:> You are _quite_ a way behind. I believe that almost all of the 3.X
releases
:> have had this ability. (If you're running later mergemaster is your
friend ;)
:
:3.2 System CVSup'd doesnt have it by default
:su-2.03# cat /etc/passwd | grep named
:su-2.03# uname -a
:FreeBSD shagrat.moria.org 3.3-STABLE FreeBSD 3.3-STABLE #0: Thu Oct 21

    Try greping for 'bind', not 'named'. And it would have to be a fresh
    install rather then an upgrade. There is also a newly added 'bind'
group.

    3.x also has the ability to sandbox comsat and ntalk and, in fact, this
    is the default now for these programs. We can't do the same for bind
    because certain aspects of the program (such as rebinding for dynamic
    interface changes) fail to operate properly in a sandboxed environment.

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Next message: Mark D. Anderson: "SYN flood and freebsd?"
• Previous message: Nate Williams: "Re: Why not sandbox BIND?"
• In reply to: Pierre Beyssac: "Re: Why not sandbox BIND?"

This archive was generated by hypermail 2.0b3 on Sat Nov 13 1999 - 01:59:43 CST