Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind

From: David Wolfskill (dhw@whistle.com)
Date: 02/01/01


Date: Wed, 31 Jan 2001 15:25:20 -0800 (PST)
From: David Wolfskill <dhw@whistle.com>
To: freebsd-security@freebsd.org


>Date: Wed, 31 Jan 2001 15:15:31 -0800
>From: Alfred Perlstein <bright@wintelcom.net>

>> Quite a few people have been using the sandbox options in the
>> last year without any ill effects (I was the original author of
>> the feature). The only issue is that you cannot HUP named (it will
>> not be able to rebind its sockets), you can only restart it, and
>> you have to supply the proper options to ndc when restarting it
>> (-u bind -g bind). I usually restart it anyway (I don't trust the
>> named HUP code).

>> I think we can easily make it the default.

>If it breaks HUP, then not really. :)

janus# ps -axwwl|grep named
   53 21965 1 0 2 0 2352 1176 select Is ?? 0:09.82 /usr/sbin/named -u bind -g bind
    0 25313 289 2 -6 0 944 472 piperd S+ p0 0:00.01 grep named
janus# ndc reload
Reload initiated.
janus# uname -a
FreeBSD janus.catwhisker.org 3.2-RELEASE FreeBSD 3.2-RELEASE #0: Wed Jan 24 07:08:56 PST 2001 root@bunrab.catwhisker.org:/usr/src/sys/compile/JANUS i386
janus#

(Note that uid "53" is that of "bind", not "root".)

Meanwhile, in /var/log/messages:

Jan 31 15:19:52 janus named[21965]: reloading nameserver
Jan 31 15:19:52 janus named[21965]: Ready to answer queries.

The other thing I did:

janus# ls -ld /var/run
drwxrwxrwt 2 root wheel 512 Jan 31 15:19 /var/run
janus# !!/named*
ls -ld /var/run/named*
-rw-r--r-- 1 bind bind 6 Jan 31 15:19 /var/run/named.pid
janus#

(The machine does not have "general logins" at all.)

>I'm not sure how bind handles restarts, but even if it exec(2)s over
>itself it can track the fd open for its socket and shouldn't have to
>rebind it.

Seems to work for me.

Note I'm not trying to use the chroot() environment, nor a jail; just a
little sandbox. (Oh, yeah: I set up /var/named as the directory for
BIND to play with, because I have / & /usr mounted read-only.)

Cheers,
david

-- 
David Wolfskill      dhw@whistle.com   UNIX System Administrator
Desk: 650/577-7158   TIE: 8/499-7158   Cell: 650/759-0823
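
Alfred's suggestion above (keep the descriptor for the already-bound socket instead of rebinding it), sketched in C as an added example; it is not from the original thread and is not BIND's code. The `listener` struct and both function names are hypothetical, and the demo uses a kernel-chosen UDP port so it runs without root.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct listener {             /* hypothetical bookkeeping, not BIND's own */
    struct sockaddr_in addr;  /* address the socket is actually bound to */
    int fd;                   /* -1 when nothing is bound */
};

/* Bind a UDP socket to ip:port. Returns the fd, or -1 with errno set
 * (EACCES for a port below 1024 once the process is no longer root). */
static int open_listener(struct listener *l, const char *ip, unsigned short port) {
    socklen_t len = sizeof(l->addr);
    memset(l, 0, sizeof(*l));
    l->fd = -1;
    l->addr.sin_family = AF_INET;
    l->addr.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &l->addr.sin_addr) != 1) return -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&l->addr, len) < 0 ||
        getsockname(fd, (struct sockaddr *)&l->addr, &len) < 0) {
        close(fd);
        return -1;
    }
    return l->fd = fd;        /* addr now holds the real port, even if 0 was asked */
}

/* Reload step: 1 = same address, fd kept (no bind(2) needed);
 * 0 = address changed and rebound; -1 = rebind failed, old fd kept. */
static int reload_listener(struct listener *l, const char *ip, unsigned short port) {
    struct in_addr want;
    struct listener fresh;
    if (inet_pton(AF_INET, ip, &want) != 1) return -1;
    if (l->fd >= 0 && want.s_addr == l->addr.sin_addr.s_addr &&
        htons(port) == l->addr.sin_port) return 1;
    if (open_listener(&fresh, ip, port) < 0) return -1;
    if (l->fd >= 0) close(l->fd);
    *l = fresh;
    return 0;
}

int main(void) {
    struct listener l;        /* port 0: kernel picks one, so no root needed */
    if (open_listener(&l, "0.0.0.0", 0) < 0) return 1;
    return reload_listener(&l, "0.0.0.0", ntohs(l.addr.sin_port)) != 1;
}
```

Because a failed rebind leaves the old descriptor in place, a reload that cannot bind a new address after privileges are dropped degrades to the previous listener set instead of leaving the server with no socket.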