Message-Id: <200206152333.g5FNX3aS098177@www.freebsd.org>
Date: Sat, 15 Jun 2002 16:33:03 -0700 (PDT)
From: Brett Glass <brett@lariat.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Sandboxing BIND difficult and error-prone
X-Send-Pr-Version: www-1.0

>Number:         39355
>Category:       bin
>Synopsis:       Sandboxing BIND difficult and error-prone
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 15 16:40:01 PDT 2002
>Closed-Date:    Sat Jun 15 23:38:38 PDT 2002
>Last-Modified:  Sat Jun 15 23:38:38 PDT 2002
>Originator:     Brett Glass
>Release:        All recent releases
>Organization:
>Environment:
>Description:
The procedure for sandboxing BIND, as listed in the FreeBSD Handbook, requires files to be moved, permissions to be changed, directories to be created, configuration changes to be made.... All by hand. There are more than 20 steps to perform on 4.x out of the box, all fraught with potential errors.


>How-To-Repeat:
I can never repeat the problem exactly, because I make a different typo every time. ;-)
>Fix:
Ideally, the default install would be set up so that BIND was sandboxed from the get-go, or (at least) so that one could throw a switch in rc.conf to make it happen. Who maintains the BIND that's bundled with FreeBSD? Can we make this happen?
>Release-Note:
>Audit-Trail:

From: "."@babolo.ru
To: brett@lariat.org (Brett Glass)
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/39355: Sandboxing BIND difficult and error-prone
Date: Sun, 16 Jun 2002 05:44:07 +0400 (MSD)

 Brett Glass writes:
 > >Number:         39355
 > >Category:       bin
 > >Synopsis:       Sandboxing BIND difficult and error-prone
 > >Originator:     Brett Glass
 > >Release:        All recent releases
 > >Organization:
 > >Environment:
 > >Description:
 > The procedure for sandboxing BIND, as listed in the FreeBSD Handbook, requires files to be moved, permissions to be changed, directories to be created, configuration changes to be made.... All by hand. There are more than 20 steps to perform on 4.x out of the box, all fraught with potential errors.
 > 
 > 
 > >How-To-Repeat:
 > I can never repeat the problem exactly, because I make a different typo every time. ;-)
 > >Fix:
 > Ideally, the default install would be set up so that BIND was sandboxed from the get-go, or (at least) so that one could throw a switch in rc.conf to make it happen. Who maintains the BIND that's bundled with FreeBSD? Can we make this happen?
 
 See PR/38593 with fix
 
 -- 
 @BABOLO      http://links.ru/
State-Changed-From-To: open->closed 
State-Changed-By: dougb 
State-Changed-When: Sat Jun 15 23:36:52 PDT 2002 
State-Changed-Why:  

This isn't even close to a PR, it's a wishlist. Several of 
us have a few ideas on how to accomplish this, but it's 
waiting on us having the time to finish. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=39355 
>Unformatted:
