Date: Fri, 1 Dec 2000 15:52:21 +0900 (JST)
From: Minoru Oikawa <mino@bb.imagica.co.jp>
Message-Id: <200012010652.PAA07091@serv1.hq.imagica.co.jp>
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: FreeBSD-users-jp@jp.freebsd.org
Reply-To: FreeBSD-users-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: FreeBSD-users-jp 57174
Subject: [FreeBSD-users-jp 57174] Re: On the meaning of sandbox
Errors-To: owner-FreeBSD-users-jp@jp.freebsd.org
Sender: owner-FreeBSD-users-jp@jp.freebsd.org
X-Originator: mino@bb.imagica.co.jp

Hi there, hello! It's big brother Minoru.
No calling me "old man"! I might get furious and do a SYN attack
or something. Just kidding.

> Date: Fri, 01 Dec 2000 10:34:14 +0900
> From: Takeshi Nishioka <ml@tokyo-club.com>
> Message-Id: <20001201101756.FD5A.ML@tokyo-club.com>

> sandbox$B$O!"(BR&D$BItLg$N?M4V$O!"CN$C$F$*$/$Y$-Ev$?$jA0$NC18l$H$7$+M}2r$G$-$^(B
> $B$;$s$G$7$?!&!&!&!#6qBNE*$J0UL#$O!"=q$$$F$$$J$$$h$&$J5$$,$9$k$N$G$9$,!#(B

Takeshi-kun, did you follow all the links and read those too, I wonder?
That thing is what's called a "joke", so once you read all of it you
arrive at an "aha!" kind of understanding!
For the person who wrote it, spelling the point out in plain words would
have been vulgar! Big brother Minoru thought that would be vulgar too.

Were there some friends for whom the "aha!" didn't come? For those
friends, the brain function called "imagination" has stopped working, so
have your mother take you to the hospital!

When you've stayed up so late that you're close to being a corpse, eat
some Ajanta curry and read it once more, and the "aha!" sometimes comes!

Takeshi-kun, you don't actually care about the original meaning of
sandbox, and you didn't want a commentary on slang either, did you?
What you really wanted to know was what a nice way to run named looks
like, right? Well then, let's ask it that way from now on!

-!-

> /etc/namedb/named.conf contains the following note.
> 
> // NOTE!!! FreeBSD runs bind in a sandbox (see named_flags in rc.conf).
> // The directory containing the secondary zones must be write accessible

Read this one as a "joke" too and you can see what it is trying to say,
that's the trick. My, how stylish, spoken like a true Edokko!

# Hard to tell what that is trying to say.

-!-

Er, back to normal mode. This is Oikawa%wall-guy@IMAGICA.

Normally, isn't named, or for that matter httpd and squid too, something
you run under chroot(2)?

 BIND8 $B$+$i$O(B -t $B$b(B -g,-u $B$b$"$k$N$G!"(Bchroot(2) $B$9$k$H$$$C$F(B
$B$b<j4V$O%*%W%7%g%s5-=R$@$1$J$N$G$A$c$C$A$c$HA4It$d$C$A$c$$$^(B
$B$;$s$+(B?

Maybe I'm a special case because I'm the wall guy. Even on the inside,
surrounded by the wall, I'd hate to have other people mess with things.

So, are -u and -g specific to FreeBSD? They aren't, are they.
That's why I keep saying this is the part where you laugh.

Also, with no -t, if by some chance someone gets in through a hole and
can do anything: it runs with -u bind -g bind, and yet chown bind.bind...
Well, then everything under /etc/namedb/s can be rewritten at will.
That does not make sandbox == an isolated environment. It isn't isolated.
That's why I keep saying this, right here, is the part where you laugh.

Liiike I said, I want you to laugh!

# Are you too swamped to be able to laugh?

--- mino
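
The following is an added example, not part of the original mail: a small sh check that reads named_flags from rc.conf text and reports whether named gets the -t chroot the mail asks for or only the -u/-g user switch. The function names, the sample rc.conf line and the directory /var/named-root are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail). The rc.conf sample is
# constructed; /var/named-root is a hypothetical chroot directory.

# Print the value of the last uncommented named_flags="..." line on stdin.
named_flags_from_rcconf() {
    sed -n 's/^named_flags="\([^"]*\)".*/\1/p' | tail -n 1
}

# Classify a named_flags string by the confinement it gives named:
#   chroot+uid   -t with -u: unprivileged and confined to one directory tree
#   uid-only     -u/-g without -t: unprivileged, but it still sees the whole
#                filesystem and can rewrite whatever that user owns
#                (the /etc/namedb/s case in the mail)
#   chroot-only  -t without -u: confined, but still root inside the tree
#   none         root, no confinement
classify_named_flags() {
    user="" root=""
    set -- $1                      # split the flag string into words
    while [ $# -gt 0 ]; do
        case "$1" in
            -u) user="${2-}"; [ $# -gt 1 ] && shift ;;
            -t) root="${2-}"; [ $# -gt 1 ] && shift ;;
            -g) [ $# -gt 1 ] && shift ;;   # group does not change the verdict
        esac
        shift
    done
    if [ -n "$root" ] && [ -n "$user" ]; then echo "chroot+uid"
    elif [ -n "$user" ]; then echo "uid-only"
    elif [ -n "$root" ]; then echo "chroot-only"
    else echo "none"
    fi
}

# Constructed sample: the flag string the mail discusses.
printf 'named_flags="-u bind -g bind"\n' | named_flags_from_rcconf |
    { read -r f; echo "verdict: $(classify_named_flags "$f")"; }
```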
