Running BIND in a Sandbox
As you saw in Chapter 27, “Configuring an FTP Server,” it’s often advisable (for security purposes) to run certain services within what’s known as a sandbox, or a directory structure that’s been pruned off so as to appear that it’s all that exists in the filesystem. In FTP, this is known as a chroot jail; the effective “root” of the filesystem is changed so that the server and the processes it creates cannot see outside their own directory structure above a certain point. BIND provides the same kind of capability, although most of the documentation refers to it as a “sandbox” rather than as a “chroot jail.” The concept is the same, however.
FreeBSD runs named in a sandbox by default. (This is a precaution that was taken ...
Get FreeBSD6 Unleashed now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.