Subject: Re: bind running as root in Mandrake 7.0
From: Elias Levy (aleph1 at SECURITYFOCUS.COM)
Date: Thu Jun 08 2000 - 13:40:25 CDT
- Next message: Elias Levy: "Re: [rootshell.com] Xterm DoS Attack"
- Previous message: frostman at SECUREACCESS.INTRANETS.COM: "Piranha password file"
- Next in thread: Nathan Neulinger: "Re: bind running as root in Mandrake 7.0"
- Reply: Nathan Neulinger: "Re: bind running as root in Mandrake 7.0"
This is a summary of the last responses in this thread. I am killing
this thread here.
Jim Knoble <jmknoble at pint-stowp.cx>:
Those really interested in a secure DNS server ought to forget trying to secure BIND and use D. J. Bernstein's dnscache package instead:
Its "regular" DNS server, tinydns, runs as a non-root user in a chrooted
environment by default. Read the website for more info about security,
dnscache, and BIND.
Thomas Novin <thnov at thalamus.se>:
>Debian Slink and Potato (frozen) both install BIND 8.2.2R5 as root.
Slackware also, as long as I can remember. Same goes for the latest version,
7.0-current.
"Andrew L. Davis" <adavis at THREKSTUN.NET>:
> Debian Slink and Potato (frozen) both install BIND 8.2.2R5 as root.
There was a long standing discussion on this which basically boils down to the
fact that if you obtain your address dynamically or have dynamic interfaces
(some form of PPP or anything on PCMCIA) you have to run it as root in order
for bind to use these interfaces.
bind does not bind 0.0.0.0:53. It for one or another reason binds every
interface separately. Hence if an interface is not available at bind start
time and bind does not run as root the interfaces are not rebound.
So running as non-root will not work in some cases. They may be covered in any
of the listed distros but this means making bind, all dhcp-clients, pcmcia,
ppp, ad nauseam depend on each other and mess with each other's init scripts.
For now I do not know of a distro that does this.
Nicolas MONNET <nico at MONNET.TO>:
Red Hat 6.0 runs named as root.root.
Red Hat 6.2 runs named as named.named.
Andreas Hasenack <andreas at conectiva.com.br>:
That fix also doesn't take into consideration that named can dump
some statistics files, such as named.memstat, named.stats and named_dump.db.
named follows symlinks, and therefore those files shouldn't be dumped in
a world writable directory such as /var/tmp (although we are now running as
an unprivileged user). One should create another directory, give the right
permissions to it and let named dump those files there.
For example, the following lines in named.conf's options section:
    dump-file "/var/named/dump/named_dump.db";
    statistics-file "/var/named/dump/named.stats";
    memstatistics-file "/var/named/dump/named.memstats";
And make that directory so that the "named" user can create files there.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
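The following is an added example, not code from this thread, from any of the posters, or from BIND itself. It turns Andreas Hasenack's point into a check an administrator can run: read the dump-file, statistics-file and memstatistics-file paths out of a named.conf, and refuse any that would make an unprivileged named write into a world-writable directory (such as /var/tmp) or through a symlink. It also creates the private dump directory the message recommends (mode 0750, owned by the named user when that account exists). The temporary directory layout, the config fragment and the user name "named" are assumptions made for the demonstration; point it at the real named.conf to audit a live system.

```shell
#!/bin/sh
# Added example (not from the thread or BIND): audit where named will dump
# files so that a non-root named never writes into a world-writable or
# symlink-reachable location. Paths and the "named" account are assumptions.

# Print the dump-file, statistics-file and memstatistics-file paths found
# in a named.conf, one per line (paths are assumed to contain no spaces).
dump_paths() {
    grep -E '^[[:space:]]*(dump-file|statistics-file|memstatistics-file)[[:space:]]+"' "$1" \
        | sed 's/^[^"]*"\([^"]*\)".*/\1/'
}

# Return 0 if $1 is a safe place for named to write:
#  - its parent directory exists, is a real directory (not a symlink),
#    and is not world-writable (POSIX "find -perm -002");
#  - the file itself, if it already exists, is not a symlink.
check_dump_path() {
    p=$1
    d=$(dirname "$p")
    [ -d "$d" ] || { echo "MISSING        $d"; return 1; }
    [ ! -L "$d" ] || { echo "SYMLINK        $d"; return 1; }
    [ -z "$(find "$d" -prune -perm -002 -print)" ] \
        || { echo "WORLD-WRITABLE $d"; return 1; }
    [ ! -L "$p" ] || { echo "SYMLINK        $p"; return 1; }
    echo "OK             $p"
    return 0
}

# Create a private dump directory: mode 0750, owned by the named user when
# that account exists (skipped otherwise, so the demo also runs unprivileged).
make_dump_dir() {
    mkdir -p "$1"
    chmod 0750 "$1"
    if id named >/dev/null 2>&1; then
        chown named "$1"
    fi
}

# Check every dump path in a named.conf; return 0 only if all are safe.
audit_named_conf() {
    bad=0
    for p in $(dump_paths "$1"); do
        check_dump_path "$p" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# --- Demonstration on a constructed layout under a temporary directory ---
demo_root=$(mktemp -d)
make_dump_dir "$demo_root/var/named/dump"
# A world-writable scratch directory standing in for /var/tmp.
mkdir -p "$demo_root/var/tmp" && chmod 1777 "$demo_root/var/tmp"

# Constructed named.conf fragment: two paths in the private directory,
# one (memstatistics-file) still pointing at the world-writable one.
cat > "$demo_root/named.conf" <<EOF
options {
    directory "/var/named";
    dump-file "$demo_root/var/named/dump/named_dump.db";
    statistics-file "$demo_root/var/named/dump/named.stats";
    memstatistics-file "$demo_root/var/tmp/named.memstats";
};
EOF

audit_named_conf "$demo_root/named.conf" \
    || echo "one or more dump paths need fixing"
rm -rf "$demo_root"
```

The audit only inspects the parent directory and the target file; it does not walk every component of the path, so run it against a configuration whose directory option has already been reviewed. The symlink test matters even inside a private directory, because named creates these files with its own privileges and a pre-planted link would redirect the write.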