Bugtraq mailing list archives
Re: bind running as root in Mandrake 7.0
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Thu, 8 Jun 2000 11:40:25 -0700
This is a summary of the last responses in this thread. I am killing this thread here.

Jim Knoble <jmknoble () pint-stowp cx>:

Those really interested in a secure DNS server ought to forget trying to secure BIND and use D. J. Bernstein's dnscache package instead:

  http://cr.yp.to/dnscache.html

Its "regular" DNS server, tinydns, runs as a non-root user in a chrooted environment by default. Read the website for more info about security, dnscache, and BIND.

Thomas Novin <thnov () thalamus se>:
Debian Slink and Potato (frozen) both install BIND 8.2.2R5 as root.
Slackware also, as long as I can remember. Same goes for the latest version, 7.0-current.

"Andrew L. Davis" <adavis () THREKSTUN NET>:
> Debian Slink and Potato (frozen) both install BIND 8.2.2R5 as root.
There was a long-standing discussion on this which basically boils down to the fact that if you obtain your address dynamically or have dynamic interfaces (some form of PPP or anything on PCMCIA) you have to run it as root in order for bind to use these interfaces. bind does not bind 0.0.0.0:53. It for one or another reason binds every interface separately. Hence if an interface is not available at bind start time and bind does not run as root the interfaces are not rebound. So running as non-root will not work in some cases. They may be covered in any of the listed distros, but this means making bind, all dhcp-clients, pcmcia, ppp, ad nauseam depend on each other and mess with each other's init scripts. For now I do not know of a distro that does this.

Nicolas MONNET <nico () MONNET TO>:

Red Hat 6.0 runs named as root.root. Red Hat 6.2 runs named as named.named.

Andreas Hasenack <andreas () conectiva com br>:

That fix also doesn't take into consideration that named can dump some statistics files, such as named.memstat, named.stats and named_dump.db. named follows symlinks, and therefore those files shouldn't be dumped in a world-writable directory such as /var/tmp (although we are now running as an unprivileged user). One should create another directory, give the right permissions to it and let named dump those files there. For example, the following lines in named.conf's options section:

    dump-file "/var/named/dump/named_dump.db";
    statistics-file "/var/named/dump/named.stats";
    memstatistics-file "/var/named/dump/named.memstats";

And make that directory so that the "named" user can create files there.

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
Current thread:
- Re: Remote DoS attack in Real Networks Real Server (Strike #2) vulnerability Ryan Russell (Jun 01)
- Re: Remote DoS attack in Real Networks Real Server (Strike #2) vulnerability Christopher Schulte (Jun 02)
- bind running as root in Mandrake 7.0 Nicolas MONNET (Jun 03)
- Re: bind running as root in Mandrake 7.0 Brock Sides (Jun 03)
- Re: bind running as root in Mandrake 7.0 White Vampire (Jun 03)
- Re: bind running as root in Mandrake 7.0 Andrew L. Davis (Jun 04)
- Re: bind running as root in Mandrake 7.0 Elias Levy (Jun 08)
- Circumventing Outlook Security Update File Download Security With IFRAMEs cassius () HUSHMAIL COM (Jun 09)
- Re: bind running as root in Mandrake 7.0 Nathan Neulinger (Jun 11)
- Remote DoS for Mercur 3.2 |[TDP]| (Jun 13)
- Vulnerability in Solaris ufsrestore Job de Haas (Jun 14)
- <Possible follow-ups>
- Re: Remote DoS attack in Real Networks Real Server (Strike #2) Vulnerability Christopher Schulte (Jun 02)