[linux-security] Re: Chrooting bind 8.1.2 under debian 2.0
- From: Jon Lewis <jlewis@inorganic5.fdt.net>
- To: Cougar <cougar@lost.data.ee>
- Cc: debian-user@lists.debian.org, linux-security@redhat.com, debian-isp@lists.debian.org
- Subject: [linux-security] Re: Chrooting bind 8.1.2 under debian 2.0
- Date: Fri, 17 Jul 1998 10:18:22 -0400 (EDT)
On Fri, 17 Jul 1998, Cougar wrote:
> [mod: It is slightly less trivial than 'chroot("/")', but if you can
> execute arbitrary code as root, you can break out of the chrooted
> environment. --REW]
>
> My idea is to run named with a non-root UID/GID. As named needs to bind port 53,
> which is below 1024, there is a problem executing it. One solution is to
> rewrite the named code (like httpd); another is to make a hole in the
> kernel. Both are nonstandard solutions. It is also possible to use
>
> [mod: Patches are floating around. -- REW]
Patches? Bind 8.1.2 has command-line options for running as non-root
UID/GID and chrooted. It binds to port 53 before dropping root. This is
only a problem if you have interfaces appearing/disappearing randomly that
you need named to bind to. Most real name servers probably don't have
that problem.
[mod: Sorry about that. I scanned my online sources of bind-8.1.2 and
couldn't find those options in the 30 seconds that I was
looking. Since I remembered having seen the options, I thought it
must've been a patch floating around. -- REW]
------------------------------------------------------------------
Jon Lewis <jlewis fdt net> | Spammers will be winnuked or
Network Administrator | drawn and quartered...whichever
Florida Digital Turnpike | is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
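The ordering Jon describes (bind port 53 while still root, then chroot, then give up the root UID/GID, which is what named's -u/-g/-t options do in 8.1.2) is easy to get wrong in a custom daemon, so here is a small stand-alone illustration of it. This is an added example written for this archive page, not code from BIND or from anyone in the thread. The function names bind_udp_port, drop_privileges and bind_then_drop are made up for the example, and uid/gid 65534 is assumed to stand in for an unprivileged "named" account; run it as root to see the privileged bind succeed and the later one fail.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a UDP socket bound to INADDR_ANY:port (0 = any free port).
 * Returns the descriptor, or -1 with errno set (EACCES when a non-root
 * process asks for a port below 1024). */
int bind_udp_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid. Supplementary groups and the gid must go
 * first: once the uid is non-zero, setgroups/setgid are no longer allowed.
 * Returns 0 on success, -1 on failure or if root could still be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* the drop must be irreversible */
        return -1;
    return 0;
}

/* The ordering behind named -u/-g/-t: bind the privileged port while
 * still root, chroot (root-only, so it must precede the uid drop), then
 * drop uid/gid. chroot_dir == NULL skips the chroot step.
 * Returns the bound descriptor, or -1 on any failure. */
int bind_then_drop(unsigned short port, const char *chroot_dir, uid_t uid, gid_t gid)
{
    int fd = bind_udp_port(port);
    if (fd < 0)
        return -1;
    if (chroot_dir != NULL && (chroot(chroot_dir) < 0 || chdir("/") < 0)) {
        close(fd);
        return -1;
    }
    if (drop_privileges(uid, gid) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Assumed: started as root; 65534 stands in for an unprivileged account. */
    int fd = bind_then_drop(53, NULL, 65534, 65534);
    if (fd < 0) {
        perror("bind_then_drop");
        return 1;
    }
    printf("port 53 bound on fd %d, now running as uid %d\n", fd, (int)getuid());
    /* Jon's caveat: an interface that appears after the drop cannot get a new
     * privileged socket. This second bind fails with EACCES as uid 65534. */
    int late = bind_udp_port(54);
    printf("late bind of port 54: %s\n", late < 0 ? strerror(errno) : "succeeded");
    if (late >= 0)
        close(late);
    close(fd);
    return 0;
}
```

Started as a non-root user, bind_then_drop(53, ...) fails straight away with EACCES, which is exactly the obstacle Cougar raises; started as root, the first bind succeeds and the later one does not, which is the trade-off Jon points out for hosts whose interfaces come and go.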