
Re: named as non-root?



On Thu, Jun 22, 2000 at 11:19:13AM -0400, Paul Tod Rieger wrote:
> On my router/firewall (2 NICs with ipmasq in between; slink/2.0.36), I run
> named as root.  I'm looking for an easy way not to.
> 
> Since the Debian system already runs Apache as www-data, I'm wondering if
> adding "-u www-data  -g www-data" to named's start up file would be an easy
> way to run it non-root.


It would be easy, and "more" secure than running as root, but you could
do better.


> http://www.psionic.com/papers/dns/dns-linux/ -- but its approach seems more
> complicated.

Yes, he describes using "holelogd" (or something like that, I haven't
read it in a while).  You won't need this because the current syslogd
(at least the one that ships with Debian) has built-in support for
listening on additional sockets.  See the syslogd man page regarding the
"-a" argument for details.  You won't need this if you just run it as a
regular user, you only need it if you decided to chroot named (with -t)
as well -- which is _highly_ recommended.

Anyway the best thing to do (imo) is use something besides BIND.  My
suggestion is "DNScache" by Dan Bernstein.  Despite its name, it's not
just a cache, it is also a DNS hosting server if you need one.  But any
way you slice it, it's light years ahead of BIND in terms of
reliability, correctness, stability, performance, resource usage, and
security.  What more could you want?  ;)

http://cr.yp.to/dnscache.html

The default installation runs as a non-root user, chrooted into a
directory with just a handful of files in it, and is immune to the
poisoning and snooping attacks to which BIND is (still) vulnerable.  And
it's remarkably easy to install and set up.

If you give it a shot and need assistance, feel free to ask me or the
"dns" list that is set up for it.

Anyway should you not decide to do that for any reason, and if you stick
with BIND, you should create an additional user ("named" or whatever)
for it.  Don't use an account that has access to any other data; should
someone crack your box via named, you wouldn't want him to also have
access to your www files.

Do use the -u and -g arguments, and create a directory with the
necessary permissions (I believe the psionic.com doc provides specifics
on a lot of this) for named to chroot itself into with the -t argument.

-- 

Jim B.
vader@conflict.net
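
The setup described in the last two paragraphs of the message, as an added example that is not part of the original post: it builds a jail skeleton, checks it for permissions that would weaken it, and prints the `named` and `syslogd` invocations using the `-u`, `-g`, `-t` and `-a` arguments mentioned above. The directory layout (`etc`, `dev`, `var/run`), the account name `named`, and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Jail layout, account name and function names are assumptions.

# Create a minimal jail skeleton. Only var/run is meant to be writable by the
# daemon's account; everything else stays with whoever builds the jail (root).
build_jail() {
    jail=$1; user=$2; group=$3
    mkdir -p "$jail/etc" "$jail/dev" "$jail/var/run" || return 1
    chmod 755 "$jail" "$jail/etc" "$jail/dev" "$jail/var"
    chmod 750 "$jail/var/run"
    # Drop any setuid/setgid bit inherited from the parent directory.
    chmod ug-s "$jail" "$jail/etc" "$jail/dev" "$jail/var" "$jail/var/run"
    # Ownership changes need root and an existing account; skip otherwise.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown 0:0 "$jail" "$jail/etc" "$jail/dev" "$jail/var"
        chown "$user:$group" "$jail/var/run"
    fi
}

# Report entries that weaken the jail: world-writable, setuid or setgid.
# Sockets are skipped because the log socket is world-writable by design.
# Prints offenders and returns 1 if any exist, 0 if the tree is clean.
audit_jail() {
    bad=$(find "$1" ! -type l ! -type s \
        \( -perm -0002 -o -perm -4000 -o -perm -2000 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Command line for named: dedicated user and group, chrooted into the jail.
named_cmd() { printf 'named -u %s -g %s -t %s\n' "$1" "$2" "$3"; }

# Command line for syslogd: extra listening socket inside the jail, so the
# chrooted named can still reach the system log.
syslogd_cmd() { printf 'syslogd -a %s/dev/log\n' "$1"; }

# Demonstration in a throwaway directory (constructed path, nothing installed).
demo=$(mktemp -d)
build_jail "$demo/jail" named named
if audit_jail "$demo/jail"; then
    syslogd_cmd "$demo/jail"
    named_cmd named named "$demo/jail"
fi
rm -rf "$demo"
```

Run as root with the account already created, `build_jail` also sets ownership; `audit_jail` is worth re-running after copying zone and configuration files into the jail.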


