Re: Whom does the newest BIND vulnerability concern?
On Mon, 15 Nov 1999 at 19:55:12 +0100, Russell Coker wrote:
> >I ended so far removing options --pidfile /var/run/named.pid
> >from /etc/init.d/bind
> >which, I _think_, will be safer than giving write permission for group
> >"daemon" to /var/run
>
> What is the danger in giving group daemon write access to /var/run?
Probably I was too paranoid :-) .
> Programs running with group daemon used to run as root! A program that many
> people trust enough to run as root is a program that I usually trust enough
> to give write access to /var/run.
You're right.
> Also with the sticky bit on /var/run they can't delete each other's pid files
> so if such a program is compromised it can't interfere with a running daemon.
Theoretically, there could be some DoS-type interference - when one
program would create a pid-file normally used by another program.
But - as you pointed out - they usually run as root so they could do
bigger damage if they were compromised, anyway.
You convinced me! Thank you for the solution :-) .
If I don't hear about a better way, I'll stay with this one.
Best wishes
--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek@lodz.tpsa.pl http://www.lodz.tpsa.pl/ | ones and zeros.
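As an added example (not part of the thread, and not Debian's or BIND's own init script code), the following POSIX sh functions show the alternative the thread hints at: give each daemon its own runtime directory (for instance /var/run/named, owned by the daemon's uid, mode 0755) rather than group-daemon write access to /var/run, and have the init script verify both the directory and the pid file before trusting them, so a pid file planted by another compromised daemon is rejected. It assumes GNU stat(1) and that the hypothetical directory and uid are passed in by the caller.

```shell
#!/bin/sh
# Checks an init script can run before reading a pid file such as
# /var/run/named/named.pid. Both functions return 0 when safe, 1 otherwise.
# Assumes GNU stat(1) (the -c format option).

# pidfile_dir_ok DIR UID: DIR is a real directory (not a symlink), owned by
# UID, with no write bit for group or other. A per-daemon directory with
# these properties means only that daemon (or root) can create the pid file,
# so the group-daemon-write / sticky-bit question on /var/run does not arise.
pidfile_dir_ok() {
    dir=$1; want_uid=$2
    [ -L "$dir" ] && return 1
    [ -d "$dir" ] || return 1
    set -- $(stat -c '%u %a' "$dir")
    [ "$1" = "$want_uid" ] || return 1
    case "$2" in
        *[2367]?|*[2367]) return 1 ;;   # 'w' bit set for group or other
    esac
    return 0
}

# pidfile_ok FILE UID: FILE is a regular file (not a symlink) owned by UID,
# and its first line is a single positive integer naming a live process.
# kill -0 only succeeds for processes the caller may signal, which is what
# an init script running as root wants; an unprivileged caller will get
# a failure for other users' processes.
pidfile_ok() {
    file=$1; want_uid=$2
    [ -L "$file" ] && return 1
    [ -f "$file" ] || return 1
    [ "$(stat -c '%u' "$file")" = "$want_uid" ] || return 1
    pid=$(head -n 1 "$file" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;        # empty or not purely numeric
    esac
    [ "$pid" -gt 0 ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Example use in an init script (constructed values):
#   pidfile_dir_ok /var/run/named "$(id -u named)" || exit 1
#   pidfile_ok /var/run/named/named.pid "$(id -u named)" && echo "already running"
```

The checks refuse a pid file whose owner or directory permissions are wrong rather than trying to repair them, which keeps a planted or stale file from being acted on.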