* Jason Gunthorpe said:
>
> On 21 Jan 2000, Greg Stark wrote:
>
> > If you want to improve security you should implement a kernel interface for
> > non-root users to be able to do what named does. Then propose this again.
>
> I think it is called linux capabilities. If someone wants to make bind
> more secure arrange for it to run as nobody with bind-to-any-port
> capability (or something like that)
>
> That is the best way to go, needs a bind patch though!

Not quite that easy as of now because there's scarce file-system support
for capabilities in the kernel. Right now you'd have to write a bind
bootstrap program that'd set the required capabilities or modify bind
itself (not a trivial task....)

> I'm not sure how a nobody running bind can write its zone cache files
> though..

chown -R nobody.nobody /etc/bind

but bind should run as its own user anyway.

marek
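As an added illustration of the "bind bootstrap program" idea in the reply above (this is example code, not anything from the thread or from BIND itself): a small launcher that starts as root, keeps only CAP_NET_BIND_SERVICE while switching to an unprivileged user, and then execs the real daemon. It assumes Linux, and for the capability to survive the exec it relies on ambient capabilities (Linux 4.3 and later), which did not exist when the message was written; that gap is exactly why the reply says you would otherwise have to patch bind or rely on file-system capability support. The user name and daemon path are taken from the command line, so no installation-specific path is assumed.

```c
/* Added example, not code from the mailing-list thread or from BIND.
 * Launcher: run as root, keep only CAP_NET_BIND_SERVICE, switch to an
 * unprivileged user, mark the cap ambient, exec the daemon. Linux-only. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#ifndef PR_CAP_AMBIENT        /* older libc headers lack these; kernel >= 4.3 */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif

typedef struct __user_cap_data_struct cap_data_t[_LINUX_CAPABILITY_U32S_3];

/* Capability numbers are spread over two 32-bit words in the v3 ABI. */
uint32_t cap_bit(int cap)  { return 1u << (cap % 32); }
int      cap_word(int cap) { return cap / 32; }

/* Fill `data` with a set holding only `cap` in permitted, effective and
 * inheritable. Inheritable is required later to raise the ambient bit. */
void build_single_cap_set(int cap, cap_data_t data) {
    memset(data, 0, sizeof(cap_data_t));
    data[cap_word(cap)].permitted   = cap_bit(cap);
    data[cap_word(cap)].effective   = cap_bit(cap);
    data[cap_word(cap)].inheritable = cap_bit(cap);
}

/* 1 if `cap` is in the calling process's effective set, 0 if not, -1 on error. */
int process_has_cap(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    cap_data_t data;
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return (data[cap_word(cap)].effective & cap_bit(cap)) ? 1 : 0;
}

/* Switch from root to uid/gid while retaining only `cap`, then mark it
 * ambient so it survives execve() of a binary without file capabilities.
 * Returns 0 on success, -1 on failure (errno set). Must start as root. */
int drop_to_user_keeping_cap(uid_t uid, gid_t gid, int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    cap_data_t data;

    /* Without KEEPCAPS, setuid() away from 0 clears the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* setuid() emptied the effective set; shrink permitted to one bit and
     * re-enable it. Shrinking never needs privilege, so this works as uid. */
    build_single_cap_set(cap, data);
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);

    /* Ambient caps carry the bit across execve(). Before they existed,
     * only file caps or patching the daemon itself could do this. */
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) != 0) return -1;
    return 0;
}

/* Usage (as root): ./bootstrap USER /path/to/named [named-args...] */
int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s USER DAEMON [ARGS...]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL || pw->pw_uid == 0) {
        fprintf(stderr, "refusing: %s is not an unprivileged user\n", argv[1]);
        return 2;
    }
    if (drop_to_user_keeping_cap(pw->pw_uid, pw->pw_gid, CAP_NET_BIND_SERVICE) != 0) {
        perror("drop_to_user_keeping_cap");
        return 1;
    }
    /* Refuse to start the daemon if the one cap we wanted is not there. */
    if (process_has_cap(CAP_NET_BIND_SERVICE) != 1) {
        fprintf(stderr, "CAP_NET_BIND_SERVICE not retained; not starting daemon\n");
        return 1;
    }
    execv(argv[2], argv + 2);   /* only returns on failure */
    perror("execv");
    return 1;
}
```

The launcher refuses to run the daemon as uid 0 and checks, after the switch, that CAP_NET_BIND_SERVICE is the only capability it still holds in the effective set, so a misconfiguration fails closed rather than starting the daemon with more than it needs. On a current system the same result is normally reached without a launcher at all, either with file capabilities (`setcap cap_net_bind_service=+ep` on the daemon binary) or with the daemon's own drop-privileges option.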