
Re: Task harden.



On Mon, Apr 02, 2001 at 11:42:11AM -0400, xsdg wrote:
> > if this task-harden does ANYTHING at all it must get bind running in a
> > chroot jail as named.named and not root.  
> How can bind bind (no pun intended) to port 53 if it isn't root?

you use tcpserver to listen to port 53, which then spawns tinydns or
dnscache (as required).

tinydns and dnscache both run in a chroot jail, as a non-root user.
tcpserver.c is merely 426 lines long. all the files in the
ucspi-tcp-0.88 tarball are 9151 lines, making it possible to do a fairly
complete audit for potential problems.

if you are using BIND, then you deserve what you get.[1]

-john

[1] call me heartless and cruel, but i put sendmail, bind, and wu-ftpd
    all in the ``please r00t me!'' category
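The pattern the thread is describing (take the privileged port while still root, then chroot and run as an unprivileged user) as an added example; this is not code from the thread, from BIND or from ucspi-tcp/djbdns. The user name "named" and the jail directory "/var/named" are assumed for illustration.

```c
#define _GNU_SOURCE /* for chroot(), setgroups() declarations */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket on the loopback address to `port` (0 = any free port).
 * Ports below 1024 need root, which is exactly why this runs first. */
int bind_udp_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Report which port a bound socket actually holds. */
int bound_port(int fd) {
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* Enter the jail, then drop supplementary groups, gid and uid in that order
 * (uid last, or setgid would fail). Finally confirm root cannot be regained. */
int drop_privileges(const char *root, uid_t uid, gid_t gid) {
    if (chroot(root) < 0 || chdir("/") < 0) return -1;
    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (setuid(0) == 0) return -1; /* drop was reversible: refuse to continue */
    return 0;
}

int main(void) {
    int fd = bind_udp_port(53); /* must still be root here */
    if (fd < 0) { perror("bind 53"); return 1; }
    struct passwd *pw = getpwnam("named"); /* assumed account name */
    if (!pw || drop_privileges("/var/named", pw->pw_uid, pw->pw_gid) < 0) {
        perror("drop privileges"); return 1;
    }
    printf("port %d held by uid %d (euid %d)\n", bound_port(fd), getuid(), geteuid());
    return 0;
}
```

Run as root the socket on 53 stays open across the uid change because the descriptor, not the process's identity, carries the right to use it; as a normal user the bind fails and the program exits before touching any privileges.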


