On Mon, Apr 02, 2001 at 11:42:11AM -0400, xsdg wrote:
> On Sun, Apr 01, 2001 at 03:33:01PM -0800, Ethan Benson wrote:
> ::snip? snip!::
> > if this task-harden does ANYTHING at all it must get bind running in a
> > chroot jail as named.named and not root.
> How can bind bind (no pun intended) to port 53 if it isn't root?

you modify the initscript to run bind normally, with the command line
switches:

-u named -g named -t /var/named

-t tells it to chroot() to /var/named, -u and -g named tell it to
setgid() and setuid() to user/group named AFTER it has already bound to
port 53. once it drops privileges it cannot regain them (there is no
saved uid 0s), so it's started as root, takes care of the privileged
operations (chroot, binding to port 53) and then drops all privileges.

this configuration obviously won't work on a dynamic IP or laptop
situation where the ip address is changing randomly, since bind binds to
each interface/address individually. but why would you be running a dns
server on a dynamic ip or laptop.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
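The start-as-root, bind, chroot, then setgid/setuid sequence the message describes, written out as an added example in C (this is not code from the thread or from BIND itself). The jail path /var/named and the user/group name named are taken from the message; everything else, including the loopback-only UDP socket and the uid/gid values, is an assumption made for illustration. Run as root it binds port 53, enters the jail and drops to named; run unprivileged it fails at the first privileged step, which is the point of doing those steps first.

```c
/* Added example, not from the mailing-list thread: privilege-drop order for a
 * daemon that needs a low port, modelled on "-u named -g named -t /var/named".
 * Jail path and user name come from the message; the rest is assumed. */
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to 127.0.0.1:port. Ports below 1024 need root (or
 * CAP_NET_BIND_SERVICE), so this has to happen before privileges are dropped. */
int bind_udp_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* chroot() into jail, then drop to uid/gid. Order matters: chroot, setgroups
 * and setgid all need root, so they go first; setuid goes last because after
 * it no privileged call can succeed. Returns 0 on success, -1 with errno set. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {           /* refuse to "drop" to root */
        errno = EINVAL;
        return -1;
    }
    if (chroot(jail) < 0 || chdir("/") < 0) /* chdir so the cwd is inside the jail */
        return -1;
    if (setgroups(0, NULL) < 0)           /* shed supplementary groups inherited from root */
        return -1;
    if (setgid(gid) < 0)                  /* gid before uid: after setuid we could not setgid */
        return -1;
    if (setuid(uid) < 0)                  /* sets real, effective and saved uid: no way back */
        return -1;
    return 0;
}

/* 1 if the process can still become root (setuid(0) succeeds), else 0.
 * After a correct drop all three uids are non-zero, so this returns 0. */
int root_regainable(void)
{
    return setuid(0) == 0 ? 1 : 0;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/named"; /* -t /var/named */
    struct passwd *pw = getpwnam("named");                /* -u named -g named */
    if (pw == NULL) {
        fprintf(stderr, "user 'named' does not exist\n");
        return 1;
    }
    int fd = bind_udp_port(53);       /* privileged step first, while still root */
    if (fd < 0) {
        perror("bind port 53");
        return 1;
    }
    if (drop_privileges(jail, pw->pw_uid, pw->pw_gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("fd %d bound; now uid %u, root regainable: %d\n",
           fd, (unsigned)geteuid(), root_regainable());
    close(fd);
    return 0;
}
```

The reason setgid() comes before setuid() is exactly the "no saved uid 0" point in the message: once setuid() has replaced the real, effective and saved uids, the process has no credential left that would let setgid() or chroot() succeed, so any step done in the wrong order simply fails and the daemon keeps running with more privilege than intended. A quick check after start-up is to confirm the listening process shows up as the unprivileged user (for example in ps) and that / inside the process is the jail directory.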