[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Task harden.

On Mon, Apr 02, 2001 at 11:42:11AM -0400, xsdg wrote:
> On Sun, Apr 01, 2001 at 03:33:01PM -0800, Ethan Benson wrote:
> ::snip? snip!::
> > if this task-harden does ANYTHING at all it must get bind running in a
> > chroot jail as named.named and not root.  
> How can bind bind (no pun intended) to port 53 if it isn't root?

you modify the initscript to run bind normally, with the command line

-u named -g named -t /var/named"

-t tells it to chroot() to /var/named, -u and -g named tells it to
setgid() and setuid() to user/group named AFTER it has already bound
to port 53.  once it drops privileges it cannot regain them (there is
no saved uid 0s) 

so its started as root, takes care of the privileged operations
(chroot, binding to port 53) and then drops all privileges.

this configuration obviously won't work on a dynamic IP or laptop
situation where the ip address is changing randomly, since bind binds
to each interface/address individually.  but why would you be running
a dns server on a dynamic ip or laptop.

Ethan Benson

Attachment: pgpfa220RJCFp.pgp
Description: PGP signature

Reply to: