On Mon, Apr 02, 2001 at 09:28:16AM -0700, John H. Robinson, IV wrote:
> On Mon, Apr 02, 2001 at 11:42:11AM -0400, xsdg wrote:
> > > if this task-harden does ANYTHING at all it must get bind running in a
> > > chroot jail as named.named and not root.
> > How can bind bind (no pun intended) to port 53 if it isn't root?
>
> you use tcpserver to listen to port 53, which then spawns tinydns or
> dnscache (as required).
>
> tinydns and dnscache both run in a chroot jail, as a non-root user.
> tcpserver.c is merely 426 lines long. all the files in the
> ucspi-tcp-0.88 tarball are 9151, making it possible to do a fairly
> complete audit for potential problems.

my bind configuration runs in a chroot jail as a non-root user as well.
as for dnscache and tcpserver, they are non-free. tell me when they are
free software and they can be considered. it's also been said they ignore
RFCs; that isn't very good code.

> if you are using BIND, then you deserve what you get.[1]

only if you configure them wrong, as in letting it run as root.

> -john
>
> [1] call me heartless and cruel, but i put sendmail, bind, and wu-ftpd
> all in the ``please r00t me!'' category

sendmail can't be made to run non-root, neither can wu-ftpd. bind can, so
its risk is significantly lowered when such is done in combination with
chroot. the only way to get r00ted with a properly configured bind
installation is if you manage to find a way to make a fully chrooted,
fully unprivileged process break out of the chroot jail and run a shell,
and from there find some other local exploit. this strikes me as rather
unlikely.

--
Ethan Benson
http://www.alaska.net/~erbenson/
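The thread's claim rests on the daemon actually running chrooted and with no uid 0 left in any of its credentials. Below is an added check (not code from the thread or from BIND/djbdns) that inspects Linux /proc for a running named/tinydns/dnscache; it assumes the standard `Name:`/`Uid:` lines in /proc/<pid>/status and the /proc/<pid>/root symlink, and the sample status texts are constructed.

```python
"""Verify that a DNS daemon runs unprivileged and chrooted (added example).

Assumes Linux /proc: /proc/<pid>/status carries "Name:" and "Uid:" lines
(real, effective, saved, fs uid) and /proc/<pid>/root links to the process
root. The SAMPLE_* strings are constructed test data, not captured output.
"""
import os

SAMPLE_OK = "Name:\tnamed\nPid:\t1234\nUid:\t104\t104\t104\t104\n"
SAMPLE_ROOT = "Name:\tnamed\nPid:\t1235\nUid:\t0\t0\t0\t0\n"
SAMPLE_PARTIAL = "Name:\tnamed\nPid:\t1236\nUid:\t0\t104\t0\t104\n"


def parse_status(text):
    """Return (name, [real, effective, saved, fs]) from a /proc status file."""
    name, uids = None, None
    for line in text.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Uid:"):
            uids = [int(x) for x in line.split(":", 1)[1].split()]
    if name is None or uids is None or len(uids) != 4:
        raise ValueError("unexpected /proc status format")
    return name, uids


def assess(name, uids, root_target):
    """Return findings for one process; an empty list means it passes."""
    findings = []
    if uids[1] == 0:
        findings.append("%s runs with effective uid 0 (root)" % name)
    elif 0 in uids:
        # Only the effective uid was dropped (e.g. seteuid): real or saved
        # uid is still 0, so the process can regain root at will.
        findings.append("%s keeps uid 0 in its real/saved/fs uid" % name)
    if root_target == "/":
        findings.append("%s is not chrooted (root is /)" % name)
    return findings


def audit_live(names=("named", "tinydns", "dnscache")):
    """Walk /proc and assess every running process named in `names`."""
    results = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/status" % pid) as f:
                name, uids = parse_status(f.read())
            if name not in names:
                continue
            root = os.readlink("/proc/%s/root" % pid)
        except OSError:
            continue  # process exited, or not readable by this user
        results[int(pid)] = assess(name, uids, root)
    return results
```

Reading /proc/<pid>/root of another user's process needs root, so run `audit_live()` as root to see the chroot result rather than a silent skip.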