Re: bind running as root in Mandrake 7.0
On Mon, 5 Jun 2000, Tim Haynes wrote:
> On Mon, Jun 05, 2000 at 01:33:33PM +0000, Nick Phillips wrote:
> > Michael Stone wrote:
> >
> > > And I still think this is a stupid reason for us to be allowing a security
> > > problem to sit around--how many people run dns servers on machines with
> > > dynamic addresses?
> >
> > Loads. How many people use IP masq to let their bunch of Win98 clients share
> > their net connection? How many ISPs give static IPs? QED.
> >
> > It should probably be an install-time option.
>
> Erm... 'usepeerdns' and stuff...
>
> Another thought to throw into the fray.. What was that package that asks you
> for your local & external interfaces, then goes and ballses up a default
> firewall for you? ... Maybe some integration there could be fun.
>
> How many people wanting to run bind need it listening on their ppp0 interface,
> which comes & goes merrily with dialups, rather than their eth0s and let the
> outgoing forwarded requests get masqueraded?
>
> Just my $0.01..
>
> ~Tim
You got it exactly right; there is no reason why anyone should be
listening on a dynamic IP address. If it's gonna change so much, then how
will people be able to find it?
If it's about DHCP, then 'just' start that first before you start up bind.
Does DHCP also have something like a ppp-up script? I think you can
specify that, right?
There is _no_ reason why anyone should do a DNS query on a PPP dialup. If
someone really needs it (static IP over ppp?), make it so in ppp-up
(restart bind? or is reload enough?).
As long as it's named.named, it really is very important. There are just too
many things in bind that went wrong in the past.
My 2 cents.
-------------------------------------
New things are always on the horizon.
> --
> | Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
> | w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-
> | So shine on, harvest moon, | http://piglet.is.dreaming.org/
> | Cast your might on the ripening corn | piglet@glutinous.custard.org
>