Re: [linux-security] Re: Chrooting bind 8.1.2 under debian 2.0

[Carlos Barros <cbf@redlider.com.uy>]

On Fri, 17 Jul 1998, Cougar wrote:

  > > try changing only the line that start the bind daemon eg:
  > > 
  > > chroot /chroot-dns/ /bin/named
  > 
  > What this chroot gives You? Actually this is protection against simple
  > exec("/bin/sh") but every cracker may put chroot("/") before this and all
  > the protection is destroyed.

Maybe, but if you make a tree with only bind, no ftp access, and the
required libraries/config files, no cracker could exec no sh no chroot
etc, etc.

  > My idea is to run named non-root UID/GID. As named needs to bind port 53
  > which is below 1024 there are problem to execute it. One solution is to
  > rewrite named code (like httpd) another is to make the hole into the
  > kernel. Both are nonstandard solutions. There are also possible to use
  > some portwrapper/redir. Does anyone use some of these?

AFAIK apache start in uid 0 gid 0; bind to port 80; change  uid/gid...

it would be good for bind to do it...


Bye
    Carlos Barros.


--  
Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null