Re: [linux-security] Re: Chrooting bind 8.1.2 under debian 2.0
On Fri, 17 Jul 1998, Cougar wrote:
> > try changing only the line that starts the bind daemon, eg:
> >
> > chroot /chroot-dns/ /bin/named
>
> What does this chroot give you? Actually this is protection against a simple
> exec("/bin/sh"), but every cracker may put chroot("/") before this and all
> the protection is destroyed.
Maybe, but if you make a tree with only bind, no ftp access, and the
required libraries/config files, no cracker could exec any sh, chroot,
etc, etc.
> My idea is to run named with a non-root UID/GID. As named needs to bind port 53,
> which is below 1024, there are problems executing it. One solution is to
> rewrite the named code (like httpd), another is to make a hole in the
> kernel. Both are nonstandard solutions. It is also possible to use
> some portwrapper/redir. Does anyone use some of these?
AFAIK apache starts as uid 0 gid 0, binds to port 80, then changes uid/gid...
it would be good for bind to do it...
Bye
Carlos Barros.
--
Unsubscribe? mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
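The "bind the privileged port as root, then chroot and change uid/gid" order that the reply attributes to Apache, written out as an added C example for a UDP port-53 listener. This is illustration code, not BIND's or Apache's own source; the jail path `/chroot-dns` is the one from the thread, and the uid/gid 65534 and the helper names `bind_udp_port`, `jail_and_drop_root` and `confirm_unprivileged` are assumptions of this example. Running `main` as written needs root; the helpers can be exercised individually without it.

```c
/*
 * Added example (not from the thread): bind port 53 while still root,
 * then chroot into the jail and drop to an unprivileged uid/gid.
 *
 * Order matters:
 *   1. bind() the privileged port while still root
 *   2. chroot() into the jail, then chdir("/") so the cwd is inside it
 *   3. setgroups(), setgid(), setuid() -- in that order
 *   4. verify that root cannot be regained
 * After step 3 the process has no CAP_SYS_CHROOT, so the chroot("/")
 * escape the quoted poster describes is no longer available inside it.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to addr:port; port 0 asks the kernel for any free port.
 * Returns the socket fd, or -1 on failure. */
int bind_udp_port(const char *addr, int port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* chroot into jail and drop to uid/gid. Returns 0 on success, -1 on error
 * (errno is left set by the failing call). Must be called as root. */
int jail_and_drop_root(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) < 0 || chdir("/") < 0)
        return -1;                 /* without chdir("/") the cwd still points outside */
    if (setgroups(0, NULL) < 0)    /* drop supplementary groups before setgid */
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;                 /* setuid last: once uid != 0, setgid would fail */
    return 0;
}

/* Returns 1 if the process is unprivileged and cannot become root again,
 * 0 otherwise. The setuid(0) probe must fail with EPERM after a real drop. */
int confirm_unprivileged(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    return setuid(0) < 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed placeholder values; adjust for a real deployment. */
    const char *jail = "/chroot-dns";
    uid_t uid = 65534;   /* e.g. nobody */
    gid_t gid = 65534;   /* e.g. nogroup */

    int fd = bind_udp_port("0.0.0.0", 53);
    if (fd < 0) { perror("bind udp/53"); return 1; }
    if (jail_and_drop_root(jail, uid, gid) < 0) { perror("jail_and_drop_root"); return 1; }
    if (!confirm_unprivileged()) {
        fprintf(stderr, "still privileged, refusing to serve\n");
        return 1;
    }
    printf("listening on udp/53 as uid %d inside %s\n", (int)getuid(), jail);
    close(fd);
    return 0;
}
```

The check in `confirm_unprivileged` is the part worth keeping in any daemon that drops root itself: a drop that silently failed (wrong order, missing `setgroups`, `chroot` without `chdir`) leaves a root process that looks jailed but is not.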