
Re: [linux-security] Re: Chrooting bind 8.1.2 under debian 2.0



On Fri, 17 Jul 1998, Carlos Barros wrote:

> On Fri, 17 Jul 1998, Cougar wrote:
> 
>   > > try changing only the line that starts the bind daemon, e.g.:
>   > > 
>   > > chroot /chroot-dns/ /bin/named
>   > 
>   > What does this chroot give you? Actually this is protection against a simple
>   > exec("/bin/sh") but every cracker may put chroot("/") before this and all
>   > the protection is destroyed.
> 
> Maybe, but if you make a tree with only bind, no ftp access, and the
> required libraries/config files, no cracker could exec any sh, any chroot,
> etc., etc.

I didn't mean the shell's chroot command but the chroot(2) system call. You
can't block it if the code runs under root id.

>   > My idea is to run named with a non-root UID/GID. As named needs to bind port 53,
>   > which is below 1024, there is a problem executing it. One solution is to
>   > rewrite the named code (like httpd), another is to make a hole in the
>   > kernel. Both are nonstandard solutions. It is also possible to use
>   > some portwrapper/redir. Does anyone use any of these?
> 
> AFAIK apache starts as uid 0 gid 0, binds to port 80, then changes uid/gid...
> 
> it would be good for bind to do it...

It appears that bind8 can do this.

---
Cougar
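As an added example (not code from the original thread, and not BIND's own implementation), the sequence Carlos describes for Apache applied to a DNS daemon, in C: bind port 53 while still root, enter the chroot, drop to an unprivileged uid/gid, then confirm that chroot(2) is refused, which is the check Cougar's objection calls for. The jail path /chroot-dns is taken from the thread; the `named` account and the helper names are assumptions.

```c
/* Added example, not from the original thread or from BIND: bind a
 * privileged port as root, chroot, then drop root so that chroot(2)
 * can no longer be called by injected code. The jail path comes from
 * the thread; the "named" account is an assumption. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind a UDP socket on 127.0.0.1:port. Ports below 1024 need uid 0,
 * which is why this step runs before anything is given up.
 * Returns the descriptor or -1. */
int bind_udp_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* chroot(2) followed by chdir("/"). Without the chdir the process keeps
 * a working directory outside the jail, which is the classic way back
 * out. Needs uid 0. */
int enter_jail(const char *dir) {
    if (chroot(dir) < 0) return -1;
    if (chdir("/") < 0) return -1;
    return 0;
}

/* Drop to an unprivileged uid/gid in the right order: supplementary
 * groups first (only possible while still root), then gid, then uid.
 * Refuses to "drop" to uid 0 and verifies root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0) { errno = EINVAL; return -1; }
    if (geteuid() == 0 && setgroups(1, &gid) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* If setuid(0) succeeds here, a saved uid of 0 survived and the
     * drop was cosmetic. */
    if (setuid(0) == 0) return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

/* 1 if chroot(2) is still permitted for this process (the jail can be
 * undone by code that gets control), 0 if the kernel refuses it. */
int can_call_chroot(void) {
    return chroot("/") == 0 ? 1 : 0;
}

int main(void) {
    const char *jail = "/chroot-dns";           /* path from the thread */
    struct passwd *pw = getpwnam("named");      /* assumed account; looked up
                                                   before chroot hides /etc */
    if (!pw) { fputs("no user named\n", stderr); return 1; }
    int fd = bind_udp_port(53);                 /* needs uid 0 */
    if (fd < 0) { perror("bind 53"); return 1; }
    if (enter_jail(jail) < 0) { perror("chroot"); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) { perror("drop"); return 1; }
    printf("port 53 bound, uid %d, chroot(2) %s\n", (int)getuid(),
           can_call_chroot() ? "STILL POSSIBLE" : "now refused");
    close(fd);
    return 0;
}
```

Run it as root on a host that has the jail and the account; as an ordinary user the bind to port 53 fails with EACCES, which is exactly why the ordering matters. The final line is the property the thread is after: once uid 0 is gone, an attacker who gains control of the process cannot call chroot() to undo the jail.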

