Re: [linux-security] Re: Chrooting bind 8.1.2 under debian 2.0

To: cougar@lost.data.ee (Cougar)
Cc: cbf@redlider.com.uy, cfb@ocn21.kdd-ok.ne.jp, debian-user@lists.debian.org, linux-security@redhat.com, debian-isp@lists.debian.org
Subject: Re: [linux-security] Re: Chrooting bind 8.1.2 under debian 2.0
From: Wolfgang Ley <ley@cert.dfn.de>
Date: Fri, 17 Jul 1998 13:58:36 +0200 (MET DST)
Message-id: <[🔎] 199807171158.NAA03953@tiger.cert.dfn.de>
In-reply-to: <[🔎] Pine.LNX.3.96.980717110508.29168A-100000@lost.data.ee> from "Cougar" at Jul 17, 98 11:30:32 am

-----BEGIN PGP SIGNED MESSAGE-----

Cougar wrote:
>
> On Tue, 14 Jul 1998, Carlos Barros wrote:
>
> > On Tue, 14 Jul 1998, cfb wrote:
> >
> >   > The main problem seems to be with the way that debian starts bind using
> >   > the script /etc/init.d/bind.  I thought it would be really neat to just
> >   > change the #!/bin/sh at the top of the script to something like :
> >   >    #!/usr/sbin/chroot /chroot-dns/ /bin/sh
> >   > or
> >   >    #!/usr/sbin/chroot /chroot-dns/ /chroot-dns/bin/sh
> >
> >
> > try changing only the line that start the bind daemon eg:
> >
> > chroot /chroot-dns/ /bin/named
>
> What this chroot gives You? Actually this is protection against simple
> exec("/bin/sh") but every cracker may put chroot("/") before this and all
> the protection is destroyed.
>
> [mod: It is slightly less trivial than 'chroot("/")', but if you can
> execute arbitrary code as root, you can break out of the chrooted
> environment. --REW]
>
> My idea is to run named non-root UID/GID. As named needs to bind port 53
> which is below 1024 there are problem to execute it. One solution is to
> rewrite named code (like httpd) another is to make the hole into the
> kernel. Both are nonstandard solutions. There are also possible to use
> some portwrapper/redir. Does anyone use some of these?
>
> [mod: Patches are floating around. -- REW]

Why are linux users always trying to patch software without rechecking
with the author first?
See the "-u" (uid) and "-g" (gid) flags of named 8.1.2 (as described in
the README and INSTALL files). Also note the "-t" flag to specify the
chroot-dir...

Bye,
  Wolfgang.
- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley@cert.dfn.de   Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/               ...have a nice day

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQEVAwUBNa88W8vEMj/EqWIlAQGRAggAmXUgnzJGCCc4iNG8sOpDlsf256ZoMeBC
E4XqDWjAe1zwyjL2XvMnA5lbA6GX+s7Gi0wTPlOTR3e6VPBNLqt5n5c0xDjTQAcz
00sNSrv/9jJXTPSNA12fbcLPzkMUMvakF1l1hpXPycjua5dvV0gFaYKA1X6Ht2Pq
AY0USXfk4zk0i+bdGXflCE+N6HHjZa/+Rw9szZIwWGmjKXDGi7jBoepWXVU+WwGh
HGrWtL2ty5YipK0hOdMuUhCsrLVMMAkTrZoX2f797O/K5Al1BH6QgQc9YnYsV+ft
JQ1uu5dvLykvkp74LOAoiqHwbHTn6t2vWvxg0Ix61prVq4AjN81bAw==
=Pbgc
-----END PGP SIGNATURE-----


--  
Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null

Reply to:

References:
- Re: [linux-security] Re: Chrooting bind 8.1.2 under debian 2.0
  - From: Cougar <cougar@lost.data.ee>

Prev by Date: setting dynamic rxvt titles with Xresoures/Xdefaults
Next by Date: Cross-compile to Windows NT
Previous by thread: Re: [linux-security] Re: Chrooting bind 8.1.2 under debian 2.0
Next by thread: Re: [linux-security] Re: Chrooting bind 8.1.2 under debian 2.0
Index(es):
- Date
- Thread