Re: [linux-security] Re: Chrooting bind 8.1.2 under debian 2.0
-----BEGIN PGP SIGNED MESSAGE-----
Cougar wrote:
>
> On Tue, 14 Jul 1998, Carlos Barros wrote:
>
> > On Tue, 14 Jul 1998, cfb wrote:
> >
> > > The main problem seems to be with the way that debian starts bind using
> > > the script /etc/init.d/bind. I thought it would be really neat to just
> > > change the #!/bin/sh at the top of the script to something like :
> > > #!/usr/sbin/chroot /chroot-dns/ /bin/sh
> > > or
> > > #!/usr/sbin/chroot /chroot-dns/ /chroot-dns/bin/sh
> >
> >
> > try changing only the line that starts the bind daemon, eg:
> >
> > chroot /chroot-dns/ /bin/named
>
> What does this chroot give you? Actually this is protection against a simple
> exec("/bin/sh"), but every cracker may put chroot("/") before this and all
> the protection is destroyed.
>
> [mod: It is slightly less trivial than 'chroot("/")', but if you can
> execute arbitrary code as root, you can break out of the chrooted
> environment. --REW]
>
> My idea is to run named with a non-root UID/GID. As named needs to bind port 53,
> which is below 1024, there are problems executing it. One solution is to
> rewrite the named code (like httpd); another is to make a hole in the
> kernel. Both are nonstandard solutions. It is also possible to use
> some portwrapper/redir. Does anyone use one of these?
>
> [mod: Patches are floating around. -- REW]
Why are Linux users always trying to patch software without rechecking
with the author first?
See the "-u" (uid) and "-g" (gid) flags of named 8.1.2 (as described in
the README and INSTALL files). Also note the "-t" flag to specify the
chroot-dir...
Bye,
Wolfgang.
- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/ ...have a nice day
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
iQEVAwUBNa88W8vEMj/EqWIlAQGRAggAmXUgnzJGCCc4iNG8sOpDlsf256ZoMeBC
E4XqDWjAe1zwyjL2XvMnA5lbA6GX+s7Gi0wTPlOTR3e6VPBNLqt5n5c0xDjTQAcz
00sNSrv/9jJXTPSNA12fbcLPzkMUMvakF1l1hpXPycjua5dvV0gFaYKA1X6Ht2Pq
AY0USXfk4zk0i+bdGXflCE+N6HHjZa/+Rw9szZIwWGmjKXDGi7jBoepWXVU+WwGh
HGrWtL2ty5YipK0hOdMuUhCsrLVMMAkTrZoX2f797O/K5Al1BH6QgQc9YnYsV+ft
JQ1uu5dvLykvkp74LOAoiqHwbHTn6t2vWvxg0Ix61prVq4AjN81bAw==
=Pbgc
-----END PGP SIGNATURE-----
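As an added example (not part of the thread, and not Debian's or ISC's own init script): a POSIX sh init fragment that starts BIND 8.1.2's named the way Wolfgang describes, with `-u`/`-g` to drop the daemon to an unprivileged account and `-t` to let named chroot itself, instead of wrapping the whole `/etc/init.d/bind` script in `chroot`. The install path `/usr/sbin/named`, the `named` user and group, and the layout of the jail under `/chroot-dns` are assumptions; the pre-flight and post-start checks are the parts a defender wants, since `-u root` or a jail without its config file would silently reproduce the problem the thread starts from.

```shell
#!/bin/sh
# Added example, not from the thread. Starts BIND 8.x named with the
# -u/-g/-t flags mentioned in the reply rather than chrooting the init script.

NAMED=/usr/sbin/named      # assumed install path of named 8.1.2
CHROOT_DIR=/chroot-dns     # jail directory used in the thread
NAMED_USER=named           # assumed unprivileged account
NAMED_GROUP=named          # assumed group for that account

# Compose the start command. named binds port 53 while still root, then
# chroot()s to the -t directory and switches to the -u/-g identity itself,
# so no kernel hole or port redirector is needed for the low port.
named_cmd() {
    printf '%s -u %s -g %s -t %s\n' "$NAMED" "$1" "$2" "$3"
}

# Pre-flight: after chroot named can only open files inside the jail, so the
# config it reads must already be there. named.conf is mandatory; /dev/null
# (a character device, created with mknod) is commonly needed too, so warn.
check_jail() {
    dir=$1
    [ -d "$dir" ] || { echo "jail directory $dir does not exist" >&2; return 1; }
    [ -f "$dir/etc/named.conf" ] \
        || { echo "missing $dir/etc/named.conf inside the jail" >&2; return 1; }
    [ -c "$dir/dev/null" ] \
        || echo "warning: $dir/dev/null is not a character device" >&2
    return 0
}

# Refuse an account that is uid 0: -u root gives none of the intended protection.
check_user() {
    uid=$(id -u "$1" 2>/dev/null) || { echo "no such user: $1" >&2; return 1; }
    [ "$uid" -ne 0 ] || { echo "$1 is uid 0; refusing to start named as root" >&2; return 1; }
    return 0
}

# Post-start verification: read the real uid of the running process from
# /proc (Linux) and compare it with the account we asked for.
verify_running_as() {
    pid=$1
    want=$(id -u "$2" 2>/dev/null) || return 1
    got=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null) || return 1
    [ -n "$got" ] && [ "$got" = "$want" ]
}

case "${1:-}" in
  start)
    check_jail "$CHROOT_DIR" || exit 1
    check_user "$NAMED_USER" || exit 1
    echo "starting: $(named_cmd "$NAMED_USER" "$NAMED_GROUP" "$CHROOT_DIR")"
    "$NAMED" -u "$NAMED_USER" -g "$NAMED_GROUP" -t "$CHROOT_DIR"
    sleep 1
    pid=$(pidof named 2>/dev/null | awk '{ print $1 }')
    if [ -n "$pid" ] && verify_running_as "$pid" "$NAMED_USER"; then
        echo "named (pid $pid) is running as $NAMED_USER"
    else
        echo "named did not come up as $NAMED_USER; check syslog" >&2
        exit 1
    fi
    ;;
  stop)
    pid=$(pidof named 2>/dev/null | awk '{ print $1 }')
    [ -n "$pid" ] && kill "$pid"
    ;;
esac
```

Run it as root with `start`; the pre-flight checks fail closed, and the post-start check reads `/proc/<pid>/status` so it does not depend on `ps` output formatting. Zone files referenced from `named.conf` must of course also live under the jail, since named resolves them after the chroot.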