Re: [linux-security] Re: Chrooting bind 8.1.2 under debian 2.0
On Fri, 17 Jul 1998, Cougar wrote:
> [mod: It is slightly less trivial than 'chroot("/")', but if you can
> execute arbitrary code as root, you can break out of the chrooted
> environment. --REW]
>
> My idea is to run named non-root UID/GID. As named needs to bind port 53
> which is below 1024 there are problem to execute it. One solution is to
> rewrite named code (like httpd) another is to make the hole into the
> kernel. Both are nonstandard solutions. There are also possible to use
>
> [mod: Patches are floating around. -- REW]
Patches? Bind 8.1.2 has command-line options for running as non-root
UID/GID and chrooted. It binds to port 53 before dropping root. This is
only a problem if you have interfaces appearing/disappearing randomly that
you need named to bind to. Most real name servers probably don't have
that problem.
------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Spammers will be winnuked or
Network Administrator | drawn and quartered...whichever
Florida Digital Turnpike | is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
--
Unsubscribe? mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
Reply to: