On Mon, Feb 10, 2003 at 02:18:40PM +0100, Russell Coker wrote:
> On Sun, 9 Feb 2003 21:12, Jeffrey Taylor wrote:
> > It has been possible since BIND 8.x to run it non-root. I did it on
> > my main machine (non-Debian). It took a little fiddling with
> > permissions and ownership so it could read & write the configuration
> > and zone files. Figure an hour to get it to work. I should invest
> > another hour to improve the solution. I now think it can be done more
> > securely.
>
> I've been running BIND non-root for many years, I think I even had 4.x running
> non-root.
>
> I used the authbind package to allow binding to port 53 as non-root and needed
> a few modifications to /etc/init.d/bind and some permissions of some files.
> It wasn't too difficult.
>
> Bind9 manages its own security by dropping capabilities and does not work
> with authbind.

Yep, I didn't explicitly mention it, but bind9 is running as the 'bind' user.
I can't ever remember if this is the default or not, but it's working just fine
as a caching name server and as the authoritative server for my house :)

--
Rob Weir <rweir@ertius.org> http://ertius.org/
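The thread turns on two things an administrator wants to verify after setting this up: that named really is running under the 'bind' user rather than root, and that, since BIND 9 drops capabilities itself rather than relying on authbind, the process holds only a small capability set. The script below is an added example written for this page, not code from the thread's authors or from the BIND or Debian projects. It reads /proc/<pid>/status on Linux, decodes the CapEff/CapPrm bitmasks, and reports anything beyond an expected set. The ALLOWED_CAPS set, the process name "named", and the two sample status texts are assumptions constructed for illustration; adjust the allowed set to whatever your own BIND version actually retains.

```python
"""Audit a running name server for dropped privileges via /proc/<pid>/status.

Added example (not from the original mailing-list thread). ALLOWED_CAPS is an
assumption for this check, not a statement of what any BIND release retains.
"""
import os

# Linux capability bit numbers, as listed in include/uapi/linux/capability.h
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
}

# Assumed acceptable residual set for a de-privileged resolver: binding port 53,
# plus chroot and resource-limit adjustment where the server is configured to use them.
ALLOWED_CAPS = {"CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_SYS_RESOURCE"}


def parse_status(text):
    """Turn the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hexmask):
    """Expand a CapEff/CapPrm hex mask into a set of capability names."""
    mask = int(hexmask, 16)
    return {CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64) if (mask >> bit) & 1}


def audit_status(text):
    """Return a list of findings; an empty list means the process looks de-privileged."""
    f = parse_status(text)
    findings = []
    # Uid line holds real, effective, saved and filesystem uids; none may be root.
    uids = f.get("Uid", "").split()
    if not uids or "0" in uids:
        findings.append(f"root uid present in Uid line: {f.get('Uid')!r}")
    for key in ("CapEff", "CapPrm"):
        extra = decode_caps(f.get(key, "0")) - ALLOWED_CAPS
        if extra:
            findings.append(f"{key} holds unexpected capabilities: {sorted(extra)}")
    return findings


def find_pids_by_comm(name, proc="/proc"):
    """Find pids whose /proc/<pid>/comm matches name (Linux only)."""
    pids = []
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "comm")) as fh:
                    if fh.read().strip() == name:
                        pids.append(int(entry))
            except OSError:
                continue
    return pids


# Constructed sample status texts (not captured from a real host).
SAMPLE_GOOD = (
    "Name:\tnamed\nUid:\t104\t104\t104\t104\nGid:\t108\t108\t108\t108\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
)
SAMPLE_BAD = (
    "Name:\tnamed\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
)

if __name__ == "__main__":
    for pid in find_pids_by_comm("named"):
        with open(f"/proc/{pid}/status") as fh:
            problems = audit_status(fh.read())
        print(f"pid {pid}:", "ok" if not problems else "; ".join(problems))
```

Run it as any local user on the host where named runs; /proc/<pid>/status is world-readable. The script checks CapPrm as well as CapEff, since a process that keeps capabilities permitted but not effective can still raise them later.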