DNS - Changing the owner to named
I would like to run named to run under the user named. The default setting seems to run as root. I have been reading security books and they all suggest this change. In my Redhat distribution I change the init script and it works.

In the named script found in /etc/init.d the named process is started by startproc. The startproc man page says to start the process with the -u and -g switch. It does run as a different user, but then named seems not to work. The named process is running, but it does not respond to queries. I can't tell at the moment if it is because startproc starts it as a user process, that is to say it does not start up as root, or what is going on.

I am going to investigate it further, I just want to know if I was on the right track or if there is somewhere in the manuals that describe starting named with a user other than root and I just haven't found it.

thanks
edward
On Sunday 06 October 2002 00:29, Edward Cheadle wrote:
> I would like to run named to run under the user named. The default setting seems to run as root. I have been reading security books and they all suggest this change. In my Redhat distribution I change the init script and it works.
> In the named script found in /etc/init.d the named process is started by startproc. The startproc man page says to start the process with the -u and -g switch. It does run as a different user, but then named seems not
Which version of bind and which kernel? On a 2.2.x kernel you can't use the -u switch. I'm running bind 9 on a 2.4.20-pre kernel and use the -u switch (and -t to run it chrooted), why the -g switch? In bind9 it means to run it in the foreground and log to stderr, that's probably not what you want.
> to work. The named process is running, but it does not respond to queries. I can't tell at the moment if it is because startproc starts it as a user process, that is to say it does not start up as root, or what is going on.
> I am going to investigate it further, I just want to know if I was on the right track or if there is somewhere in the manuals that describe starting named with a user other than root and I just haven't found it.
In bind9, man named describes this.

--
GertJan
Edward,

It's probably failing when it tries to create /var/run/named.pid - named won't have permissions to write to that dir. One way around this is to create a "run" or "pid" group or similar, and allowing that group to write to /var/run, and adding named to the group. Not sure if that's the best way to go though... You might be better off making a chroot jail for it (and use the -t switch).

Richard.

On Sun, 2002-10-06 at 11:29, Edward Cheadle wrote:
> I would like to run named to run under the user named. The default setting seems to run as root. I have been reading security books and they all suggest this change. In my Redhat distribution I change the init script and it works.
> In the named script found in /etc/init.d the named process is started by startproc. The startproc man page says to start the process with the -u and -g switch. It does run as a different user, but then named seems not to work. The named process is running, but it does not respond to queries. I can't tell at the moment if it is because startproc starts it as a user process, that is to say it does not start up as root, or what is going on.
> I am going to investigate it further, I just want to know if I was on the right track or if there is somewhere in the manuals that describe starting named with a user other than root and I just haven't found it.
> thanks
> edward
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
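As an added example, not part of this thread or of any SuSE init script, here is a small POSIX shell script that does what Richard describes: it gives the unprivileged named user a pid directory of its own instead of opening up /var/run, checks that directory before start-up, and builds the named command line with the -u and -t switches GertJan mentions (and without -g, which in BIND 9 keeps the daemon in the foreground). The directory paths, the user and group names, and the named.conf fragment are assumptions chosen for illustration, not the distribution's real layout.

```shell
#!/bin/sh
# Added example (not from the thread): a dedicated, writable pid directory
# for an unprivileged named, plus a pre-start check and the command line.
# All paths, user and group names below are placeholders, not SuSE's layout.

# owner_of DIR: print the owning user of DIR (parses ls -ld for portability).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# prepare_pid_dir DIR USER GROUP: create DIR, hand it to USER:GROUP, mode 0750,
# so only that user can create the pid file there. chown to a different user
# needs root, so run this from the (root-owned) init script before dropping
# privileges, not from the named user itself.
prepare_pid_dir() {
    dir=$1; user=$2; group=$3
    mkdir -p "$dir" || return 1
    chown "$user:$group" "$dir" || return 1
    chmod 0750 "$dir" || return 1
}

# check_pid_dir DIR USER: return 0 if DIR exists, is owned by USER and the
# owner has write permission; otherwise print why and return 1. This is the
# failure Richard describes (named silently unable to write its pid file).
check_pid_dir() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    [ "$(owner_of "$dir")" = "$user" ] || {
        echo "$dir: not owned by $user" >&2; return 1; }
    # third character of the ls mode string is the owner write bit
    wbit=$(ls -ld "$dir" | cut -c3)
    [ "$wbit" = "w" ] || {
        echo "$dir: owner $user lacks write permission" >&2; return 1; }
    return 0
}

# named_conf_options PIDFILE: print an options block pointing named at the
# dedicated pid file. With -t, named opens PIDFILE relative to the chroot,
# so create the directory inside the jail. "directory" is a placeholder path.
named_conf_options() {
    printf 'options {\n    directory "/var/named";\n    pid-file "%s";\n};\n' "$1"
}

# named_cmdline USER CHROOT: the invocation from the thread: -u drops to USER
# after binding port 53, -t chroots. No -g: in BIND 9 that means foreground
# plus logging to stderr, which an init script does not want.
named_cmdline() {
    printf 'named -u %s -t %s -c /etc/named.conf\n' "$1" "$2"
}

# Usage from an init script, as root (placeholder paths):
#   prepare_pid_dir /var/named/chroot/var/run/named named named
#   check_pid_dir   /var/named/chroot/var/run/named named || exit 1
#   named_conf_options /var/run/named/named.pid   # paste into named.conf
#   $(named_cmdline named /var/named/chroot)
```

The check is deliberately run before named starts, because a named that cannot write its pid file may still show up in the process table while answering nothing, which is exactly the symptom Edward reports.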
On Sun, Oct 06, 2002 at 12:20:22PM +1300, Richard Barrington wrote:
> It's probably failing when it tries to create /var/run/named.pid - named won't have permissions to write to that dir.
Yes, that's a known problem with BIND9. This should be fixed in SL 8.1; bind9 should run as user named by default there.

Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
participants (4)
- Edward Cheadle
- GertJan Spoelman
- Olaf Kirch
- Richard Barrington