Hi ! I am running the latest bind8 rpm package from SuSE and I want to put it into a chrooted environment with Marc's "compartment". I am wondering if it is safer if I run bind as user root, but chrooted, or if I run it normally, but as user named. Removing the caps option and adding --user named --group named does not work, because the server isn't allowed to bind to ports < 1024. So what to do ? Björn
* Björn Engels wrote on Sat, Mar 10, 2001 at 18:38 +0100:
"compartment". I am wondering if it is safer if I run bind as user root, but chrooted,
No, you'll have to combine non-root and chroot of course.
or if I run it normally, but as user named. Removing the caps option and adding --user named --group named does not work, because the server isn't allowed to bind to ports < 1024.
I run chrooted DNS server without problems as user named. You may take a look to the "Change Root" section in my german DNS HOWTO (your eMail suggests that you're able to read german). Port binding happens before dropping root privileges. Please don't forget to copy the needed files to your chroot environment (some libs, /usr/sbin/named*, /dev/null, /etc/named.conf and so on). Don't forget to add /var/named.chroot/dev/log (or wherever your chroot exists) to the SYSLOGD_PARAMETER in /etc/rc.config - otherwise syslogd won't get your log messages and you're lost :). oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.
Running anything chrooted as root is pointless. root can break out of a chroot
in <1 second. Kriminy, securityportal has 3+ articles on securing bind, I
suggest you look at them.
Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
----- Original Message -----
From: "Björn Engels"
But there is the options to named as in named -u named -g named On Sat, 10 Mar 2001, [iso-8859-1] Bj�rn Engels wrote:
Hi !
I am running the latest bind8 rpm package from SuSE and I want to put it into a chrooted environment with Marc's "compartment". I am wondering if it is safer if I run bind as user root, but chrooted, or if I run it normally, but as user named. Removing the caps option and adding --user named --group named does not work, because the server isn't allowed to bind to ports < 1024.
So what to do ?
Bj�rn
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
participants (4)
-
Björn Engels
-
Kurt Seifried
-
semat
-
Steffen Dettmer