Date: Mon, 1 Jun 1998 09:58:26 -0400 (EDT)
From: "Craig H. Rowland" <crowland@psionic.com>
To: Ollivier Robert <roberto@keltia.freenix.fr>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named
Message-ID: <Pine.LNX.3.96.980601095150.26752A-100000@dolemite.psionic.com>
In-Reply-To: <19980601115112.A10806@keltia.freenix.fr>
Version 8.x has several new options that allow securing BIND more reasonably:

-t - chroot() directory
-u - UID to run under after bind()
-g - GID to run under after bind()

I have a web page up that describes how to run BIND 8.x under a chroot() environment under OpenBSD 2.x. A lot of the information should apply to FreeBSD as well. Here is the URL:

http://www.psionic.com/papers/dns.html

Adam Shostack has a similar paper (mine is based off of his original article). It deals with BIND on Solaris:

http://www.homeport.org/~adam/dns.html

-- Craig

On Mon, 1 Jun 1998, Ollivier Robert wrote:

> According to Steve Reid:
> > Also... Is there any reason for this daemon to run as root, other than
> > binding to port 53? Would it be possible and reasonable to patch it to
> > give up root after binding to the port?
>
> Zone transfers are done by connecting tcp(53) to tcp(53). Name resolution
> between servers is using 53 too so you'll need to bind several times on
> that port.
>
> After loading the zone, you'll also need to write it on disk...
> --
> Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 3.0-CURRENT #60: Fri May 15 21:04:22 CEST 1998
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
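The bind-then-drop sequence that the -t/-u/-g options stand for, written out as an added example (this is not code from the thread or from BIND itself): the privileged port is bound while still root, then the process enters the chroot, then it sheds its supplementary groups, its gid and finally its uid, after which none of the earlier steps can be redone. The chroot directory /var/named and the uid/gid 53 used in main() are assumed values for illustration, not anything the thread specifies.

```c
/* Added example (not from the thread or from BIND): bind the privileged
 * port first, then chroot() and give up root in an order that is one-way. */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a listening TCP socket bound to `port` on all interfaces.
 * For port 53 this has to happen while the process is still root.
 * Returns the descriptor, or -1 with errno set. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* chroot() to `root`, then drop supplementary groups, gid and uid, in
 * that order. Returns 0 on success, -1 with errno set (EPERM if not root). */
int drop_privileges(const char *root, uid_t uid, gid_t gid)
{
    if (chroot(root) < 0)        /* needs root, so it must precede setuid() */
        return -1;
    if (chdir("/") < 0)          /* otherwise the cwd still points outside the jail */
        return -1;
    if (setgroups(0, NULL) < 0)  /* clear root's supplementary groups */
        return -1;
    if (setgid(gid) < 0)         /* gid before uid: setgid() still needs root */
        return -1;
    if (setuid(uid) < 0)         /* last step; after this root is gone for good */
        return -1;
    return 0;
}

/* 1 if the process is unprivileged and cannot regain root, else 0. */
int privileges_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    return setuid(0) == -1 && errno == EPERM;
}

int main(void)
{
    /* Assumed values for illustration: jail at /var/named, uid/gid 53. */
    int fd = bind_listener(53);
    if (fd < 0) {
        perror("bind port 53");
        return 1;
    }
    if (drop_privileges("/var/named", 53, 53) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on 53 as uid %d, root regainable: %s\n",
           (int)getuid(), privileges_dropped() ? "no" : "yes");
    close(fd);
    return 0;
}
```

Two consequences of this order follow from the thread: every port-53 socket (the TCP listener for zone transfers as well as the UDP one) has to be opened before drop_privileges() runs, and anything the daemon writes afterwards, such as a transferred zone, lands inside the chroot in a directory owned by the unprivileged uid, since the process can no longer open paths outside the jail or as root.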