Date: Wed, 31 Jan 2001 23:55:18 +0200 (IST)
From: Roman Shterenzon <roman@xpert.com>
To: <freebsd-security@freebsd.org>
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Message-ID: <Pine.LNX.4.30.0101312352150.3617-100000@jamus.xpert.com>
In-Reply-To: <200101312123.f0VLNL134920@freefall.freebsd.org>
On Wed, 31 Jan 2001, FreeBSD Security Advisories wrote:

> =============================================================================
> FreeBSD-SA-01:18 Security Advisory
>
> Topic: BIND remotely exploitable buffer overflow
..snip..
>
> There is no known practical workaround to prevent the vulnerability
> from being exploited, short of upgrading the software. A partial
> workaround to limit the impact of the vulnerability should it be
> exploited is to run named as an unprivileged user.
>
> Add the following line to /etc/rc.conf:
>
> named_flags="-u bind -g bind" # Flags for named
>
> Add the following line to your /etc/namedb/named.conf file, in the
> "options" section:
>
> pid-file "/var/named/named.pid";
>
> See the named.conf(5) manual page for more details about configuring
> named.
>
> Perform the following commands as root:
>
> Create a directory writable by the bind user where named can store its
> pid file:
>
> # mkdir /var/named
> # chown bind:bind /var/named
>
> Use of the -t option to named will also increase security when run as
> a non-privileged user by confining the named process to a chroot
> environment and thereby partially limiting the access it has to the
> rest of the system. Configuration of these options is beyond the
> scope of the advisory. The following website contains information
> which may be useful to administrators wishing to perform this step:
>
> http://www.losurs.org/docs/howto/Chroot-BIND.html
>

Why not make it default in the base system?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
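An added audit script, not part of the advisory or of this thread, that checks whether a host has applied the partial workaround quoted above: it reads an rc.conf-style file for `named_flags` with `-u <non-root user>` and the optional `-t <dir>` chroot, and a named.conf-style file for the `pid-file` option the unprivileged user needs. Only the two syntaxes quoted in the advisory are assumed; the sample files are constructed temporaries, not the real /etc/rc.conf or /etc/namedb/named.conf.

```sh
#!/bin/sh
# Audit helper for the FreeBSD-SA-01:18 workaround (added example, not advisory
# code). Exit status of check_named_workaround: 0 = -u, pid-file and -t chroot
# all set; 1 = unprivileged user and pid-file set but no chroot; 2 = named
# would still run as root, or could not write its pid file as that user.

# named_flag_value RCFILE FLAG -> value that follows FLAG in named_flags, if any
named_flag_value() {
    sed -n 's/^[[:space:]]*named_flags="\([^"]*\)".*/\1/p' "$1" |
        awk -v flag="$2" '{ for (i = 1; i < NF; i++) if ($i == flag) { print $(i+1); exit } }'
}

# named_pid_file NAMEDCONF -> path given by the pid-file option, if any
named_pid_file() {
    sed -n 's/^[[:space:]]*pid-file[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1"
}

check_named_workaround() {
    user=$(named_flag_value "$1" -u)
    pidfile=$(named_pid_file "$2")
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "unfixed: named_flags does not drop privileges"; return 2
    fi
    if [ -z "$pidfile" ]; then
        echo "unfixed: no pid-file option; $user cannot write the default pid file"; return 2
    fi
    if [ -n "$(named_flag_value "$1" -t)" ]; then
        echo "ok: named runs as $user in a chroot, pid file $pidfile"; return 0
    fi
    echo "partial: named runs as $user, pid file $pidfile, no chroot"; return 1
}

# Constructed sample inputs (temporary files, not the live system configuration)
RC_DEFAULT=$(mktemp); CONF_DEFAULT=$(mktemp)
printf 'named_enable="YES"\n' > "$RC_DEFAULT"
printf 'options {\n\tdirectory "/etc/namedb";\n};\n' > "$CONF_DEFAULT"
RC_FIXED=$(mktemp); CONF_FIXED=$(mktemp)
printf 'named_enable="YES"\nnamed_flags="-u bind -g bind" # Flags for named\n' > "$RC_FIXED"
printf 'options {\n\tdirectory "/etc/namedb";\n\tpid-file "/var/named/named.pid";\n};\n' > "$CONF_FIXED"
RC_CHROOT=$(mktemp)
printf 'named_flags="-u bind -g bind -t /var/named"\n' > "$RC_CHROOT"

if [ "${1:-}" = demo ]; then
    check_named_workaround "$RC_DEFAULT" "$CONF_DEFAULT"   # unfixed, status 2
    check_named_workaround "$RC_FIXED" "$CONF_FIXED"       # partial, status 1
    check_named_workaround "$RC_CHROOT" "$CONF_FIXED"      # ok, status 0
fi
```

Run with `sh script.sh demo` to see the three verdicts; point the two arguments at a host's own rc.conf and named.conf to audit it.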