[1995] in linux-security and linux-alert archive


[linux-security] Re: Chrooting bind 8.1.2 under debian 2.0

daemon@ATHENA.MIT.EDU (Jon Lewis)
Sat Jul 18 06:15:42 1998

Date: Fri, 17 Jul 1998 10:18:22 -0400 (EDT)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: Cougar <cougar@lost.data.ee>
cc: debian-user@lists.debian.org, linux-security@redhat.com,
  debian-isp@lists.debian.org
In-Reply-To: <Pine.LNX.3.96.980717110508.29168A-100000@lost.data.ee>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

On Fri, 17 Jul 1998, Cougar wrote:

> [mod: It is slightly less trivial than 'chroot("/")', but if you can
> execute arbitrary code as root, you can break out of the chrooted
> environment. --REW]
> 
> My idea is to run named with a non-root UID/GID. As named needs to bind port 53,
> which is below 1024, there is a problem executing it. One solution is to
> rewrite the named code (like httpd); another is to make a hole in the
> kernel. Both are nonstandard solutions. It is also possible to use
> 
> [mod: Patches are floating around. -- REW]

Patches?  Bind 8.1.2 has command-line options for running as non-root
UID/GID and chrooted.  It binds to port 53 before dropping root.  This is
only a problem if you have interfaces appearing/disappearing randomly that
you need named to bind to.  Most real name servers probably don't have
that problem.

[mod: Sorry about that. I scanned my online sources of bind-8.1.2 and
couldn't find those options in the 30 seconds that I was
looking. Since I remembered having seen the options, I thought it
must've been a patch floating around. -- REW]


------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Spammers will be winnuked or 
 Network Administrator       |  drawn and quartered...whichever
 Florida Digital Turnpike    |  is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
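The order the reply describes (bind the privileged port while still root, then chroot and drop to an unprivileged UID/GID) is the whole point of BIND 8.1.2's -u/-g/-t options. The following C program is an added example, not code from the thread or from BIND itself; it shows that sequence and why each step has to come where it does. The jail directory, user and group names are placeholders taken from the command line, and the listener is a single UDP/IPv4 socket.

```c
/* Added example (not from the mailing-list post or from BIND): bind a
 * privileged port as root, then chroot and drop privileges, in the order
 * that actually works. Jail path, user and group are placeholders passed
 * on the command line; the listener is UDP/IPv4 only. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind a UDP socket to 0.0.0.0:port. Ports below 1024 need root (or
 * CAP_NET_BIND_SERVICE), so this must run BEFORE privileges are dropped.
 * Returns the socket, or -1 on failure. */
int bind_udp(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port a bound socket ended up on (meaningful when port 0 was requested). */
int local_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0)
        return -1;
    return ntohs(sa.sin_port);
}

/* Enter the jail and give up root. chroot() needs root, so it comes first;
 * chdir("/") moves the cwd inside the jail; supplementary groups and the
 * gid go before the uid, because setuid() is the step that removes the
 * ability to do everything else. A NULL jail skips chroot (used by the
 * self-test, which is not root). Returns 0 on success, -1 on failure. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (jail != NULL) {
        if (chroot(jail) != 0 || chdir("/") != 0)
            return -1;
    }
    /* Only root can clear supplementary groups; an unprivileged caller
     * has no root groups to shed in the first place. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm the drop stuck: after moving to uid != 0, regaining root
     * through setuid(0) must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jail-dir> <user> <group>\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[2]);
    struct group *gr = getgrnam(argv[3]);
    if (pw == NULL || gr == NULL) {
        fprintf(stderr, "unknown user or group\n");
        return 2;
    }
    int fd = bind_udp(53);              /* still root at this point */
    if (fd < 0) {
        perror("bind udp/53");
        return 1;
    }
    if (drop_privileges(argv[1], pw->pw_uid, gr->gr_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("udp/%d bound, now uid %d gid %d inside %s\n",
           local_port(fd), (int)getuid(), (int)getgid(), argv[1]);
    /* A real server would enter its request loop on fd here. */
    close(fd);
    return 0;
}
```

Because the socket is opened once before the drop, the program cannot later bind a fresh interface on port 53, which is exactly the limitation the reply mentions for hosts whose interfaces come and go. Run it as root with a jail directory and an unprivileged user and group; the self-test below exercises the same functions without root by binding an ephemeral port and dropping to the caller's own uid/gid.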

