[21492] in bugtraq

Re: Bug#104182: bind: Bind daemon run as root (needless)

daemon@ATHENA.MIT.EDU (Foldi Tamas)
Sun Jul 15 23:40:39 2001

From: Foldi Tamas <crow@kapu.hu>
To: bugtraq@securityfocus.com
In-Reply-To: <87u20kmx7m.fsf@rover.gag.com>
Content-Type: text/plain
Date: 11 Jul 2001 14:44:12 +0200
Message-Id: <994855453.1221.3.camel@DarkSun>
Mime-Version: 1.0

On 10 Jul 2001 12:54:21 -0600, Bdale Garbee wrote:
> crow@kapu.hu writes:
> > The bind daemon run as root, but it should run as ...
> 
> You obviously have neither read /usr/share/doc/bind/README.Debian nor looked
> at the existing bug reports against bind in the Debian bug tracking system.

We read the following line in the Debian bug tracking system:

#50013: bind: bind should not run as root.
Package: bind; Severity: wishlist; Reported by: Pierre Blanchet
<blanchet@cvf.fr>; merged with #52745, #53550;  1 year and 242 days old.

Hmm, it looks like Debian doesn't want to run the bind daemon as a
non-privileged user. It's very dangerous, because when there is a bug
in the program (not impossible:), the attacker can break out of the
chroot, and can spawn a rootshell.

In the other distros it runs as the 'named' user, so the attacker can't
break out of the chroot, can't mknod, doesn't get a rootshell, etc. Nice
feature, if it is used.

But in Debian, this is not so simple. If the SERVER has USB and PCMCIA
network device drivers, when a new interface is connected to Linux, the
user needn't restart bind, because it runs as root, so it can detect and
bind the port on the new interface.

At this point, we think security is more important than comfort (and
bind was developed for the server environment). If we are thinking
wrongly - so comfort comes first - the Debian maintainers should have
some idea (they had 1 year and 242 days so far:) to solve the problem.
For example, put the bind restart script into PCMCIA's cardmgr and/or
USB's usbmgr scripts (they are run as root).

Dear maintainer, at least put a simple script into the deb package,
which asks on install whether the daemon should run as root or not.

Best regards,
Foldi Ur, Megyer Ur

> Reprioritizing as wishlist and merging with the other requests of similar
> nature.
> 
> Bdale

-- 
. . _ __ ______________________________________________________ __ _ . .
Foldi Tamas - We Are The Hashmark In The Rootshell - Security Consultant
   crow@kapu.hu - PGP: finger://crow@thot.banki.hu - (+3630) 221-7477 
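
An audit check for the condition discussed in the message above, added as an example and not part of the original post or of any Debian package: it reads `ps -eo pid=,user=,args=` style lines and flags every named process still owned by root, with or without a chroot (`-t`). The function names, PIDs and paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag BIND processes that still run as root.
# Input format matches `ps -eo pid=,user=,args=`.

audit_named() {
    awk '
    BEGIN { bad = 0 }
    {
        n = split($3, path, "/")
        if (path[n] != "named") next          # only look at the BIND daemon
        jail = "-"
        for (i = 4; i < NF; i++)
            if ($i == "-t") jail = $(i + 1)   # named -t <dir>: chroot directory
        # A chroot does not contain uid 0, so root is a finding with or without -t.
        verdict = ($2 == "root") ? "RISK" : "ok"
        if (verdict == "RISK") bad = 1
        printf "%s user=%s chroot=%s %s\n", $1, $2, jail, verdict
    }
    END { exit bad }'
}

# Constructed sample data (PIDs and paths are made up for illustration).
sample_ps() {
    cat <<'EOF'
  412 root     /usr/sbin/named
  513 root     /usr/sbin/named -t /var/named/chroot
  614 named    /usr/sbin/named -u named -t /var/named/chroot
  715 root     /usr/sbin/sshd
EOF
}

# On a live host: ps -eo pid=,user=,args= | audit_named
sample_ps | audit_named || echo "named is running as root"
```

The function exits non-zero when any named process is owned by root, so it can be used as a check in an install or monitoring script.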

