From owner-freebsd-security Mon Jun 1 07:59:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA20467 for freebsd-security-outgoing; Mon, 1 Jun 1998 07:59:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from nemesis.psionic.com (nemesis.bipolar.net [209.30.119.58]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA20454 for ; Mon, 1 Jun 1998 07:59:09 -0700 (PDT) (envelope-from crowland@psionic.com)
Received: (from maildrop@localhost) by nemesis.psionic.com id JAA18210; Mon, 1 Jun 1998 09:59:31 -0500 (CDT)
X-Authentication-Warning: nemesis.psionic.com: maildrop set sender to using -f
Received: from dolemite.bipolar.net(209.30.119.59) by nemesis via smap (V2.0) id xma022616; Mon, 1 Jun 98 09:59:12 -0500
Date: Mon, 1 Jun 1998 09:58:26 -0400 (EDT)
From: "Craig H. Rowland"
To: Ollivier Robert
cc: freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named
In-Reply-To: <19980601115112.A10806@keltia.freenix.fr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Version 8.x has several new options that allow securing BIND more reasonably:

  -t - chroot() directory
  -u - UID to run under after bind()
  -g - GID to run under after bind()

I have a web page up that describes how to run BIND 8.x under a chroot() environment under OpenBSD 2.x. A lot of the information should apply to FreeBSD as well. Here is the URL:

  http://www.psionic.com/papers/dns.html

Adam Shostack has a similar paper (mine is based off of his original article). It deals with BIND on Solaris:

  http://www.homeport.org/~adam/dns.html

-- Craig

On Mon, 1 Jun 1998, Ollivier Robert wrote:

> According to Steve Reid:
> > Also... Is there any reason for this daemon to run as root, other than
> > binding to port 53? Would it be possible and reasonable to patch it to
> > give up root after binding to the port?
>
> Zone transfers are done by connecting tcp(53) to tcp(53). Name resolution
> between servers is using 53 too so you'll need to bind several times on
> that port.
>
> After loading the zone, you'll also need to write it on disk...
> --
> Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 3.0-CURRENT #60: Fri May 15 21:04:22 CEST 1998
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
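The sequence that the -t/-u/-g options describe (bind the privileged port as root, chroot, then change group and user) has ordering constraints that are easy to get wrong, so here it is written out as a small C routine. This is an added example, not code from the post, from the linked papers or from BIND itself; the function names bind_then_drop and privs_dropped are hypothetical, and the example binds an ephemeral loopback port with the caller's own ids so it runs without root (a real daemon would pass 53, the jail directory and an unprivileged uid/gid).

```c
/* Added example: "bind as root, then drop privileges", as BIND 8.x does
 * when started with -t <dir> -u <uid> -g <gid>.  Not BIND's own code. */
#define _DEFAULT_SOURCE 1
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>

/*
 * Open a UDP socket on 127.0.0.1:port, then confine and de-privilege the
 * process.  The order is the whole point:
 *   1. bind()     - must happen while still root for ports below 1024 (53).
 *   2. chroot()   - root-only, so it must precede the uid change; chdir("/")
 *                   afterwards so the working directory is inside the jail.
 *   3. setgroups()/setgid() - groups first: once the uid is unprivileged the
 *                   process can no longer change its groups.
 *   4. setuid()   - last, and irrevocable for a non-root target uid.
 * jail may be NULL to skip the chroot so the routine can run unprivileged.
 * Returns 0 on success (socket fd stored in *out_fd), -1 on any failure.
 */
int bind_then_drop(unsigned short port, const char *jail,
                   uid_t uid, gid_t gid, int *out_fd)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { close(fd); return -1; }

    if (jail != NULL && (chroot(jail) < 0 || chdir("/") < 0)) { close(fd); return -1; }

    /* setgroups() is root-only; skip it when already unprivileged. */
    if (geteuid() == 0 && setgroups(1, &gid) < 0) { close(fd); return -1; }
    if (setgid(gid) < 0) { close(fd); return -1; }
    if (setuid(uid) < 0) { close(fd); return -1; }

    *out_fd = fd;
    return 0;
}

/* 1 if real and effective ids equal the target and root cannot be regained,
 * 0 otherwise.  The setuid(0) probe must fail with EPERM once dropped. */
int privs_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;
    return 1;
}

int main(void)
{
    int fd;
    /* Constructed parameters: port 0 (kernel-chosen) and the caller's own
     * ids, so this demonstration does not need root. */
    if (bind_then_drop(0, NULL, getuid(), getgid(), &fd) < 0) {
        perror("bind_then_drop");
        return 1;
    }
    printf("privileges dropped: %s\n",
           privs_dropped(getuid(), getgid()) ? "yes" : "no");
    close(fd);
    return 0;
}
```

Two things worth noting from the routine: the bound socket survives the chroot and the uid change, which is exactly why named can hold port 53 as an unprivileged user (the follow-up concern about binding several times means all such sockets must be opened before step 4), and a zone file written to disk after the drop lands inside the jail and must be writable by the -u user.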