Date: Fri, 24 Sep 2004 09:38:40 +0100
From: Matthew Seaman
To: Robert Huff
Cc: questions@freebsd.org
Subject: Re: Speaking of Bind: installworld changed directory owner

On Thu, Sep 23, 2004 at 11:35:08PM -0400, Robert Huff wrote:
>
> Matthew Seaman writes:
>
> > Why do you think /etc/namedb should be owned by the bind user?
>
> Because I read - not sure where, might have been the O'Reilly
> book - a) the first step in securing bind is running as !root
> (i.e. user "bind") and b) the bind directory needs to be owned by
> that user.
> Now maybe I'm mis-remembering, or mis-read in the first place
> ... but I'm not pulling this out of thin air.

Certainly running bind as a non root user is essential, as is clearly
stated in the O'Reilly DNS and Bind book. However I can't see any
specific instructions on what ownership and permissions that directory
should have, although I don't claim to have managed to make a thorough
search through that book this morning.

I'd tend to think about these things in terms of 'least privilege'.
If someone can subvert your bind process by some sort of buffer
overflow exploit (say), then what damage can they do? You can assume
that they've got a process with all of the credentials of the bind
user. That means they can write to any files that the bind user can
write to, or read anything which bind has read permission on. Using
the chroot features of bind and setting file ownerships and
permissions carefully will minimise your exposure.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
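
The least-privilege question raised in the message above ("what can a process with the bind user's credentials write to?") can be answered by auditing the mode bits under the namedb directory. The script below is an added example, not part of the original message; the function name writable_by is hypothetical, and it assumes classic Unix permission semantics only (no supplementary groups, ACLs or file flags).

```sh
#!/bin/sh
# writable_by UID GID DIR
# Print every path under DIR that a process running with numeric UID and
# primary GID could modify, judged by owner/group/other mode bits alone.
#
# The kernel consults exactly one permission class per access:
#   - if the process owns the file, only the owner bits count;
#   - else if its group matches, only the group bits count;
#   - otherwise only the "other" bits count.
# So a file with mode 0466 is NOT writable by its owner, but IS writable
# by everyone else. The find expression mirrors that order.
#
# Symlinks are skipped: their own mode bits do not control access.
writable_by() {
    uid=$1
    gid=$2
    dir=$3
    find "$dir" ! -type l \( \
        \( -user "$uid" -perm -0200 \) -o \
        \( ! -user "$uid" -group "$gid" -perm -0020 \) -o \
        \( ! -user "$uid" ! -group "$gid" -perm -0002 \) \
    \) -print | sort
}

# Typical use on the system discussed in the thread (run as root so that
# every subdirectory can be read):
#   writable_by "$(id -u bind)" "$(id -g bind)" /etc/namedb
# Anything listed is something a subverted name server process could alter.
```

A writable directory matters as much as a writable file: write permission on a directory lets the process create, rename or delete entries in it regardless of the modes of the files themselves.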