Date: Mon, 6 Mar 2000 18:06:34 +0200
From: Valentin Nechayev <netch@lucky.net>
To: Igor Roshchin <igor@physics.uiuc.edu>
Cc: security@FreeBSD.ORG
Subject: Re: named started by any user will be running until killed...
Message-ID: <20000306180634.A27970@lucky.net>
In-Reply-To: <200003060858.CAA07208@alecto.physics.uiuc.edu>; from igor@physics.uiuc.edu on Mon, Mar 06, 2000 at 02:58:06AM -0600
References: <200003060858.CAA07208@alecto.physics.uiuc.edu>
Hello Igor Roshchin!

Mon, Mar 06, 2000 at 02:58:06, igor wrote:

> I've got a situation when an ordinary shell user on a FreeBSD-3.4-RELEASE
> box started the named server (by mistake).
[skip]
> These messages were repeated in the syslog every hour until the named
> was manually killed.
> I am not sure if this created any problems for the system,
> at least, I didn't see any obvious slowdown, or resource exhaustion,
> but I would think there should be a mechanism which would allow
> to prevent such accidents.
> Obviously, it can be done using "jail" and FreeBSD 4.x,
> but even in FBSD-3.x there should be some way of preventing users
> from running system daemons.

There is nothing bad when a user can run bind.
There is nothing bad when this user can run bind on its own port, according to limitations *and system policy*.
There is nothing bad when an ordinary user fails to use port 53.
The main (and imho single) *great* evil is that an ordinary user can contaminate the system log with messages from its own program.

[skip]
> 2. Making the file owned by "bind" (or nobody in case of httpd),

The user can get a named program from another host. Will you set the noexec flag on the partition with his (her) home?

> Just recently I was thinking if there should be some general
> way of restricting daemons being run by users (on any port).

A sufficient restriction is to deny port binding by such a user.

--
NVA

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
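The point under discussion (an ordinary user may start a daemon, but the kernel's reserved-port policy stops it from taking port 53, and the daemon should then exit instead of retrying and filling syslog) can be checked directly. The following is an added example, not code from the thread or from BIND: it probes whether the calling uid may bind a given TCP port on INADDR_ANY and maps the result to the decision a well-behaved daemon should take. Function names (probe_bind, bind_verdict) and the verdict strings are this example's own; the IPPORT_RESERVED (1024) boundary is the standard BSD/Linux rule.

```c
/* Added example: probe whether the calling user may bind a TCP port, the
 * way a daemon such as named must before it starts serving.  Returns 0 on
 * success, otherwise the errno from socket() or bind().  On BSD and Linux,
 * ports below IPPORT_RESERVED (1024) need root (or an equivalent privilege),
 * so an ordinary user gets EACCES on port 53 while port 0 (ephemeral) works. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

int probe_bind(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);   /* port 0 asks the kernel for an ephemeral port */

    int rc = 0;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        rc = errno;
    close(fd);                    /* never listen(): we only test the policy */
    return rc;
}

/* Map a probe result to what the daemon should do.  The hourly retry the
 * thread complains about corresponds to treating EACCES as transient;
 * here it is treated as a permanent policy decision. */
const char *bind_verdict(int rc)
{
    switch (rc) {
    case 0:          return "bindable: ok to start";
    case EACCES:
    case EPERM:      return "denied by privilege policy: exit, do not retry";
    case EADDRINUSE: return "port already taken: exit";
    default:         return "other error: exit";
    }
}

int main(void)
{
    unsigned short ports[] = { 53, 0 };   /* DNS, then an ephemeral port */
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        int rc = probe_bind(ports[i]);
        printf("uid %u port %u -> %s (%s)\n", (unsigned)getuid(), ports[i],
               bind_verdict(rc), rc ? strerror(rc) : "ok");
    }
    return 0;
}
```

Run it once as an ordinary user and once as root: the unprivileged run reports EACCES for port 53 and success for the ephemeral port, which is exactly the "sufficient restriction" the reply describes. Whether the daemon then exits or keeps retrying is up to the program, not the kernel, which is why the log contamination remains.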