Date:      Tue, 7 Mar 2000 02:58:45 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Igor Roshchin <igor@physics.uiuc.edu>
Cc:        security@freebsd.org
Subject:   Re: named started by any user will be running until killed...
Message-ID:  <20000307025845.E84318@hades.hell.gr>
In-Reply-To: <200003060858.CAA07208@alecto.physics.uiuc.edu>; from igor@physics.uiuc.edu on Mon, Mar 06, 2000 at 02:58:06AM -0600
References:  <200003060858.CAA07208@alecto.physics.uiuc.edu>

On Mon, Mar 06, 2000 at 02:58:06AM -0600, Igor Roshchin wrote:
> 
> Hello!
> 
> I've got a situation when an ordinary shell user on a FreeBSD-3.4-RELEASE
> box started the named server (by a mistake).
> (Currently, this host is not running named)
> The server barked (to the syslog):
> 
> Feb 29 06:57:06 <daemon.warn> MYHOST named[22132]: limit files set to fdlimit (1024)
> Feb 29 06:57:06 <daemon.warn> MYHOST named[22132]: db_load could not open: localhost.rev: No such file or directory
> Feb 29 06:57:06 <daemon.err> MYHOST named[22132]: ctl_server: bind: Permission denied
> Feb 29 06:57:06 <daemon.err> MYHOST named[22132]: couldn't create pid file '/var/run/named.pid'
> 
> but did not exit.
> Instead, it continued with periodic messages like:

You can always chown the named executable to bind:bind and let only
users from that group execute the binary.

By carefully adding users to the group, you can control who can run the
named executable, and still not stop the `bind' user from running
nicely in a jail or outside of it.

Oh, don't forget to chown named-xfer and all the other programs that
named will want to use ;)

-- 
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
For my public PGP key: finger keramida@diogenis.ceid.upatras.gr
PGP fingerprint, phone and address in the headers of this message.
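The group-based restriction Giorgos describes, written out as an added shell example (this is not code from the mail or from FreeBSD): a check for whether a binary is still executable by everyone, a function that restricts it to a named group with mode 0750, and an audit loop over the binaries named may invoke. The group name `bind` and the paths `/usr/sbin/named` and `/usr/libexec/named-xfer` are placeholders taken from the thread's discussion and should be adjusted to the installed layout.

```shell
#!/bin/sh
# Added example, not from the original message: restrict who can execute
# named and its helpers by group ownership and mode, then audit the result.
# Assumptions: the group "bind" exists, and the binary paths below are
# placeholders for wherever named and named-xfer are installed.

# Return 0 when "others" hold the execute bit on FILE (world-executable).
# Parses the mode string from ls -ld so it works on FreeBSD and Linux alike.
world_executable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????????x|?????????t) return 0 ;;
        *) return 1 ;;
    esac
}

# Restrict FILE to its owner plus GROUP: mode 0750 means only members of
# GROUP (and the owner) can run it. chown needs root; if GROUP is empty only
# the mode is changed, which is enough to drop world execute.
restrict_to_group() {
    file=$1
    group=$2
    if [ -n "$group" ]; then
        chown "root:$group" "$file" || return 1
    fi
    chmod 0750 "$file"
}

# Print every existing binary in the argument list that is still
# executable by everyone; prints nothing when all are restricted.
audit_bins() {
    for f in "$@"; do
        if [ -e "$f" ] && world_executable "$f"; then
            echo "$f: world-executable"
        fi
    done
}

# Usage (run as root):  sh restrict-named.sh --apply
# or, to only report:   sh restrict-named.sh --audit
named_bins="/usr/sbin/named /usr/libexec/named-xfer"   # placeholder paths
case "${1:-}" in
    --apply)
        for b in $named_bins; do
            [ -e "$b" ] && restrict_to_group "$b" bind
        done
        audit_bins $named_bins ;;
    --audit)
        audit_bins $named_bins ;;
esac
```

Owning the files as `root:bind` rather than `bind:bind` is a deliberate choice here: group membership still controls who may execute them, but the unprivileged `bind` account cannot modify its own binaries. The audit loop matters because, as the mail notes, named-xfer and the other helpers need the same treatment or a user could still start them directly.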


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000307025845.E84318>