From owner-freebsd-security Mon Mar 6 17:06:09 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.x-treme.gr (mail2.x-treme.gr [212.120.196.24]) by hub.freebsd.org (Postfix) with ESMTP id 3CB0937BD48 for ; Mon, 6 Mar 2000 17:05:25 -0800 (PST) (envelope-from keramida@ceid.upatras.gr)
Received: from hades.hell.gr (pat33.x-treme.gr [212.120.197.225]) by mail2.x-treme.gr (8.9.3/8.9.3/IPNG-ADV-ANTISPAM-0.1) with SMTP id DAA19931 for ; Tue, 7 Mar 2000 03:05:18 +0200
Received: (qmail 85596 invoked by uid 1001); 7 Mar 2000 00:58:45 -0000
Date: Tue, 7 Mar 2000 02:58:45 +0200
From: Giorgos Keramidas
To: Igor Roshchin
Cc: security@freebsd.org
Subject: Re: named started by any user will be running until killed...
Message-ID: <20000307025845.E84318@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
References: <200003060858.CAA07208@alecto.physics.uiuc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200003060858.CAA07208@alecto.physics.uiuc.edu>; from igor@physics.uiuc.edu on Mon, Mar 06, 2000 at 02:58:06AM -0600
X-PGP-Fingerprint: 62 45 D1 C9 26 F9 95 06 D6 21 2A C8 8C 16 C0 8E
X-Phone-Number: +30-94-6203692, +30-93-2886457
X-Address: Theodorou Kirinaiou 61, 26334 Patra, Greece
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 06, 2000 at 02:58:06AM -0600, Igor Roshchin wrote:
>
> Hello!
>
> I've got a situation where an ordinary shell user on a FreeBSD-3.4-RELEASE
> box started the named server (by mistake).
> (Currently, this host is not running named.)
> The server barked (to the syslog):
>
> Feb 29 06:57:06 MYHOST named[22132]: limit files set to fdlimit (1024)
> Feb 29 06:57:06 MYHOST named[22132]: db_load could not open: localhost.rev: No such file or directory
> Feb 29 06:57:06 MYHOST named[22132]: ctl_server: bind: Permission denied
> Feb 29 06:57:06 MYHOST named[22132]: couldn't create pid file '/var/run/named.pid'
>
> but did not exit.
> Instead, it continued with periodic messages like:

You can always chown the named executable to bind:bind and let only users
from that group execute the binary. By carefully adding users to the group,
you can control who can run the named executable, and still not stop the
`bind' user from running nicely in a jail or outside of it.

Oh, don't forget to chown named-xfer and all the other programs that named
will want to use ;)

--
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
For my public PGP key: finger keramida@diogenis.ceid.upatras.gr
PGP fingerprint, phone and address in the headers of this message.
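A worked version of the chown/chmod advice above, written as an added example that is not part of Giorgos' mail or of the FreeBSD tree. It assumes a `bind:bind` account and group and the binary paths in `BIND_BINARIES` (`/usr/sbin/named` and `/usr/libexec/named-xfer`); both are assumptions to adjust for the host. The ownership step needs root, so it is kept separate from the mode change and the checks, which run unprivileged.

```sh
#!/bin/sh
# Added example (not from the original mail): lock the BIND binaries down so
# that only the owner and members of one group can execute them, then verify.
# Assumptions: the daemon account/group is bind:bind and the binaries live at
# the paths in BIND_BINARIES; adjust both for the system at hand.

BIND_BINARIES="/usr/sbin/named /usr/libexec/named-xfer"

# Print the rwx string for "other" (chars 8-10 of an ls -l listing); this
# works on FreeBSD and Linux without depending on stat(1) flag differences.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Succeed (0) when users outside the owner and group can execute the file.
others_can_exec() {
    case "$(other_perms "$1")" in
        *x*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Strip all permissions from "other"; owner keeps rwx, group keeps r-x.
lock_down() {
    chmod 0750 "$1"
}

# Hand the binary to the daemon account so the group, not the world, gates
# execution. Needs root; kept separate so lock_down can be tested unprivileged.
set_owner() {
    chown "$2" "$1"
}

# Succeed when user $1 is a member of group $2 (primary or supplementary),
# i.e. is one of the people allowed to run named after the lock-down.
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Apply ownership and mode to every binary and report; returns non-zero if
# any binary is still world-executable afterwards.
harden_bind() {
    rc=0
    for f in $BIND_BINARIES; do
        [ -e "$f" ] || { echo "skip: $f not present"; continue; }
        set_owner "$f" bind:bind
        lock_down "$f"
        if others_can_exec "$f"; then
            echo "FAIL: $f still world-executable"; rc=1
        else
            echo "ok:   $f $(ls -ld "$f" | cut -c1-10)"
        fi
    done
    return $rc
}

# Run as root on the target host:
# harden_bind
```

Note that this only gates the system copy of the binary: a shell user who copies or builds their own named can still start it as themselves, and it will behave exactly as in the log above (no privileged port, no pid file, but still running). The group restriction is a guard against accidental starts, not a security boundary; that still needs rlimits, login classes or a jail.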