Date:      Thu, 22 Feb 2001 15:29:48 -0800
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        Marc Rassbach <marc@milestonerdl.com>, Michael Richards <michael@fastmail.ca>, Cy.Schubert@uumail.gov.bc.ca, freebsd-security@FreeBSD.ORG
Subject:   Re: Bind problems 
Message-ID:  <200102222330.f1MNU7e64567@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 22 Feb 2001 13:47:03 PST." <20010222134703.A7745@mollari.cthul.hu> 

In message <20010222134703.A7745@mollari.cthul.hu>, Kris Kennaway 
writes:
> On Thu, Feb 22, 2001 at 03:22:55PM -0600, Marc Rassbach wrote:
> > Or, you may have been running -u bind -g bind and that works to keep the
> > lid on things.  (Unless the security team knows that -u -g on bind 8
> > doesn't help.)
> 
> Well, it doesn't really help, because it still gives the attacker an
> account on your system, which they can use to bootstrap to root if you
> have an unpatched local root hole.
> 
> Even running in a chroot or jail only goes so far, because they can
> still run arbitrary code on the system as that user and use it to
> e.g. launch DDoS attacks, run an rc5des client, you name it :)

I think you can mitigate or even eliminate that possibility.  First, 
make all files and directories in the chrooted environment writable by 
root only, except for named's log directory and the directory where it 
places its named.pid file.  Next, union or nullfs mount with the noexec 
option the directories where all of the named logs and pid file are 
written.

The worst that could happen is that the intruder could fill your disk.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
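
The two steps described in the message above can be checked with a small audit script. This is an added example, not part of the original message or of any FreeBSD tool; the function names, the chroot path /chroot/named, the var/log and var/run subdirectories and the sample mount output are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. Paths are hypothetical.

# audit_writable ROOT OWNER_UID [ALLOWED_SUBDIR...]
# Prints entries under ROOT that are not owned by OWNER_UID or are writable
# by group/other, skipping the allowed log/pid subdirectories.
# Returns 0 if the tree is clean, 1 otherwise.
audit_writable() {
    root=$1; owner=$2; shift 2
    n=$#
    # Turn each allowed subdirectory into a "-path DIR -prune -o" clause.
    for d in "$@"; do set -- "$@" -path "$root/$d" -prune -o; done
    shift "$n"
    bad=$(find "$root" "$@" \
        \( ! -user "$owner" -o ! -type l \( -perm -020 -o -perm -002 \) \) -print)
    if [ -z "$bad" ]; then return 0; fi
    printf '%s\n' "$bad"
    return 1
}

# mount_is_noexec DIR
# Reads mount(8) output on stdin; succeeds only if the most specific mount
# point covering DIR carries the noexec option. Mount points containing
# spaces are not handled.
mount_is_noexec() {
    awk -v dir="$1" '
        { mp = ""; for (i = 1; i < NF; i++) if ($i == "on") { mp = $(i + 1); break } }
        mp != "" && (dir == mp || index(dir, (mp == "/" ? mp : mp "/")) == 1) &&
            length(mp) >= length(best) { best = mp; opts = substr($0, index($0, "(")) }
        END { exit !(opts ~ /[(, ]noexec[,) ]/) }'
}

# Constructed sample of mount output for a chroot at /chroot/named.
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
/var/named-log on /chroot/named/var/log (nullfs, local, noexec)
/var/named-run on /chroot/named/var/run (nullfs, local)'

# Typical use against a live system (run as root):
#   audit_writable /chroot/named 0 var/log var/run
#   mount | mount_is_noexec /chroot/named/var/log || echo "log dir can exec"
```

In the constructed sample, the pid directory is mounted without noexec, so the second check fails for /chroot/named/var/run while passing for the log directory.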
