From: Cy Schubert - ITSD Open Systems Group
To: Kris Kennaway
Cc: Marc Rassbach, Michael Richards, Cy.Schubert@uumail.gov.bc.ca, freebsd-security@FreeBSD.ORG
Subject: Re: Bind problems
Date: Thu, 22 Feb 2001 15:29:48 -0800
Message-Id: <200102222330.f1MNU7e64567@cwsys.cwsent.com>
In-reply-to: Your message of "Thu, 22 Feb 2001 13:47:03 PST." <20010222134703.A7745@mollari.cthul.hu>

In message <20010222134703.A7745@mollari.cthul.hu>, Kris Kennaway writes:
> On Thu, Feb 22, 2001 at 03:22:55PM -0600, Marc Rassbach wrote:
> > Or, you may have been running -u bind -g bind and that works to keep the
> > lid on things. (Unless the security team knows that -u -g on bind 8
> > doesn't help.)
>
> Well, it doesn't really help, because it still gives the attacker an
> account on your system, which they can use to bootstrap to root if you
> have an unpatched local root hole.
>
> Even running in a chroot or jail only goes so far, because they can
> still run arbitrary code on the system as that user and use it to
> e.g. launch DDoS attacks, run an rc5des client, you name it :)

I think you can mitigate or even eliminate that possibility. First, make all files and directories in the chrooted environment writable by root only, except for named's log directory and the directory it places its named.pid file in. Next, union or nullfs mount with the noexec option the directories where all of the named logs and pid file are written. The worst that could happen is that the intruder could fill your disk.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
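The layout described in the reply above (a chroot in which everything is owned by root and writable only by root, apart from the log and pid directories, which are in turn mounted noexec) is easy to get wrong by hand, so the following audit script checks a tree against it. It is an added example, not code from this thread or from FreeBSD's named setup. It assumes the caller supplies the mount table as a plain dictionary of mount point to option set (on a real host you would build that from the output of mount(8)), and it builds a small constructed sample chroot under a temporary directory so that it runs offline; the uid it expects is parameterised because the sample tree is owned by whoever runs the script, whereas a real chroot would be owned by uid 0.

```python
"""Audit a chrooted named(8) tree: root-owned, writable by root only, except for
the log and pid directories, which must sit on a noexec mount.  Added example,
not part of the original mailing-list thread."""
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that let anyone other than the owner write to a file or directory.
_GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _mount_options(path, mounts):
    """Options of the mount that contains `path` (longest matching mount point).
    `mounts` maps mount point -> set of option strings; empty set if none covers it."""
    path = Path(path).resolve()
    best_len, best_opts = -1, set()
    for mount_point, opts in mounts.items():
        mp = Path(mount_point).resolve()
        if (path == mp or mp in path.parents) and len(mp.parts) > best_len:
            best_len, best_opts = len(mp.parts), set(opts)
    return best_opts


def audit_chroot(root, writable_dirs, mounts, expected_uid=0):
    """Return a list of findings (empty when the tree matches the described layout).

    root:          path of the chroot
    writable_dirs: paths relative to root that named is allowed to write (logs, pid)
    mounts:        {mount point: set of options}, e.g. from mount(8) on a real host
    expected_uid:  owner every entry must have (0 on a real host)
    """
    root = Path(root).resolve()
    allowed = [(root / d).resolve() for d in writable_dirs]
    findings = []

    def is_allowed(p):
        return any(p == a or a in p.parents for a in allowed)

    # Walk without following symlinks so that we only judge entries inside the tree.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode bits are meaningless; skip it
            if st.st_uid != expected_uid:
                findings.append(f"{p}: owned by uid {st.st_uid}, expected {expected_uid}")
            if st.st_mode & _GROUP_OTHER_WRITE and not is_allowed(p):
                findings.append(f"{p}: group/other-writable outside the log/pid directories")

    # The directories named may write must exist and must be on a noexec mount,
    # so that whatever gets dropped there can never be executed.
    for d in allowed:
        if not d.is_dir():
            findings.append(f"{d}: writable directory missing")
            continue
        if "noexec" not in _mount_options(d, mounts):
            findings.append(f"{d}: not on a noexec mount")
    return findings


def demo():
    """Build a constructed sample chroot, audit it once in a compliant state and once
    after weakening it; return (clean_findings, weak_findings)."""
    base = Path(tempfile.mkdtemp(prefix="named-chroot-"))
    uid = os.getuid()  # sample tree belongs to the current user; a real one to root
    for sub in ("etc", "var/log", "var/run"):
        (base / sub).mkdir(parents=True)
    conf = base / "etc" / "named.conf"
    conf.write_text('options { directory "/"; pid-file "/var/run/named.pid"; };\n')
    for sub, mode in (("etc", 0o755), ("var", 0o755), ("var/log", 0o770), ("var/run", 0o770)):
        os.chmod(base / sub, mode)
    os.chmod(conf, 0o644)
    writable = ["var/log", "var/run"]
    # Constructed mount table: both writable directories null-mounted noexec,nosuid.
    good_mounts = {str(base / d): {"noexec", "nosuid"} for d in writable}
    clean = audit_chroot(base, writable, good_mounts, expected_uid=uid)

    os.chmod(conf, 0o666)  # weaken: named's uid could now rewrite its own config
    weak_mounts = {str(base / "var/log"): {"noexec", "nosuid"}}  # var/run lost its noexec mount
    weak = audit_chroot(base, writable, weak_mounts, expected_uid=uid)
    return clean, weak


if __name__ == "__main__":
    clean, weak = demo()
    print("compliant tree findings:", clean)
    for f in weak:
        print("weakened tree:", f)
```

The two findings the weakened run produces are exactly the two properties the reply relies on: nothing outside the log and pid directories may be writable by named's uid, and those two directories must carry noexec so that a write there can at most fill the disk.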