From owner-freebsd-security  Mon Mar  6 20:38:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2])
	by hub.freebsd.org (Postfix) with ESMTP id 0815C37BE71
	for <security@FreeBSD.ORG>; Mon,  6 Mar 2000 20:38:15 -0800 (PST)
	(envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.9.3/8.9.1) id UAA50858;
	Mon, 6 Mar 2000 20:38:11 -0800 (PST)
	(envelope-from dillon)
Date: Mon, 6 Mar 2000 20:38:11 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
Message-Id: <200003070438.UAA50858@apollo.backplane.com>
To: Igor Roshchin <igor@physics.uiuc.edu>
Cc: security@FreeBSD.ORG
Subject: Re: named started by any user will be running until killed...
References:  <200003060858.CAA07208@alecto.physics.uiuc.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


:Hello!
:
:I've got a situation when an ordinary shell user on a FreeBSD-3.4-RELEASE
:box started the named server (by a mistake).
:(Currently, this host is not running named)
:The server wrote barked (to the syslog):
:
:Feb 29 06:57:06 <daemon.warn> MYHOST named[22132]: limit files set to fdlimit (
:1024)
:Feb 29 06:57:06 <daemon.warn> MYHOST named[22132]: db_load could not open: loca
:lhost.rev: No such file or directory
:Feb 29 06:57:06 <daemon.err> MYHOST named[22132]: ctl_server: bind: Permission
:...
:
:going over all IPs (I have several IP aliases on that host) associated
:with the network interface.
:
:These messages were repeated in the syslog every hour until the named
:was manually killed.
:...
:Igor

    Generally speaking you do not include /sbin or /usr/sbin or 
    /usr/local/sbin in the user's default path, so users generally
    don't 'see' these programs.  That they can run them anyway is not
    really a security issue -- it's no different from a user downloading,
    compiling up, and running the named source after all.

    Trying to do something more complex, like using jail or messing with
    program owner/group/permissions is going to mostly be a waste of time.
    If you are truely concerned you can chmod 750 and group-restrict 
    the directories (/sbin, /usr/sbin, /usr/local/sbin).  Personally I
    don't think it's worth the effort.... remember that every change you
    make to the base system is a change you have to remember to redo when
    you upgrade.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message