Date:      Mon, 6 Mar 2000 20:38:11 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Igor Roshchin <igor@physics.uiuc.edu>
Cc:        security@FreeBSD.ORG
Subject:   Re: named started by any user will be running until killed...
Message-ID:  <200003070438.UAA50858@apollo.backplane.com>
References:   <200003060858.CAA07208@alecto.physics.uiuc.edu>


:Hello!
:
:I've got a situation when an ordinary shell user on a FreeBSD-3.4-RELEASE
:box started the named server (by a mistake).
:(Currently, this host is not running named)
:The server wrote barked (to the syslog):
:
:Feb 29 06:57:06 <daemon.warn> MYHOST named[22132]: limit files set to fdlimit (1024)
:Feb 29 06:57:06 <daemon.warn> MYHOST named[22132]: db_load could not open: localhost.rev: No such file or directory
:Feb 29 06:57:06 <daemon.err> MYHOST named[22132]: ctl_server: bind: Permission
:...
:
:going over all IPs (I have several IP aliases on that host) associated
:with the network interface.
:
:These messages were repeated in the syslog every hour until the named
:was manually killed.
:...
:Igor

    Generally speaking you do not include /sbin or /usr/sbin or 
    /usr/local/sbin in the user's default path, so users generally
    don't 'see' these programs.  That they can run them anyway is not
    really a security issue -- it's no different from a user downloading,
    compiling up, and running the named source after all.

    Trying to do something more complex, like using jail or messing with
    program owner/group/permissions is going to mostly be a waste of time.
    If you are truly concerned you can chmod 750 and group-restrict 
    the directories (/sbin, /usr/sbin, /usr/local/sbin).  Personally I
    don't think it's worth the effort.... remember that every change you
    make to the base system is a change you have to remember to redo when
    you upgrade.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>


