From owner-freebsd-security Wed Jan 31 13:56:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from jamus.xpert.com (helpful.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id 8FD8D37B6A8 for ; Wed, 31 Jan 2001 13:55:56 -0800 (PST)
Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 14O5Di-0000xY-00 for freebsd-security@freebsd.org; Wed, 31 Jan 2001 23:55:18 +0200
Date: Wed, 31 Jan 2001 23:55:18 +0200 (IST)
From: Roman Shterenzon
To:
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
In-Reply-To: <200101312123.f0VLNL134920@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 31 Jan 2001, FreeBSD Security Advisories wrote:

> =============================================================================
> FreeBSD-SA-01:18                                           Security Advisory
>
> Topic:          BIND remotely exploitable buffer overflow
..snip..
>
> There is no known practical workaround to prevent the vulnerability
> from being exploited, short of upgrading the software.  A partial
> workaround to limit the impact of the vulnerability should it be
> exploited is to run named as an unprivileged user.
>
> Add the following line to /etc/rc.conf:
>
> named_flags="-u bind -g bind"            # Flags for named
>
> Add the following line to your /etc/namedb/named.conf file, in the
> "options" section:
>
>         pid-file "/var/named/named.pid";
>
> See the named.conf(5) manual page for more details about configuring
> named.
>
> Perform the following commands as root:
>
> Create a directory writable by the bind user where named can store its
> pid file:
>
> # mkdir /var/named
> # chown bind:bind /var/named
>
> Use of the -t option to named will also increase security when run as
> a non-privileged user by confining the named process to a chroot
> environment and thereby partially limiting the access it has to the
> rest of the system.  Configuration of these options is beyond the
> scope of the advisory.  The following website contains information
> which may be useful to administrators wishing to perform this step:
>
> http://www.losurs.org/docs/howto/Chroot-BIND.html
>

Why not make it default in the base system?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
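The three workaround steps quoted from the advisory (the named_flags line in rc.conf, the pid-file directive in the options block of named.conf, and a pid directory owned by the bind user), collected into one idempotent script as an added example. It is not part of the advisory or of this list thread; the function names are hypothetical, the file paths and the owner are parameters so the demonstration at the bottom runs against constructed copies of rc.conf and named.conf rather than the live files, and it assumes a FreeBSD 4.x-era layout where rc.conf honours named_flags and named.conf already contains an `options {` block. The chroot (-t) step the advisory defers to the linked HOWTO is not covered.

```shell
#!/bin/sh
# Added example: apply and verify the advisory's "run named as an
# unprivileged user" workaround on caller-supplied files.

# Append a line to a file unless an identical line is already there,
# so re-running the script never duplicates configuration.
append_once() {
    file=$1; line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Step 1: make the rc system start named as user and group "bind".
set_named_flags() {
    append_once "$1" 'named_flags="-u bind -g bind" # Flags for named'
}

# Step 2: add pid-file to the options { ... } block of named.conf so that
# named, no longer root, can still write its pid after dropping privileges.
# Does nothing if a pid-file directive is already present.
set_pid_file() {
    conf=$1; pidfile=$2
    grep -q 'pid-file' "$conf" && return 0
    awk -v pf="$pidfile" '
        { print }
        /^options[[:space:]]*[{]/ && !inserted {
            printf "\tpid-file \"%s\";\n", pf; inserted = 1
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Step 3: create the directory the pid file lives in and hand it to the
# unprivileged user (owner and group default to bind:bind as in the advisory).
make_pid_dir() {
    dir=$1; owner=${2:-bind}; group=${3:-bind}
    mkdir -p "$dir"
    chown "$owner:$group" "$dir"
    chmod 755 "$dir"
}

# Check: does rc.conf actually request an unprivileged user via -u <user>?
# Returns 0 (true) when it does, 1 otherwise.
named_runs_unprivileged() {
    grep -E '^named_flags=.*-u[[:space:]]+[A-Za-z_][A-Za-z0-9_-]*' "$1" >/dev/null
}

# --- Demonstration on constructed copies; never touches /etc ----------------
WORK=$(mktemp -d)
RC="$WORK/rc.conf"; CONF="$WORK/named.conf"; PIDDIR="$WORK/var/named"
# constructed sample files standing in for /etc/rc.conf and /etc/namedb/named.conf
printf 'sendmail_enable="NO"\nnamed_enable="YES"\n' > "$RC"
printf 'options {\n\tdirectory "/etc/namedb";\n};\n' > "$CONF"

set_named_flags "$RC"
set_pid_file "$CONF" "$PIDDIR/named.pid"
# on a real system this would be: make_pid_dir /var/named bind bind
make_pid_dir "$PIDDIR" "$(id -u)" "$(id -g)"
named_runs_unprivileged "$RC" && echo "rc.conf now starts named unprivileged"
cat "$RC" "$CONF"
rm -rf "$WORK"
```

Run as root against the real paths only after upgrading BIND, since the advisory is explicit that this limits impact rather than preventing exploitation; `named_runs_unprivileged /etc/rc.conf` is a cheap check to fold into a host audit.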