-----BEGIN PGP SIGNED MESSAGE----- Cougar wrote: > > On Tue, 14 Jul 1998, Carlos Barros wrote: > > > On Tue, 14 Jul 1998, cfb wrote: > > > > > The main problem seems to be with the way that debian starts bind using > > > the script /etc/init.d/bind. I thought it would be really neat to just > > > change the #!/bin/sh at the top of the script to something like : > > > #!/usr/sbin/chroot /chroot-dns/ /bin/sh > > > or > > > #!/usr/sbin/chroot /chroot-dns/ /chroot-dns/bin/sh > > > > > > try changing only the line that start the bind daemon eg: > > > > chroot /chroot-dns/ /bin/named > > What this chroot gives You? Actually this is protection against simple > exec("/bin/sh") but every cracker may put chroot("/") before this and all > the protection is destroyed. > > [mod: It is slightly less trivial than 'chroot("/")', but if you can > execute arbitrary code as root, you can break out of the chrooted > environment. --REW] > > My idea is to run named non-root UID/GID. As named needs to bind port 53 > which is below 1024 there are problem to execute it. One solution is to > rewrite named code (like httpd) another is to make the hole into the > kernel. Both are nonstandard solutions. There are also possible to use > some portwrapper/redir. Does anyone use some of these? > > [mod: Patches are floating around. -- REW]
Why are linux users always trying to patch software without rechecking with the author first? See the "-u" (uid) and "-g" (gid) flags of named 8.1.2 (as described in the README and INSTALL files). Also note the "-t" flag to specify the chroot-dir... Bye, Wolfgang. - -- Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany Email: [EMAIL PROTECTED] Phone: +49 40 5494-2262 Fax: +49 40 5494-2241 PGP-Key available via finger [EMAIL PROTECTED] any key-server or via WWW from http://www.cert.dfn.de/~ley/ ...have a nice day -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBNa88W8vEMj/EqWIlAQGRAggAmXUgnzJGCCc4iNG8sOpDlsf256ZoMeBC E4XqDWjAe1zwyjL2XvMnA5lbA6GX+s7Gi0wTPlOTR3e6VPBNLqt5n5c0xDjTQAcz 00sNSrv/9jJXTPSNA12fbcLPzkMUMvakF1l1hpXPycjua5dvV0gFaYKA1X6Ht2Pq AY0USXfk4zk0i+bdGXflCE+N6HHjZa/+Rw9szZIwWGmjKXDGi7jBoepWXVU+WwGh HGrWtL2ty5YipK0hOdMuUhCsrLVMMAkTrZoX2f797O/K5Al1BH6QgQc9YnYsV+ft JQ1uu5dvLykvkp74LOAoiqHwbHTn6t2vWvxg0Ix61prVq4AjN81bAw== =Pbgc -----END PGP SIGNATURE----- -- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null