On Fri, 17 Jul 1998, Cougar wrote:

> [mod: It is slightly less trivial than 'chroot("/")', but if you can
> execute arbitrary code as root, you can break out of the chrooted
> environment. --REW]
>
> My idea is to run named with a non-root UID/GID. As named needs to bind port 53,
> which is below 1024, there is a problem executing it. One solution is to
> rewrite the named code (like httpd); another is to make a hole in the
> kernel. Both are nonstandard solutions. It is also possible to use
>
> [mod: Patches are floating around. -- REW]
Patches? Bind 8.1.2 has command-line options for running as non-root UID/GID and chrooted. It binds to port 53 before dropping root. This is only a problem if you have interfaces appearing/disappearing randomly that you need named to bind to. Most real name servers probably don't have that problem.

------------------------------------------------------------------
Jon Lewis <[EMAIL PROTECTED]> | Spammers will be winnuked or
Network Administrator | drawn and quartered...whichever
Florida Digital Turnpike | is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
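The ordering Jon describes (bind the privileged port while still root, then chroot, then shed root for good) as an added illustration; this is not BIND's own code, and the `/var/named` directory and uid/gid 53 are placeholder values:

```c
/* Added example (not from the thread): bind a privileged port first, then
 * chroot, then drop root, in that order. Assumes a Linux/POSIX host. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket while still root (ports below 1024 need root or
 * CAP_NET_BIND_SERVICE). Returns the descriptor, or -1 with errno set. */
int bind_udp_port(unsigned short port) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* chroot (needs root, so it must precede setuid), then drop supplementary
 * groups, gid and uid irrevocably. dir == NULL skips the chroot. 0 or -1. */
int drop_privileges(const char *dir, uid_t uid, gid_t gid) {
    if (dir) {
        if (chroot(dir) < 0 || chdir("/") < 0) return -1;  /* chdir closes the escape */
    }
    /* groups before uid: once the uid is unprivileged, setgid/setgroups fail */
    if (setgroups(0, NULL) < 0 && errno != EPERM) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* verify the drop stuck: being able to regain root here would be a bug */
    if (uid != 0 && (setuid(0) == 0 || getuid() != uid)) return -1;
    return 0;
}

int main(void) {
    int fd = bind_udp_port(53);                 /* step 1: while still root */
    if (fd < 0) { perror("bind port 53"); return 1; }
    /* step 2: jail and shed root; placeholder directory and ids */
    if (drop_privileges("/var/named", 53, 53) < 0) { perror("drop_privileges"); return 1; }
    printf("socket fd %d stays open, now running as uid %d\n", fd, (int)getuid());
    return 0;
}
```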