Re: bind running as root in Mandrake 7.0
On Mon, Jun 05, 2000 at 04:17:41AM -0800, Ethan Benson wrote:
> i don't think it is necessary (or really desirable) to have the
> postinst asking about running bind as root, i think that the number of
> people who need it is far too small to justify ya interruption in the
> system install.

I tend to disagree. bind could use debconf and ask a question with priority "low", default set to running bind without root permissions.

Another approach is to fix bind by binding INADDR_ANY as was pointed out in this thread. This may have undesirable side-effects, though.

- Sebastian
Re: bind running as root in Mandrake 7.0
On Mon, 5 Jun 2000, Tim Haynes wrote:
> On Mon, Jun 05, 2000 at 01:33:33PM +, Nick Phillips wrote:
> > Michael Stone wrote:
> >
> > > And I still think this is a stupid reason for us to be allowing a security
> > > problem to sit around--how many people run dns servers on machines with
> > > dynamic addresses?
> >
> > Loads. How many people use IP masq to let their bunch of Win98 clients share
> > their net connection? How many ISPs give static IPs? QED.
> >
> > It should probably be an install-time option.
>
> Erm... 'usepeerdns' and stuff...
>
> Another thought to throw into the fray.. What was that package that asks you
> for your local & external interfaces, then goes and ballses up a default
> firewall for you? ... Maybe some integration there could be fun.
>
> How many people wanting to run bind need it listening on their ppp0 interface,
> which comes & goes merrily with dialups, rather than their eth0s and let the
> outgoing forwarded requests get masqueraded?
>
> Just my $0.01..
>
> ~Tim

You got it exactly right, there is no reason why anyone should be listening on a dynamic IP address. If it's gonna change so much, then how will people be able to find it?

If it's about DHCP, then 'just' start that first before you start up bind. Does DHCP also have something like a ppp-up script? I think you can specify that, right?

There is _no_ reason why any1 should do a DNS query on a PPP dialup. If someone really needs it (static IP over ppp?), make it so in ppp-up (restart bind? or is reload enough?).

As long as it's named.named, it really is very important. There are just too many things in bind that went wrong in the past.

My 2 cents.

- New things are always on the horizon.
Re: bind running as root in Mandrake 7.0
On Mon, Jun 05, 2000 at 02:55:08PM +, Tim Haynes wrote:
] Erm... 'usepeerdns' and stuff...
]
] Another thought to throw into the fray.. What was that package that asks you
] for your local & external interfaces, then goes and ballses up a default
] firewall for you? ... Maybe some integration there could be fun.
]
] How many people wanting to run bind need it listening on their ppp0 interface,
] which comes & goes merrily with dialups, rather than their eth0s and let the
] outgoing forwarded requests get masqueraded?

I guess you meant ipmasq.. it's a really nice piece of software for lazy people ;-)

I made bind run as user in just a few minutes using the standard potato package and I guess this _SHOULD_ be the default behaviour.

Now.. with dynamic interfaces - for PPP at least - we could have /etc/ppp.d/ip-{up,down}.d/bind scripts that make bind listen on the new interface if that's necessary (ask the user at install time).

Just my $0.005 ;-)
Re: is it really useful to use chroot? (was: bind running as root in Mandrake 7.0)
chrooting bind is probably worthwhile because

* bind has an abysmal record
* gaining access to the system with uid/gid==bind may well allow an intruder to gain elevated privileges by exploiting a locally-accessible vulnerability, which would otherwise not be exposed

yes, it's a pain, but it should be an option at least until a more secure dns makes its way into the distribution.

regards,
thomas

On Mon, 5 Jun 2000, Carlos Carvalho wrote:
> I wonder if running bind (not as root, of course) in a chroot jail is
> really worth the hassle. If you give it a correct uid/gid it'll only
> have access to public read-only files after all. If it were just a
> config option it'd be fine, but there's the mess with libs et al.
> that does need some determination to overcome...
is it really useful to use chroot? (was: bind running as root in Mandrake 7.0)
I wonder if running bind (not as root, of course) in a chroot jail is really worth the hassle. If you give it a correct uid/gid it'll only have access to public read-only files after all. If it were just a config option it'd be fine, but there's the mess with libs et al. that does need some determination to overcome...
Re: bind running as root in Mandrake 7.0
On Mon, Jun 05, 2000 at 01:33:33PM +, Nick Phillips wrote:
> Michael Stone wrote:
>
> > And I still think this is a stupid reason for us to be allowing a security
> > problem to sit around--how many people run dns servers on machines with
> > dynamic addresses?
>
> Loads. How many people use IP masq to let their bunch of Win98 clients share
> their net connection? How many ISPs give static IPs? QED.
>
> It should probably be an install-time option.

Erm... 'usepeerdns' and stuff...

Another thought to throw into the fray.. What was that package that asks you for your local & external interfaces, then goes and ballses up a default firewall for you? ... Maybe some integration there could be fun.

How many people wanting to run bind need it listening on their ppp0 interface, which comes & goes merrily with dialups, rather than their eth0s and let the outgoing forwarded requests get masqueraded?

Just my $0.01..

~Tim

--
| Geek Code: GCS dpu s-:+ a-- C UBLUAVHSC P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-
| So shine on, harvest moon, | http://piglet.is.dreaming.org/
| Cast your might on the ripening corn | [EMAIL PROTECTED]
Re: bind running as root in Mandrake 7.0
Michael Stone wrote:
> And I still think this is a stupid reason for us to be allowing a
> security problem to sit around--how many people run dns servers on
> machines with dynamic addresses?

Loads. How many people use IP masq to let their bunch of Win98 clients share their net connection? How many ISPs give static IPs? QED.

It should probably be an install-time option.

Nick
Re: bind running as root in Mandrake 7.0
On Mon, Jun 05, 2000 at 12:59:36PM +0100, Zak Kipling wrote:
> On Mon, 5 Jun 2000, Ethan Benson wrote:
>
> > idiots should not be running bind.
>
> Very true. But we can't very well have an install script which asks "Are
> you an idiot?" and aborts installation if the user answers "Yes" ;-)
> Bottom line is idiots *will* run bind anyway (after all they are
> idiots...) So better that the default mode should be (relatively) safe,
> requiring active intervention (and presumably knowledge) to open the big
> holes like running it as root -- which as has already been pointed out is
> only likely to be desirable for a very small minority of users.

i completely agree, that is bind should be installed defaulting to running as named.named (which should be in the base-passwd btw) and probably chrooted as well. anyone needing a less secure configuration should know how to edit the initscripts and config files themselves with their $EDITOR.

i don't think it is necessary (or really desirable) to have the postinst asking about running bind as root, i think that the number of people who need it is far too small to justify ya interruption in the system install.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: bind running as root in Mandrake 7.0
On Mon, 5 Jun 2000, Ethan Benson wrote:
> idiots should not be running bind.

Very true. But we can't very well have an install script which asks "Are you an idiot?" and aborts installation if the user answers "Yes" ;-)

Bottom line is idiots *will* run bind anyway (after all they are idiots...) So better that the default mode should be (relatively) safe, requiring active intervention (and presumably knowledge) to open the big holes like running it as root -- which as has already been pointed out is only likely to be desirable for a very small minority of users.

--
Zak Kipling, E114 Wolfson Court, Clarkson Road, Cambridge, CB3 0EH.
Tel. (01223) 509524; pager 04325 361627; ICQ# 62661452; Ask for PGP key
Internet chat: telnet to zk201.girton.cam.ac.uk and log in as "talk".
"As long as the superstition that people should obey unjust laws exists, so long will slavery exist." -- M. K. Gandhi
Re: bind running as root in Mandrake 7.0
On Mon, Jun 05, 2000 at 01:47:08PM +0200, Marco Giardini wrote:
> On Mon, Jun 05, 2000 at 03:45:07AM -0800, Mr.Ethan Benson wrote:
> >
> > fwiw, OpenBSD by default installs an audited bind 4 configured to run
> > non-root in a chroot jail. i presume they don't use bind 8 because it
> > probably needs to be 110% rewritten to make it secure...
> OpenBSD 2.6 installs Bind 8 chrooted and as non root user.

bzzt wrong thanks for playing.

OpenBSD 2.6 ships with bind 4 installed, you can install bind 8 from /usr/ports if you wish to give up security, but the default installed version is still 4:

named[29409]: starting. named 4.9.7-REL Thu May 21 19:27:54 1998
$ uname -mrs
OpenBSD 2.6 i386
$

i am not sure about 2.7 but i doubt it's any different.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: bind running as root in Mandrake 7.0
On Mon, Jun 05, 2000 at 12:30:15PM +0100, Anton Ivanov wrote:
> >
> > And I still think this is a stupid reason for us to be allowing a
> > security problem to sit around--how many people run dns servers on
> > machines with dynamic addresses?
>
> Agree.
>
> I was just elaborating on the way to do it "idiot-proof". If you have any of

idiots should not be running bind.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: bind running as root in Mandrake 7.0
On Mon, Jun 05, 2000 at 03:45:07AM -0800, Mr.Ethan Benson wrote:
>
> fwiw, OpenBSD by default installs an audited bind 4 configured to run
> non-root in a chroot jail. i presume they don't use bind 8 because it
> probably needs to be 110% rewritten to make it secure...

OpenBSD 2.6 installs Bind 8 chrooted and as non root user.

.oesse.

>
> --
> Ethan Benson
> http://www.alaska.net/~erbenson/

--
Marco Giardini
TecnoGi spa                Tel. +39 0321 885422
Strada per Gravellona      Fax +39 0321 885333
Borgolavezzaro (NO)        http://www.tecnogi.com
Key fingerprint = B5 B4 AA 91 89 50 43 8F B1 6B C6 8C 34 79 5A 7F
Re: bind running as root in Mandrake 7.0
On Mon, Jun 05, 2000 at 07:08:45AM -0400, Michael Stone wrote:
>
> And I still think this is a stupid reason for us to be allowing a
> security problem to sit around--how many people run dns servers on
> machines with dynamic addresses?

i would guess the people running bind on dynamic addresses consist of the following two groups:

1) people who should not be running bind at all.
2) people who have a special need for such a thing and will be smart enough to change the configuration to run it as root.

IMO running bind as root is insane, hell running bind at all is halfway insane... why are we (read all who need to run DNS services) still using this giant security hole masquerading as a DNS server? are there no suitable replacements? (i presume dnscache is non-free, what about dents?)

fwiw, OpenBSD by default installs an audited bind 4 configured to run non-root in a chroot jail. i presume they don't use bind 8 because it probably needs to be 110% rewritten to make it secure...

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: bind running as root in Mandrake 7.0
Michael Stone ([EMAIL PROTECTED]) wrote on 5 June 2000 07:08:
>On Mon, Jun 05, 2000 at 10:28:04AM +0100, Anton Ivanov wrote:
>> There was a long standing discussion on this which basically boils down to the
>> fact that if you obtain your address dynamically or have dynamic interfaces
>> (some form of PPP or anything on PCMCIA) you have to run it as root in order
>> for bind to use these interfaces.
>>
>> bind does not bind 0.0.0.0:53. It for one or another reason binds every
>> interface separately. Hence if an interface is not available at bind start
>> time and bind does not run as root the interfaces are not rebound.
>
>And I still think this is a stupid reason for us to be allowing a
>security problem to sit around--how many people run dns servers on
>machines with dynamic addresses?

Agreed!!! If the czars don't agree with this, the possibility should at least be easier to implement by setting a config option in the /etc/init.d/bind script.
Re: bind running as root in Mandrake 7.0
>
> And I still think this is a stupid reason for us to be allowing a
> security problem to sit around--how many people run dns servers on
> machines with dynamic addresses?

Agree.

I was just elaborating on the way to do it "idiot-proof". If you have any of the pcmcia, ppp, etc installed ask the user "Do you want to run bind as root". Otherwise not simply run it as user. Chroot it as well.

Brgds,
Re: bind running as root in Mandrake 7.0
On Mon, Jun 05, 2000 at 10:28:04AM +0100, Anton Ivanov wrote:
> There was a long standing discussion on this which basically boils down to the
> fact that if you obtain your address dynamically or have dynamic interfaces
> (some form of PPP or anything on PCMCIA) you have to run it as root in order
> for bind to use these interfaces.
>
> bind does not bind 0.0.0.0:53. It for one or another reason binds every
> interface separately. Hence if an interface is not available at bind start
> time and bind does not run as root the interfaces are not rebound.

And I still think this is a stupid reason for us to be allowing a security problem to sit around--how many people run dns servers on machines with dynamic addresses?

--
Mike Stone
Re: bind running as root in Mandrake 7.0
> On Sat, Jun 03, 2000 at 04:03:51PM +0200, Nicolas MONNET wrote:
> > bind is run as user / group 'root' in Mandrake 7.0, and probably in
> > Redhat6.x as well.
>
> Debian Slink and Potato (frozen) both install BIND 8.2.2R5 as root.

There was a long standing discussion on this which basically boils down to the fact that if you obtain your address dynamically or have dynamic interfaces (some form of PPP or anything on PCMCIA) you have to run it as root in order for bind to use these interfaces.

bind does not bind 0.0.0.0:53. It for one or another reason binds every interface separately. Hence if an interface is not available at bind start time and bind does not run as root the interfaces are not rebound.

So running as non-root will not work in some cases. They may be covered in any of the listed distros but this means making bind, all dhcp-clients, pcmcia, ppp, ad nauseam depend on each other and mess with each other's init scripts. For now I do not know of a distro that does this.

[snip]
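
The INADDR_ANY approach raised in this thread (bind the wildcard address once while privileged, then give up root for good), as an added C example that is not from any poster or from BIND itself. The function names and the uid/gid 65534 are assumptions; the receive check uses an ephemeral port and a constructed 5-byte datagram so it also runs without root.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Bind a UDP socket to addr (network order), port (host order): fd or -errno. */
int bind_udp(in_addr_t addr, unsigned short port) {
    struct sockaddr_in sa = {0};
    int e, fd = socket(AF_INET, SOCK_DGRAM, 0);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = addr;
    sa.sin_port = htons(port);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) return fd;
    e = errno;
    if (fd >= 0) close(fd);
    return -e;
}

/* Give up root for good; sockets bound earlier stay open. 0 or -errno. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0; /* nothing to drop */
    if (setgroups(0, NULL) || setgid(gid) || setuid(uid)) return -errno;
    return setuid(0) == 0 ? -EPERM : 0; /* regaining root must fail */
}

/* Bytes a wildcard socket receives for a datagram sent to dst (network order). */
int wildcard_receives(in_addr_t dst) {
    char buf[16];
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    struct timeval tv = {1, 0}; /* stop waiting after one second */
    int n, tx, rx = bind_udp(htonl(INADDR_ANY), 0); /* named would use 53 */
    if (rx < 0) return rx;
    setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    getsockname(rx, (struct sockaddr *)&sa, &len); /* learn ephemeral port */
    sa.sin_addr.s_addr = dst; /* an address the socket never named */
    tx = socket(AF_INET, SOCK_DGRAM, 0);
    sendto(tx, "query", 5, 0, (struct sockaddr *)&sa, sizeof sa);
    n = (int)recv(rx, buf, sizeof buf, 0);
    close(tx);
    close(rx);
    return n;
}

int main(void) { /* run as root: 53 is privileged; 65534 is an assumed id */
    int fd = bind_udp(htonl(INADDR_ANY), 53);
    if (fd < 0 || drop_privileges(65534, 65534) < 0) return 1;
    return wildcard_receives(htonl(INADDR_LOOPBACK)) == 5 ? 0 : 1;
}
```

A per-address bind to an address that no interface carries yet fails with EADDRNOTAVAIL, which is why a daemon that binds interfaces one by one has to bind again, with privileges for port 53, each time an interface appears.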