Re: [cobalt-users] Re: BIND Security
- Subject: Re: [cobalt-users] Re: BIND Security
- From: Paul Ramsey <pramsey@xxxxxxxxxxxxxxx>
- Date: Tue May 30 16:07:19 2000
In addition to having named at a proper patchlevel, you can also lower
your exposure by running it as a NONPRIVILEGED USER. These new versions
of named allow that, but for some reason Red Hat et al. have not yet
adopted this as their default configuration.

To run your named as 'nobody', edit /etc/rc.d/init.d/named and change
the line 'daemon named' to 'daemon named -u nobody -g nobody'. Then
'/etc/rc.d/init.d/named stop ; /etc/rc.d/init.d/named start' and you are
off to the races.

What does this buy you? Well, if someone does a buffer overrun on the
named daemon now, they no longer have access to a process with
system-level powers to write files and change things all over the place.
They just have access to a cruddy process owned by 'nobody'.

If you are particularly paranoid, you can even run named as a 'chroot'ed
process, like anonymous ftp, completely in its own insular directory
structure. Next time I'm bored, I'm going to do this.

Happy naming,
Paul

Jeff Lasman wrote:
>
> Adam Williams wrote:
>
> > No, Mine got the same hack. I just got this admin job at a local ISP that
> > has 5 RAQs and the 2 with DNS running had been exploited. I'm in the
> > process of formatting them, but I am fighting with radius on a backup red
> > hat 6.2 server so I can switch over. So...I dunno what version the fixed
> > is, but it should be like bind 8.2.2 patch level 3.
>
> Happiness is.....
>
> [root admin]# find / -name "ADM*"
> [root admin]#
>
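
One way to confirm that the init-script change described in the message above took effect, as an added example that is not part of the original post: it checks both that the 'daemon named' line carries -u and that the running named process is no longer owned by root. The function names and sample data are constructed, and the live usage assumes a ps that accepts `-eo user=,comm=`.

```shell
#!/bin/sh
# Added example: audit that named is configured to drop root and actually did.

# Print the user given to named with -u in an init script. Prints "root" when
# the 'daemon named' line has no -u option (named then keeps root privileges).
named_init_user() {
    line=$(grep -E '^[[:space:]]*daemon[[:space:]]+named' "$1" | head -n 1)
    [ -n "$line" ] || { echo "no 'daemon named' line in $1" >&2; return 2; }
    user=$(printf '%s\n' "$line" |
        sed -n 's/.*[[:space:]]-u[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p')
    echo "${user:-root}"
}

# Read "USER COMMAND" rows (the output of `ps -eo user=,comm=`) on stdin and
# print the owner of each named process.
# Exit status: 0 = none run as root, 1 = at least one runs as root,
# 2 = no named process found.
named_proc_owners() {
    awk 'BEGIN { seen = 0; bad = 0 }
         $2 == "named" { print $1; seen = 1; if ($1 == "root") bad = 1 }
         END { if (!seen) exit 2; exit bad }'
}

# Full check: init script path as $1, ps rows on stdin.
audit_named() {
    cfg_user=$(named_init_user "$1") || return 2
    owners=$(named_proc_owners) && rc=0 || rc=$?
    if [ "$cfg_user" = "root" ]; then
        echo "FAIL: init script starts named without -u (runs as root)"; return 1
    elif [ "$rc" -eq 2 ]; then
        echo "WARN: configured for '$cfg_user' but named is not running"; return 2
    elif [ "$rc" -ne 0 ]; then
        echo "FAIL: configured for '$cfg_user' but a named process runs as root"
        return 1
    fi
    echo "OK: named runs as $(printf '%s\n' "$owners" | sort -u | xargs)"
}

# Demo on constructed data; on a real host use:
#   ps -eo user=,comm= | audit_named /etc/rc.d/init.d/named
demo=$(mktemp)
printf 'start)\n\tdaemon named -u nobody -g nobody\n' > "$demo"
printf 'root init\nnobody named\n' | audit_named "$demo" || true
rm -f "$demo"
```

A FAIL on the second check after editing the script usually means named was not restarted, so the old root-owned process is still the one answering queries.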