Re: [cobalt-users] Running Bind as non Root
- Subject: Re: [cobalt-users] Running Bind as non Root
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Thu Aug 23 06:32:26 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"Ja" <jjma@xxxxxxxxxxxxxx> wrote:
> I just installed bind-update.pkg and it runs under user
> "root". I heard that named should not run as user "root".
> Could someone provide an alternative answer and maybe a resolution?
Ja,
It's always safer to run a service as an unprivileged user instead of as the
root user since if someone exploits a vulnerability in the service they'll
have the privileges of that user instead of root. In order to run bind as
the user "named" you need to make sure that there is a user and group for
that user first. I believe there is by default on the RaQ4, there isn't on
the RaQ1/2 and I'm not sure on the RaQ3 offhand. To check if the user
exists type:
grep named /etc/passwd
If it returns a record the user exists. If not, type:
/usr/sbin/groupadd named
/usr/sbin/useradd named -g named -s /bin/false
Then edit the file /etc/rc.d/init.d/named. I like to use pico. Use emacs,
vi, joe or something else if you prefer. You should see the following line
under a section marked "start":
daemon named
Replace it with:
daemon named -u named -g named
Then restart bind by typing:
/etc/rc.d/init.d/named stop
/etc/rc.d/init.d/named start
If you look at your server's process list you should see that it is now
running as user named (process owners show in first column). Here's mine on
a RaQ2:
[root@ns /root]# ps aux | grep named
named 29421 0.2 3.2 7492 4160 ? S Jun 11 269:40 named -u named -g nam
And on a RaQ4 of mine:
[admin admin]$ ps aux | grep named
named 30112 0.0 0.1 2560 864 ? S Aug21 0:00 named -u named -g
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
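The procedure from Steve's post, as an added example that is not part of the original message: sh functions that create the account only if it is missing, rewrite the "daemon named" line without doubling the flags on a second run, and verify from "ps aux" output which user named is running as. The init-script path is the one from the post; the ps lines in the block are constructed samples, and the account-creation function is only for a root shell.

```sh
#!/bin/sh
# Added example, not code from the original post. Wraps the steps from the
# post in functions that are safe to re-run. Path per the post; the ps
# output samples below are constructed for illustration.

INIT_SCRIPT=/etc/rc.d/init.d/named

# Create the unprivileged account only when /etc/passwd lacks it (run as root).
ensure_named_user() {
    grep -q '^named:' /etc/passwd && return 0
    /usr/sbin/groupadd named
    /usr/sbin/useradd named -g named -s /bin/false
}

# Rewrite a bare "daemon named" line so named drops privileges at start;
# leaves an already-patched script untouched.
patch_init_script() {
    script="${1:-$INIT_SCRIPT}"
    grep -q 'daemon named -u named -g named' "$script" && return 0
    sed 's/^\([[:space:]]*\)daemon named[[:space:]]*$/\1daemon named -u named -g named/' \
        "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# Read "ps aux" output on stdin, print the owner of the named process and
# fail unless it is the expected user. Skips the "grep named" line and
# scans from field 11 because an old START column ("Jun 11") spans two fields.
check_named_owner() {
    expected="${1:-named}"
    owner=$(awk '/grep/ { next }
        { for (i = 11; i <= NF; i++)
              if ($i == "named" || $i ~ /\/named$/) { print $1; exit } }')
    [ -n "$owner" ] || return 1
    echo "$owner"
    [ "$owner" = "$expected" ]
}

# Constructed samples in the layout of the post's ps output.
PS_SAMPLE_OK='named 30112 0.0 0.1 2560 864 ? S Aug21 0:00 named -u named -g named'
PS_SAMPLE_ROOT='root 512 0.0 0.1 2560 864 ? S Jun 11 0:00 /usr/sbin/named
root 601 0.0 0.0 1200 400 pts/0 S 06:32 0:00 grep named'
```

On a live server, run `ps aux | check_named_owner named` after the restart; a non-zero exit means the edit did not take effect.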