
[cobalt-users] Running named as root ? Why not change it standard cobalt ??



>A little while ago there was some discussion 
>about the risks of  running named as root.
>
>I just got a brand new raq and the first thing 
>I noticed is that named was running as root 
>again ^%#$^&@
>
>Why is cobalt ignoring these "risks" and what
>exactly are the risks of running named as root ???? 
>Is it that hard for them to change that in newer
>delivered servers....

Personally, I've been thinking about this the last few
days as well, since I just had to rebuild a server.
While I have always changed my user/group over to
"named" and run it as such, Carrie recently pointed
out that at least on the RaQ4's, "named" was already
set up in the group/password file. Might it just be
possible that it's simply another revenue stream for
the Cobalt "professional" services ($200+ hr.) to go
in there and make the 2 little changes that are needed
to run named as a non-root user/group..? ANYWAY...
Here's all that needs to be done to change it over.
Note I now use raqnamed for my user/group, since named
is already on the box.. I like to throw in the
2>/dev/null || : for a bit of added protection.

useradd -c "RaqNamed" -u 25 -s /bin/false -r -d /etc/named raqnamed 2>/dev/null || :

Then:

In /etc/rc.d/init.d/named, change the 2 instances
of:

daemon named

to read:

daemon named -u raqnamed -g raqnamed

Then:

restart named as:

/etc/rc.d/init.d/named restart 

(or start if it's not already running)

Details of the above code:

The '-u 25' option informs the system to set the UID
to number 25, which refers to the named user. 

The '-s /bin/false' option informs the system to use
the program /bin/false as a shell for this user, which
means that user 'named' will not have shell access to
the system. The /bin/false redirects the input to a
null device (/dev/null) for security. 

The '-r -d /etc/named' informs the system to create a
home directory for this user, which will be located
under the /etc/named directory.

Finally the name coming after the '-r -d /etc/named'
gives the username, which is associated with the
numerical ID 25 for this user, in our case the user
will be 'raqnamed'.

Cheers!
Scott
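As an added example (not code from the original post, nor from Cobalt), a POSIX shell script that makes the init-script edit described above on a copy of /etc/rc.d/init.d/named and checks that no start line is left running named as root; it assumes the same raqnamed user/group, and the sample init-script lines and the ps output it inspects are constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not from the original post: apply the init-script change
# described above to a copy of /etc/rc.d/init.d/named and verify it.
# The user/group name defaults to raqnamed as in the post; the sample
# init-script text and the ps output used below are constructed.

NAMED_USER="${NAMED_USER:-raqnamed}"

# Rewrite each bare "daemon named" line so named starts with -u/-g.
# Lines that already carry -u are skipped, so running this twice is safe.
patch_named_init() {
    cp "$1" "$1.orig"                       # keep the untouched original
    sed -e "/-u /!s/^\([[:space:]]*\)daemon named[[:space:]]*$/\1daemon named -u $NAMED_USER -g $NAMED_USER/" \
        "$1.orig" > "$1"
}

# Number of lines that still start named with no -u, i.e. as root.
count_root_starts() {
    grep -c "^[[:space:]]*daemon named[[:space:]]*$" "$1" || true
}

# Given "ps -eo user=,comm=" style output, succeed only if a named
# process exists and is not owned by root (the risk the thread is about).
named_user_ok() {
    _u=$(printf '%s\n' "$1" | awk '$2 == "named" { print $1; exit }')
    [ -n "$_u" ] && [ "$_u" != "root" ]
}

# Constructed stand-in for the RaQ init script: only the start lines matter.
SAMPLE_INIT='#!/bin/sh
start() {
        daemon named
}
restart() {
        killproc named
        daemon named
}'

demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_INIT" > "$f"
    echo "root starts before: $(count_root_starts "$f")"
    patch_named_init "$f"
    echo "root starts after:  $(count_root_starts "$f")"
    grep 'daemon named' "$f"
    rm -f "$f" "$f.orig"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo` to see the sample script before and after; on a real box, point patch_named_init at the actual init script and then check `ps -eo user=,comm=` with named_user_ok after the restart.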
