On 01.07.2014 17:46, Matus UHLAR - fantomas wrote:
>> You need to start named as root for it to be able to chroot. (Unless Solaris has some cunning fine-grained privilege feature I don't know about.)
>
> On 01.07.14 15:18, Stewart, Larry C Sr CTR DISA JITC (US) wrote:
>> Ok, so that was not a good troubleshooting technique; I was trying to determine what did not have the correct permissions and was thus causing the warning. I guess I will go ahead and run it the way I have been for the last 5 years, unless I find it is causing me problems.
>
> For now we have to trust BIND that it will properly bind(), chroot() and drop privileges...
>
> Does anyone know if there's a way to leave these (dropping privileges) to other programs, so BIND and similar apps won't have to implement this on their own? ... on Linux or other OSes?
>
> (Taking care of the security of a small program should be easier.)
In theory: http://www.freedesktop.org/software/systemd/man/systemd.socket.html

That way systemd opens the socket before the daemon is started, which could even happen on demand, and so the systemd unit could start the service process from the beginning as a low-privileged user - *but* I am not sure how to deal with chroot in that context.

However, we restrict most services like below, giving them only the needed capabilities and making /etc and /usr read-only, which greatly improves security:

PrivateTmp=true
TimeoutSec=25
Restart=always
RestartSec=1
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=/boot
InaccessibleDirectories=/home
InaccessibleDirectories=/root
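The following socket/service unit pair is an added illustration of the approach sketched in the message above; it is not from the original thread and not a unit shipped by ISC or any distribution. It assumes a hypothetical daemon `/usr/sbin/exampled` running as the hypothetical user `exampled` that accepts its listening sockets from systemd (the LISTEN_PID/LISTEN_FDS convention documented in the linked sd_listen_fds manual); a daemon that does not implement that convention will simply ignore the inherited descriptors. Because systemd binds port 53 as root and starts the process already unprivileged, the CAP_NET_BIND_SERVICE, CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT entries from the hardening list above are no longer needed in the daemon, and the chroot question is answered by systemd's own RootDirectory= directive (systemd.exec) rather than by chroot() code in the service.

```ini
# /etc/systemd/system/exampled.socket   (hypothetical unit name)
[Unit]
Description=DNS listener for exampled (socket opened by systemd, not by the daemon)

[Socket]
# systemd, running as root, binds the privileged port once; the service
# process inherits the bound descriptors starting at fd 3 and never needs
# CAP_NET_BIND_SERVICE itself. One UDP and one TCP socket are passed, in
# the order listed here.
ListenDatagram=0.0.0.0:53
ListenStream=0.0.0.0:53

[Install]
WantedBy=sockets.target
```

```ini
# /etc/systemd/system/exampled.service   (hypothetical unit name)
[Unit]
Description=exampled, socket-activated and started unprivileged
Requires=exampled.socket
After=exampled.socket

[Service]
# --foreground is an assumed flag of the hypothetical daemon; real daemons
# differ. The daemon must read LISTEN_PID/LISTEN_FDS instead of bind()ing.
ExecStart=/usr/sbin/exampled --foreground
# Unprivileged from the first instruction: no setuid()/setgid() code inside
# the daemon has to be trusted.
User=exampled
Group=exampled
# chroot done by systemd before exec; the directory must contain whatever the
# binary loads at start-up (libraries, config, zone data).
RootDirectory=/srv/exampled-root
# With the socket, the user switch and the chroot handled by systemd, the
# bounding set can be reset to empty (an empty assignment means "none").
CapabilityBoundingSet=
# The rest mirrors the hardening from the message above.
PrivateTmp=true
TimeoutSec=25
Restart=always
RestartSec=1
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=/boot
InaccessibleDirectories=/home
InaccessibleDirectories=/root
```

To confirm the process really ended up where the unit says, compare `systemctl show -p CapabilityBoundingSet exampled.service` with the `CapBnd`/`CapEff` lines in `/proc/<pid>/status` of the running daemon (both should be all zeros here) and check `ls -l /proc/<pid>/root` resolves to the RootDirectory= path; `ss -lnp sport = :53` should show the socket owned by the unprivileged process even though it was bound before that user existed in the process.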