On Tue, 14 Jul 1998, Carlos Barros wrote:
> On Tue, 14 Jul 1998, cfb wrote:
>
> > The main problem seems to be with the way that debian starts bind using
> > the script /etc/init.d/bind. I thought it would be really neat to just
> > change the #!/bin/sh at the top of the script to something like :
> > #!/usr/sbin/chroot /chroot-dns/ /bin/sh
> > or
> > #!/usr/sbin/chroot /chroot-dns/ /chroot-dns/bin/sh
>
>
> try changing only the line that start the bind daemon eg:
>
> chroot /chroot-dns/ /bin/named
What this chroot gives You? Actually this is protection against simple
exec("/bin/sh") but every cracker may put chroot("/") before this and all
the protection is destroyed.
My idea is to run named non-root UID/GID. As named needs to bind port 53
which is below 1024 there are problem to execute it. One solution is to
rewrite named code (like httpd) another is to make the hole into the
kernel. Both are nonstandard solutions. There are also possible to use
some portwrapper/redir. Does anyone use some of these?
---
Cougar
--
Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
