On Fri, 17 Jul 1998, Carlos Barros wrote:

> On Fri, 17 Jul 1998, Cougar wrote:
>
> > > try changing only the line that starts the bind daemon, eg:
> > >
> > > chroot /chroot-dns/ /bin/named
> >
> > What does this chroot give you? Actually this is protection against a simple
> > exec("/bin/sh"), but every cracker may put chroot("/") before this and all
> > the protection is destroyed.
>
> Maybe, but if you make a tree with only bind, no ftp access, and the
> required libraries/config files, no cracker could exec any sh, chroot,
> etc, etc.

I didn't mean the shell's chroot command but the chroot(2) system call. You can't block it if the code runs under root id.

> > My idea is to run named with a non-root UID/GID. As named needs to bind port 53,
> > which is below 1024, there is a problem executing it. One solution is to
> > rewrite the named code (like httpd), another is to make a hole in the
> > kernel. Both are nonstandard solutions. It is also possible to use
> > some portwrapper/redir. Does anyone use any of these?
>
> AFAIK apache starts with uid 0 gid 0; binds to port 80; changes uid/gid...
> it would be good for bind to do it...

It appears that bind8 can do this.

---
Cougar
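The sequence the thread is describing (bind the privileged port while still root, then chroot and switch to an unprivileged uid/gid), as an added example in C. This is not code from the original messages or from BIND; the jail path, uid and gid in main() are hypothetical values a caller would pass, and the loopback/UDP socket is only a stand-in for a real listener. It also checks the point Cougar makes: a chroot only holds once the process can no longer regain uid 0.

```c
/* Added example, not from the original thread or from BIND.
 * Demonstrates: bind a port < 1024 as root, chroot, then drop privileges
 * in the order the kernel requires, and verify root cannot be regained. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind a UDP socket to `port` on loopback.  Ports below 1024 need root
 * (or CAP_NET_BIND_SERVICE on modern Linux), so this must run before
 * privileges are dropped.  Returns the fd, or -1 with errno set. */
int bind_port(uint16_t port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Report the port a socket is actually bound to (useful when port 0,
 * i.e. "any free port", was requested).  Returns -1 on error. */
int bound_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* Confine the process to `jail` and give up root.  Order matters:
 *  - chdir() into the jail, then chroot(), then chdir("/") again, so the
 *    working directory is inside the new root and cannot be used to walk out;
 *  - setgroups() before setgid(), both before setuid(): once the uid is
 *    no longer 0 the first two fail with EPERM;
 *  - after setuid(), confirm root cannot be regained.  A process that keeps
 *    uid 0 can simply call chroot(2) again, which is the thread's objection.
 * Refuses uid/gid 0.  Returns 0 on success, -1 on any failure (errno set). */
int drop_privileges(const char *jail, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (chdir(jail) < 0) return -1;
    if (chroot(jail) < 0) return -1;
    if (chdir("/") < 0) return -1;
    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* If we can still become root, the drop did not take: treat as failure. */
    if (setuid(0) == 0 || setgid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void) {
    /* Hypothetical values: a DNS jail directory and the classic "nobody" ids. */
    const char *jail = "/chroot-dns";
    uid_t unpriv_uid = 65534;
    gid_t unpriv_gid = 65534;

    int fd = bind_port(53);              /* needs root: port 53 < 1024 */
    if (fd < 0) { perror("bind_port(53)"); return 1; }
    if (drop_privileges(jail, unpriv_uid, unpriv_gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("udp/%d bound, now uid %u gid %u inside %s\n",
           bound_port(fd), (unsigned)getuid(), (unsigned)getgid(), jail);
    /* ... serve queries here with no way back to uid 0 ... */
    close(fd);
    return 0;
}
```

Run as root to see the full sequence; as an ordinary user bind_port(53) fails with EACCES, which is exactly why the privileged bind has to happen before the uid switch. The jail must contain everything named needs after the chroot (config, zone files, any shared libraries it loads late), since nothing outside it is reachable once chroot() returns.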