Re: bind running as root in Mandrake 7.0

2000-06-07 Thread Sebastian Rittau
On Mon, Jun 05, 2000 at 04:17:41AM -0800, Ethan Benson wrote: > i don't think it is necessary (or really desirable) to have the > postinst asking about running bind as root, i think that the number of > people who need it is far too small to justify ya interruption in the > system install. I tend

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread L. Besselink
On Mon, 5 Jun 2000, Tim Haynes wrote: > On Mon, Jun 05, 2000 at 01:33:33PM +, Nick Phillips wrote: > > Michael Stone wrote: > > > > > And I still think this is a stupid reason for us to be allowing a security > > > problem to sit around--how many people run dns servers on machines with > > >

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Pavel Cholakov
On Mon, Jun 05, 2000 at 02:55:08PM +, Tim Haynes wrote: ] Erm... 'usepeerdns' and stuff... ] ] Another thought to throw into the fray.. What was that package that asks you ] for your local & external interfaces, then goes and ballses up a default ] firewall for you? ... Maybe some integration

Re: is it really useful to use chroot? (was: bind running as root in Mandrake 7.0)

2000-06-05 Thread thomas lakofski
chrooting bind is probably worthwhile because
* bind has an abysmal record
* gaining access to the system with uid/gid==bind may well allow an intruder to gain elevated privileges by exploiting a locally-accessible vulnerability, which would otherwise not be exposed

yes, it's a pain, but it shoul

is it really useful to use chroot? (was: bind running as root in Mandrake 7.0)

2000-06-05 Thread Carlos Carvalho
I wonder if running bind (not as root, of course) in a chroot jail is really worth the hassle. If you give it a correct uid/gid it'll only have access to public read-only files after all. If it were just a config option it'd be fine, but there's the mess with libs et al. that does need some determ

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Tim Haynes
On Mon, Jun 05, 2000 at 01:33:33PM +, Nick Phillips wrote: > Michael Stone wrote: > > > And I still think this is a stupid reason for us to be allowing a security > > problem to sit around--how many people run dns servers on machines with > > dynamic addresses? > > Loads. How many people use

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Nick Phillips
Michael Stone wrote: > And I still think this is a stupid reason for us to be allowing a > security problem to sit around--how many people run dns servers on > machines with dynamic addresses? Loads. How many people use IP masq to let their bunch of Win98 clients share their net connection? How m

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Ethan Benson
On Mon, Jun 05, 2000 at 12:59:36PM +0100, Zak Kipling wrote: > On Mon, 5 Jun 2000, Ethan Benson wrote: > > > idiots should not be running bind. > > Very true. But we can't very well have an install script which asks "Are > you an idiot?" and aborts installation if the user answers "Yes" ;-) > B

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Zak Kipling
On Mon, 5 Jun 2000, Ethan Benson wrote: > idiots should not be running bind. Very true. But we can't very well have an install script which asks "Are you an idiot?" and aborts installation if the user answers "Yes" ;-) Bottom line is idiots *will* run bind anyway (after all they are idiots...)

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Ethan Benson
On Mon, Jun 05, 2000 at 01:47:08PM +0200, Marco Giardini wrote: > On Mon, Jun 05, 2000 at 03:45:07AM -0800, Mr.Ethan Benson wrote: > > > > fwiw, OpenBSD by default installs an audited bind 4 configured to run > > non-root in a chroot jail. i presume they don't use bind 8 because it > > probably n

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Ethan Benson
On Mon, Jun 05, 2000 at 12:30:15PM +0100, Anton Ivanov wrote: > > > > And I still think this is a stupid reason for us to be allowing a > > security problem to sit around--how many people run dns servers on > > machines with dynamic addresses? > > Agree. > > I was just elaborating on the way to

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Marco Giardini
On Mon, Jun 05, 2000 at 03:45:07AM -0800, Mr.Ethan Benson wrote: > > fwiw, OpenBSD by default installs an audited bind 4 configured to run > non-root in a chroot jail. i presume they don't use bind 8 because it > probably needs to be 110% rewritten to make it secure... OpenBSD 2.6 install Bind 8

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Ethan Benson
On Mon, Jun 05, 2000 at 07:08:45AM -0400, Michael Stone wrote: > > And I still think this is a stupid reason for us to be allowing a > security problem to sit around--how many people run dns servers on > machines with dynamic addresses? i would guess the people running bind on dynamic addresses c

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Carlos Carvalho
Michael Stone ([EMAIL PROTECTED]) wrote on 5 June 2000 07:08: >On Mon, Jun 05, 2000 at 10:28:04AM +0100, Anton Ivanov wrote: >> There was a long standing discussion on this which basically boils down to >> the >> fact that if you obtain your address dynamically or have dynamic interfaces >>

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Anton Ivanov
> > And I still think this is a stupid reason for us to be allowing a > security problem to sit around--how many people run dns servers on > machines with dynamic addresses? Agree. I was just elaborating on the way to do it "idiot-proof". If you have any of the pcmcia, ppp, etc installed ask t

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Michael Stone
On Mon, Jun 05, 2000 at 10:28:04AM +0100, Anton Ivanov wrote: > There was a long standing discussion on this which basically boils down to > the > fact that if you obtain your address dynamically or have dynamic interfaces > (some form of PPP or anything on PCMCIA) you have to run it as root in

Re: bind running as root in Mandrake 7.0

2000-06-05 Thread Anton Ivanov
> On Sat, Jun 03, 2000 at 04:03:51PM +0200, Nicolas MONNET wrote: > > bind is run as user / group 'root' in Mandrake 7.0, and probably in > > Redhat6.x as well. > > Debian Slink and Potato (frozen) both install BIND 8.2.2R5 as root. There was a long standing discussion on this which basically boi