On 10 Jul 2001 12:54:21 -0600, Bdale Garbee wrote:

> crowat_private writes:
> > The bind daemon run as root, but it should run as ...
>
> You obviously have neither read /usr/share/doc/bind/README.Debian nor looked
> at the existing bug reports against bind in the Debian bug tracking system.

We read the following line in the Debian bug tracking system:

#50013: bind: bind should not run as root. Package: bind; Severity: wishlist; Reported by: Pierre Blanchet <blanchetat_private>; merged with #52745, #53550; 1 year and 242 days old.

Hmm, it looks like Debian doesn't want to run the bind daemon as a non-privileged user. It's very dangerous, because when there is a bug in the program (not impossible :), the attacker can break out of the chroot and can spawn a root shell. In the other distros it runs as the 'named' user, so the attacker can't break out of the chroot, can't mknod, doesn't get a root shell, etc. Nice feature, if it is used.

But in Debian this is not so simple. If the SERVER has USB and PCMCIA network device drivers, when a new interface is connected to Linux the user needn't restart bind, because it runs as root, so it can detect and bind the port on the new interface.

On this point, we think security is more important than comfort (and bind was developed for the server environment). If we think the bad way - so that comfort comes first - the Debian maintainers should have some idea (they have had 1 year and 242 days so far :) to solve the problem. For example, put the bind restart script into PCMCIA's cardmgr and/or USB's usbmgr scripts (they run as root).

Dear maintainer, at least put a simple script into the deb package which asks on install whether the daemon should run as root or not.

Best regards,
Foldi Ur, Megyer Ur

> Reprioritizing as wishlist and merging with the other requests of similar
> nature.
>
> Bdale

-- 
Foldi Tamas - We Are The Hashmark In The Rootshell - Security Consultant crowat_private - PGP: finger://crowat_private - (+3630) 221-7477
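As an added example, not part of the original message or of the Debian bind package, here is a small audit script an administrator can run on a Linux host to check the two properties the post argues about: whether a running named process has uid 0, and whether it is confined by a chroot. It assumes a Linux /proc filesystem and the pidof command; the uid 102 used in the comments is a constructed sample, not Debian's real named uid.

```shell
#!/bin/sh
# Added example (not from the original post): audit a running named process
# through the /proc entries the Linux kernel exposes for it.
# audit_status takes the path of a /proc/<pid>/status file so it can also
# be run against a saved copy of that file.

# audit_status STATUSFILE
# Prints "root" if the real or effective uid is 0 (returns 1),
# otherwise prints "unprivileged" (returns 0).
audit_status() {
    # The Uid line reads: "Uid:\t<real>\t<effective>\t<saved>\t<fs>"
    uids=$(awk '/^Uid:/ { print $2, $3 }' "$1")
    set -- $uids
    if [ "$1" = "0" ] || [ "$2" = "0" ]; then
        echo root
        return 1
    fi
    echo unprivileged
    return 0
}

# audit_root PROCDIR
# /proc/<pid>/root is a symlink to the process's root directory; it points
# to "/" when the process is not chrooted. Reading it needs ownership or
# root, so a permission failure is reported as "unknown" (returns 2).
audit_root() {
    target=$(readlink "$1/root") || { echo unknown; return 2; }
    if [ "$target" = "/" ]; then
        echo "not chrooted"
        return 1
    fi
    echo "chrooted to $target"
    return 0
}

# audit_named: locate every named process and report both properties.
# Example line for a hardened setup (constructed): uid 102 -> "unprivileged",
# root -> "chrooted to /var/cache/bind".
audit_named() {
    for pid in $(pidof named); do
        printf 'named pid %s: ' "$pid"
        audit_status "/proc/$pid/status"
        printf 'named pid %s: ' "$pid"
        audit_root "/proc/$pid"
    done
}
```

Run audit_named as root (or as the user owning the daemon) so that /proc/<pid>/root is readable; a result of "root" or "not chrooted" is the configuration the post warns about.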
This archive was generated by hypermail 2b30 : Sun Jul 15 2001 - 19:59:58 PDT