Bugtraq mailing list archives
Re: Bug#104182: bind: Bind daemon run as root (needless)
From: Foldi Tamas <crow () kapu hu>
Date: 11 Jul 2001 14:44:12 +0200
On 10 Jul 2001 12:54:21 -0600, Bdale Garbee wrote:
> crow () kapu hu writes:
>> The bind daemon run as root, but it should run as ...
>
> You obviously have neither read /usr/share/doc/bind/README.Debian nor looked at the existing bug reports against bind in the Debian bug tracking system.
We read the following line in the Debian bug tracking system:

#50013: bind: bind should not run as root.
Package: bind; Severity: wishlist; Reported by: Pierre Blanchet <blanchet () cvf fr>; merged with #52745, #53550; 1 year and 242 days old.

Hmm, it looks like Debian doesn't want to run the bind daemon as a non-privileged user. It's very dangerous, because when there is a bug in the program (not impossible:), the attacker can break out of the chroot and can spawn a rootshell. In the other distros it's run as the 'named' user, so the attacker can't break out of the chroot, can't mknod, doesn't get a rootshell, etc. Nice feature, if it is used.

But in Debian, this is not so simple. If the SERVER has USB and PCMCIA network device drivers, when a new interface is connected to Linux, the user needn't restart bind, because it runs as root, so it can detect and bind a port on the new interface. On this point, we think security is more important than comfort (and bind was developed for the server environment). If we think wrong - so comfort comes first - the Debian maintainers should have some idea (they have had 1 year and 242 days so far:) to solve the problem. For example, put the bind restart script into PCMCIA's cardmgr and/or USB's usbmgr scripts (they are run as root).

Dear maintainer, at least put a simple script into the deb package which asks on install whether the daemon should run as root or not.

Best regards,
Foldi Ur, Megyer Ur
> Reprioritizing as wishlist and merging with the other requests of similar nature.
>
> Bdale
--
. . _ __ ______________________________________________________ __ _ . .
Foldi Tamas - We Are The Hashmark In The Rootshell - Security Consultant
crow () kapu hu - PGP: finger://crow () thot banki hu - (+3630) 221-7477
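An audit of the condition discussed in the message above, as an added example that is not part of the original post or of the Debian package: it classifies each named process by owner and by whether a chroot was requested. It assumes input in `ps -eo user,args` form and that the chroot is requested with named's `-t` option; the sample lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -eo user,args` output (not taken from a real host).
SAMPLE_PS='root /usr/sbin/named
root /usr/sbin/named -t /var/lib/named
named /usr/sbin/named -u named
named /usr/sbin/named -u named -t /var/lib/named
root /usr/sbin/sshd -D'

# classify_named OWNER [ARGS...]: print a verdict for one named process.
# ps reports the effective user, so OWNER already reflects any -u privilege drop.
classify_named() {
    owner=$1; shift
    jail=no
    while [ $# -gt 0 ]; do
        if [ "$1" = "-t" ] && [ $# -ge 2 ]; then jail=yes; fi
        shift
    done
    if [ "$owner" = "root" ]; then
        if [ "$jail" = yes ]; then
            echo "HIGH: root inside chroot (root can escape the jail)"
        else
            echo "HIGH: root, no chroot"
        fi
    elif [ "$jail" = yes ]; then
        echo "OK: unprivileged user '$owner' inside chroot"
    else
        echo "MEDIUM: unprivileged user '$owner', no chroot"
    fi
}

# audit_named: read "USER COMMAND ARGS..." lines on stdin, report each named process.
audit_named() {
    while read -r owner cmd args || [ -n "$owner" ]; do
        [ "${cmd##*/}" = "named" ] || continue
        set -f                      # no globbing while splitting the argument string
        classify_named "$owner" $args
        set +f
    done
}

# count_root_named: number of named processes still owned by root.
count_root_named() {
    audit_named | grep -c '^HIGH' || true
}

printf '%s\n' "$SAMPLE_PS" | audit_named
```

On a live host, feed it real data with `ps -eo user,args | audit_named`.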
Current thread:
- Re: Bug#104182: bind: Bind daemon run as root (needless) Foldi Tamas (Jul 15)