Bugtraq mailing list archives

Re: Bug#104182: bind: Bind daemon run as root (needless)


From: Foldi Tamas <crow () kapu hu>
Date: 11 Jul 2001 14:44:12 +0200

On 10 Jul 2001 12:54:21 -0600, Bdale Garbee wrote:
> crow () kapu hu writes:
> > The bind daemon runs as root, but it should run as ...
>
> You obviously have neither read /usr/share/doc/bind/README.Debian nor looked
> at the existing bug reports against bind in the Debian bug tracking system.

We read the following line in the Debian bug tracking system:

#50013: bind: bind should not run as root.
Package: bind; Severity: wishlist; Reported by: Pierre Blanchet
<blanchet () cvf fr>; merged with #52745, #53550;  1 year and 242 days old.

Hmm, it looks like Debian doesn't want to run the bind daemon as a
non-privileged user. It's very dangerous, because when there is a bug
in the program (not impossible :), the attacker can break out of the chroot
and can spawn a root shell.

In the other distros it runs as the 'named' user, so the attacker can't
break out of the chroot, can't mknod, doesn't get a root shell, etc. Nice
feature, if it is used.

But in Debian, this is not so simple. If the SERVER has USB and PCMCIA
network device drivers, then when a new interface is connected to Linux the
user needn't restart bind, because it runs as root, so it can detect and
bind the port on the new interface.

At this point, we think security is more important than comfort (and
bind is developed for the server environment). If we think the other way
- so comfort comes first - the Debian maintainers should have some idea
(they have had 1 year and 242 days so far :) to solve the problem. For
example, put the bind restart script into PCMCIA's cardmgr and/or USB's
usbmgr scripts (they are run as root).

Dear maintainer, at least put a simple script into the deb package which
asks on install whether the daemon should run as root or not.

Best regards,
Foldi Ur, Megyer Ur

> Reprioritizing as wishlist and merging with the other requests of similar
> nature.
>
> Bdale

-- 
. . _ __ ______________________________________________________ __ _ . .
Foldi Tamas - We Are The Hashmark In The Rootshell - Security Consultant
   crow () kapu hu - PGP: finger://crow () thot banki hu - (+3630) 221-7477 
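The whole argument above turns on one thing a sysadmin can verify on a running box: has named actually given up root, and is it confined to a chroot? The following audit script is an added example and is not part of the original thread or of Debian's bind package. It assumes a Linux /proc layout (a "Uid:" line with real, effective, saved and fs uid in /proc/<pid>/status, and a /proc/<pid>/root symlink); the process name `named` and the sample status excerpts are assumptions constructed for the example.

```sh
#!/bin/sh
# Added audit script, not from the original thread. For every running
# named process it reports whether root has really been dropped and
# whether the process is confined to a chroot. Assumes a Linux /proc
# layout; the process name "named" is an assumption.

# runs_unprivileged STATUS_TEXT
# Returns 0 only when all four uid columns (real, effective, saved, fs)
# are non-zero. A daemon that merely seteuid()s to a user keeps real and
# saved uid 0 and can switch back, so the effective uid alone proves little.
runs_unprivileged() {
    printf '%s\n' "$1" | awk '
        $1 == "Uid:" { seen = 1
                       if ($2 == 0 || $3 == 0 || $4 == 0 || $5 == 0) root = 1 }
        END { if (!seen) exit 2; exit root ? 1 : 0 }'
}

# uid_from_status STATUS_TEXT: prints the effective uid (third column).
uid_from_status() {
    printf '%s\n' "$1" | awk '$1 == "Uid:" { print $3; exit }'
}

# chroot_of PID: prints the directory /proc/<pid>/root resolves to;
# "/" means the process is not chrooted at all.
chroot_of() {
    readlink "/proc/$1/root" 2>/dev/null || echo "?"
}

# audit_named: one line per named process; exits non-zero if any of them
# still runs as root or has no chroot.
audit_named() {
    rc=0
    for pid in $(pgrep -x named 2>/dev/null); do
        body=$(cat "/proc/$pid/status" 2>/dev/null) || continue
        root=$(chroot_of "$pid")
        if runs_unprivileged "$body"; then
            who="uid $(uid_from_status "$body")"
        else
            who="ROOT"
            rc=1
        fi
        if [ "$root" = "/" ]; then
            root="no chroot"
            rc=1
        fi
        echo "named[$pid]: running as $who, root=$root"
    done
    return $rc
}

# Constructed sample /proc/<pid>/status excerpts (not captured from a real
# host; real files separate columns with tabs, which awk also accepts).
SAMPLE_ROOT='Name: named
Uid: 0 0 0 0
Gid: 0 0 0 0'
SAMPLE_DROPPED='Name: named
Uid: 104 104 104 104
Gid: 106 106 106 106'
SAMPLE_SETEUID_ONLY='Name: named
Uid: 0 104 0 104
Gid: 106 106 106 106'

# Self-check against the samples, then audit the live system.
runs_unprivileged "$SAMPLE_DROPPED"      && echo "sample: privileges dropped"
runs_unprivileged "$SAMPLE_ROOT"         || echo "sample: still root"
runs_unprivileged "$SAMPLE_SETEUID_ONLY" || echo "sample: seteuid only, can regain root"
audit_named
```

The third sample is the case worth remembering: a process whose effective uid is the 'named' user but whose real and saved uid are still 0 has not dropped anything, and the script flags it. On a daemon that is started with BIND's own `-u named -t /path/to/chroot` switches the audit should report a non-zero uid and a root directory other than "/".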