Firewall Wizards mailing list archives
DNS, SUID, Chroot
From: papowell () astart com
Date: Mon, 13 Oct 1997 08:13:45 -0700 (PDT)
From adam () homeport org Sun Oct 12 11:16:15 1997
From: Adam Shostack <adam () homeport org>
Subject: Re: DNS on the Firewall - security problem
To: ahuger () silence secnet com
Date: Sun, 12 Oct 1997 01:41:38 -0400 (EDT)
Cc: firewall-wizards () nfr net, firewalls () GreatCircle COM (Firewalls mailing list)

Alfred is absolutely right. I forgot how little what I first wrote references this; I've added a paragraph to make more clear that this is not a real fix, but a temporary hack.

I'm working on a paper on the topic of DNS, and working on some kernel hacks to allow a special user or group (other than root) to bind to low numbered ports. Another way to deal with the problem is to use a packet filter that does port translation so that the DNS server can live on a high numbered port (eg, 5353), and still appear to be on port 53. Both these allow you to run the DNS server as an unprivileged user in a chroot jail.
I have run into the same problem with the need for SUID and privileges for ports. I have been using the following technique - your mileage may vary on this.

1. (Need to do as EUID ROOT) Open socket, bind to port, and do set sockopts. You need to do this for any socket that will be bound to a privileged port. (Note: some systems require that sockets opened as root must be modified by the process EUID ROOT, and bind/setsockopts seem to fall into this category)

2. (Need to do as ROOT on some systems) do CHROOT to the jail area.

3. SUID(harmless_user) (Need to do as ROOT)

4. At this point, you are locked in the jail, have lost EUID/UID root, and have greatly restricted permissions.

I would be interested in comments on this.

Patrick Powell
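The four steps above, as an added C example that is not part of the original post: the privileged socket is bound while still root, the process is chrooted, and only then are groups and uid dropped. The jail path, the uid/gid 65534 and port 53 are assumptions; a chdir("/") after chroot and a setuid(0) re-check are added as the usual checks for this sequence.

```c
#define _DEFAULT_SOURCE   /* declares chroot() and setgroups() under glibc */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1 (as EUID root): open the UDP socket, set socket options, bind it.
 * Returns the descriptor or -1. Port 0 asks the kernel for an ephemeral
 * port, which needs no privilege and is handy for testing. */
int bind_udp_port(int port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);  /* while still root */
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Steps 2 and 3 (as root): chroot into the jail, then give up root.
 * Supplementary groups and gid go first, because setgroups/setgid
 * themselves need root. Returns 0 only if root cannot be regained. */
int lock_down(const char *jail, uid_t uid, gid_t gid) {
    if (chroot(jail) < 0 || chdir("/") < 0) return -1;   /* chdir: no cwd left outside the jail */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* Step 4: confirm the drop is real; regaining root must now fail. */
    if (setuid(0) == 0) return -1;
    return 0;
}

int main(void) {
    int fd = bind_udp_port(53);   /* privileged port: must happen before lock_down() */
    if (fd < 0) { perror("bind"); return 1; }
    if (lock_down("/var/named-jail", 65534, 65534) < 0) { perror("lock_down"); return 1; }
    /* the server loop would run here, holding only fd and the jail */
    printf("serving from the jail as uid %d\n", (int)getuid());
    close(fd);
    return 0;
}
```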