Firewall Wizards mailing list archives

DNS, SUID, Chroot


From: papowell () astart com
Date: Mon, 13 Oct 1997 08:13:45 -0700 (PDT)

From adam () homeport org Sun Oct 12 11:16:15 1997
From: Adam Shostack <adam () homeport org>
Subject: Re: DNS on the Firewall - security problem
To: ahuger () silence secnet com
Date: Sun, 12 Oct 1997 01:41:38 -0400 (EDT)
Cc: firewall-wizards () nfr net,
        firewalls () GreatCircle COM (Firewalls mailing list)

Alfred is absolutely right.  I forgot how little what I first wrote
references this; I've added a paragraph to make more clear that this
is not a real fix, but a temporary hack.

I'm working on a paper on the topic of DNS, and working on some kernel
hacks to allow a special user or group (other than root) to bind to
low numbered ports.  Another way to deal with the problem is to use a
packet filter that does port translation so that the DNS server can
live on a high numbered port (eg, 5353), and still appear to be on
port 53.  Both these allow you to run the DNS server as an unprivileged
user in a chroot jail.


I have run into the same problem with the need for SUID and privileges
for ports.  I have been using the following technique - your mileage may
vary on this.

1. (Need to do as EUID ROOT) Open socket, bind to port, and do
   set sockopts.  You need to do this for any socket that will
   be bound to a privileged port.

   (Note: some systems require that sockets opened as root
    must be modified by the process EUID ROOT, and bind/setsockopts
    seem to fall into this category)

2. (Need to do as ROOT on some systems)
   do CHROOT to the jail area.

3. SUID(harmless_user) (Need to do as ROOT)

4. At this point,  you are locked in the jail,  have lost EUID/UID root,
   and have greatly restricted permissions.

I would be interested in comments on this.

Patrick Powell
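
The four steps from the message above, written out in C as an added example (not part of the original post and not either author's code). The port, the jail path /var/jail/dns and uid/gid 65534 are constructed sample values; the chdir("/"), the setgroups/setgid calls and the final setuid(0) check go beyond the listed steps and are the usual hardening around chroot and setuid.

```c
#define _DEFAULT_SOURCE 1        /* chroot() and setgroups() on glibc */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1: open, configure and bind the socket while still EUID root. */
int bind_udp(unsigned short port)
{
    int on = 1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in sa;
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Steps 2-4: enter the jail, then give up root for good.
 * Returns 0 on success, or a negative code naming the step that failed. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;           /* target must not be root */
    if (chroot(jail) != 0 || chdir("/") != 0) return -2;  /* step 2; cwd must be inside */
    if (setgroups(1, &gid) != 0) return -3;        /* shed root's supplementary groups */
    if (setgid(gid) != 0) return -4;               /* group before user: needs root */
    if (setuid(uid) != 0) return -5;               /* step 3: real, effective, saved uid */
    if (setuid(0) == 0) return -6;                 /* step 4: regaining root must fail */
    return 0;
}

int main(void)
{
    int fd = bind_udp(53);                         /* privileged port, needs root */
    if (fd < 0) return 1;
    /* "/var/jail/dns" and 65534 are constructed sample values. */
    if (drop_privileges("/var/jail/dns", 65534, 65534) != 0) return 2;
    /* ... serve requests on fd as the unprivileged, jailed user ... */
    close(fd);
    return 0;
}
```

Every return value is checked because a failed chroot or setuid that goes unnoticed leaves the server running as root outside the jail.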


