[KLUG Members] DNS question

Peter Buxton members@kalamazoolinux.org
Sat, 2 Feb 2002 20:26:11 -0500


On Sun, Jan 20, 2002 at 04:19:01PM -0500, Adam Williams was only 
   escaped alone to tell thee:
   
> BIND, as default, no longer runs as root so I think some of the early
> horror stories would be much harder to duplicate.  But I'd wager DOS is
> still possible.

I'm interested in djbdns, but would have to read the docs and all -- no
huge problem, just an afternoon's work I haven't put aside yet. Debian
doesn't have djbdns_x.x.x.deb, sadly. And why compile a more secure
named if I don't read the docs and install it correctly and securely?

Debian's BIND ends up running as root, weirdly. For those at home, make
the following changes:

/etc/passwd: named:x:107:107:bind daemon:/:/bin/sh

/etc/group:  named:x:107:

/etc/shadow: named:!:11677:0:99999:7:::

/etc/init.d/bind:

case "$1" in
   start)
     echo -n "Starting domain name service: named"
     start-stop-daemon --start --quiet \
        --pidfile /var/run/named.pid --exec /usr/sbin/named -- -u named
     ;;

that last, solo '--' makes sure that '-u named' gets passed to bind.

This isn't incredibly secure, just WAY more secure than the default.

-- 
i'm determined to stand, whether god
will deliver me or not. -- bob dylan
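As an added example (not part of Peter's message or of Debian's bind package), here is a small POSIX shell check a defender can run after making the change above, to confirm that every running named process actually has the unprivileged user rather than root. It reads `ps -eo user,pid,args` style output; the sample output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: verify that no 'named' process runs as root.
#
# named_runs_unprivileged USER [PS_OUTPUT]
#   Reads 'ps -eo user,pid,args' style output from PS_OUTPUT (or stdin when
#   the second argument is absent) and returns 0 if every named process runs
#   as USER, 1 otherwise. Offending processes are listed on stdout.
named_runs_unprivileged() {
    want="$1"
    input="${2:-$(cat)}"
    printf '%s\n' "$input" | awk -v want="$want" '
        # skip the header line; field 3 is the executable path
        NR > 1 && $3 ~ /(^|\/)named$/ {
            if ($1 != want) {
                printf "named pid %s runs as %s (expected %s)\n", $2, $1, want
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample: the Debian default, where named was started as root.
SAMPLE_ROOT='USER       PID ARGS
root         1 init
root       412 /usr/sbin/named
root       413 /usr/sbin/named'

# Constructed sample: after the init script passes "-- -u named".
SAMPLE_OK='USER       PID ARGS
root         1 init
named      412 /usr/sbin/named -u named
named      413 /usr/sbin/named -u named'

# Live usage (assumes the "named" user from the post exists):
#   ps -eo user,pid,args | named_runs_unprivileged named || echo "FIX: named runs as root"
```

The awk program matches on the executable name in the args column, so it catches both `/usr/sbin/named` and a bare `named`, and it does not trust the `-u named` flag being present on the command line; it reports the user the kernel actually accounts the process to.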