[KLUG Members] DNS question
Peter Buxton
members@kalamazoolinux.org
Sat, 2 Feb 2002 20:26:11 -0500
On Sun, Jan 20, 2002 at 04:19:01PM -0500, Adam Williams was only
escaped alone to tell thee:
> BIND, as default, no longer runs as root so I think some of the early
> horror stories would be much harder to duplicate. But I'd wager DOS is
> still possible.
I'm interested in djbdns, but would have to read the docs and all -- no
huge problem, just an afternoon's work I haven't put aside yet. Debian
doesn't have djbdns_x.x.x.deb, sadly. And why compile a more secure
named if I don't read the docs and install it correctly and securely?
Debian's BIND ends up running as root, weirdly. For those at home, make
the following changes:
/etc/passwd: named:x:107:107:bind daemon:/:/bin/sh
/etc/group: named:x:107:
/etc/shadow: named:!:11677:0:99999:7:::
/etc/init.d/bind:
    case "$1" in
        start)
            echo -n "Starting domain name service: named"
            start-stop-daemon --start --quiet \
                --pidfile /var/run/named.pid --exec /usr/sbin/named -- -u named
That last, solo '--' makes sure that '-u named' gets passed to bind.
This isn't incredibly secure, just WAY more secure than the default.
--
i'm determined to stand, whether god
will deliver me or not. -- bob dylan
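
Added example, not part of the original post: a shell check that the init script really hands `-u USER` to named after the solo `--`, and that no running named is still owned by root. The function names are made up for illustration, and the `ps` input format (`user pid comm`) is an assumption.

```shell
#!/bin/sh
# Added example: audit the "-u named" change. Function names are illustrative.

# Read an init script on stdin. Print the user handed to named with "-u USER"
# after the solo "--" on the start-stop-daemon command line; return 1 if none
# is found (named would stay root). A "-u" before the "--" is not counted: it
# would be parsed by start-stop-daemon itself and never reach named.
named_user_from_init() {
    awk '
        { cmd = cmd $0 }
        cmd ~ /\\$/ { sub(/\\$/, " ", cmd); next }  # join continuation lines
        {
            n = split(cmd, w, /[ \t]+/); cmd = ""
            ssd = 0; daemon = 0; sep = 0; user = ""
            for (i = 1; i <= n; i++) {
                if (w[i] == "start-stop-daemon") ssd = 1
                else if (w[i] == "--" && !sep) sep = 1
                else if (!sep && w[i] ~ /\/named$/) daemon = 1
                else if (sep && w[i] == "-u" && i < n) user = w[i + 1]
            }
            if (ssd && daemon && user != "") { print user; found = 1; exit }
        }
        END { exit !found }
    '
}

# Read "ps -eo user=,pid=,comm=" output on stdin; print PIDs of named
# processes still owned by root (name or numeric uid 0).
root_named_pids() {
    awk '($1 == "root" || $1 == "0") && $3 == "named" { print $2 }'
}
```

Typical use is `named_user_from_init < /etc/init.d/bind` and `ps -eo user=,pid=,comm= | root_named_pids`; empty output from the second means no named process is running as root.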