Running the Name Server as a User Other than Root

7.9.1 Problem

You want to run a name server as a user other than root, so a hacker successfully breaking in through the named process doesn't have access to the host as root.

7.9.2 Solution

Add a passwd file entry for a new user; the only function of this file is to run the name server. Call this user something descriptive, such as bind or named. A passwd entry for a bind user might look like this:

bind:*:53:53:BIND name server:/:/bin/nologin

Optionally, add a group file entry for a new group, which this new user and any other users who are authorized to edit zone data file will belong to.

Adjust the ownership and permission of files and directories to make sure that this user (and group, if you created one) can:

  • Read, write and execute (search) named's working directory
  • Read and write all zone data files
  • Write to the /var/run directory (unless you've used the pid-file options substatement to change the PID file's path)

Once you've modified the environment as needed, start named with the -u command-line option, specifying as the option's argument the name or user ID of the user to run as. The first time you do it, check named's syslog output for any startup errors caused by permission problems. Once named starts cleanly, add the -u option to your system's startup scripts.

7.9.3 Discussion

Note that, as long as named is configured to listen on port 53, the default port, it must be started by root, since port 53 is a privileged port. The -u option simply tells it to give up root privilege as soon as it's done what it needs to do as root.

As Section 7.8 says, name servers that run in a chroot( ) environment normally run as a non-root user, too, to prevent hackers from escaping the chroot( ) jail.

BIND 8 name servers also support a -g command-line option to set the name server's group ID. If -g isn't specified, the name server changes group to the primary group of the user specified in the -u option. BIND 9 name servers don't support -g, and always change group to the primary group of the user named in -u.

On a BIND 8 name server, you may also need to change the group membership and permissions of the ndc Unix domain socket in order to allow users in the bind group to write to it.

7.9.4 See Also

Section 1.21 for editing startup scripts, Section 7.8 for running a name server in a chroot( ) environment, and "Running BIND with Least Privilege" in Chapter 11 of DNS and BIND.

Getting Started

Zone Data

BIND Name Server Configuration

Electronic Mail

BIND Name Server Operations

Delegation and Registration

Security

Interoperability and Upgrading

Resolvers and Programming

Logging and Troubleshooting

IPv6



DNS & BIND Cookbook
DNS & BIND Cookbook
ISBN: 0596004109
EAN: 2147483647
Year: 2005
Pages: 220
Authors: Cricket Liu

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net