daemon warning
Reindl Harald
h.reindl at thelounge.net
Tue Jul 1 15:51:31 UTC 2014
On 01.07.2014 17:46, Matus UHLAR - fantomas wrote:
>> You need to start named as root for it to be able to chroot. (Unless
>> Solaris has some cunning fine-grained privilege feature I don't know
>> about.)
>
> On 01.07.14 15:18, Stewart, Larry C Sr CTR DISA JITC (US) wrote:
>> Ok so that was not a good troubleshooting technique, was trying to
>> determine what did not have the correct permissions and thus causing the
>> warning. I guess I will go ahead and run it the way I have been for the
>> last 5 years, unless I find it is causing me problems.
>
> For now we have to trust BIND that it will properly bind(), chroot() and drop
> privileges...
>
> does anyone know if there's a way to leave these (dropping privileges) to
> other programs, so BIND and similar apps won't have to implement this on
> their own? ... on Linux or other OSes?
>
> (taking care about security of a small program should be easier)
In theory http://www.freedesktop.org/software/systemd/man/systemd.socket.html
That way systemd opens the socket before the daemon is started,
which could even happen on-demand, and so the systemd unit could
start the service process from the beginning as a low-privileged
user - *but* I am not sure how to deal with chroot in that context.
However, we restrict most services like below, giving them only the
needed capabilities and making /etc and /usr read-only, which
greatly improves security:
PrivateTmp=true
TimeoutSec=25
Restart=always
RestartSec=1
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=/boot
InaccessibleDirectories=/home
InaccessibleDirectories=/root
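As an added example (not from this post and not BIND's code) of the daemon side of the socket-activation approach described above: systemd binds the socket named in the .socket unit and hands it to the service as fd 3, with LISTEN_PID and LISTEN_FDS in the environment, so the service can run as an unprivileged User= from the start and needs no CAP_NET_BIND_SERVICE of its own. The unit names dnsd.socket/dnsd.service, the user dnsd and the chroot path in the comment are assumptions; the directives themselves (ListenDatagram=, ListenStream=, User=, RootDirectory=, CapabilityBoundingSet=) are real systemd.socket/systemd.exec options. RootDirectory= is one answer to the chroot question, with the caveat that the binary and every library it needs must exist inside that directory, because ExecStart= runs after the chroot(). The program deliberately avoids libsystemd and reimplements the small LISTEN_* check, including the LISTEN_PID comparison that stops a service from adopting fds meant for a parent process.

```c
/* Added example, not part of the mailing-list post and not BIND's code:
 * the daemon side of systemd socket activation, built without libsystemd.
 *
 * Assumed companion units (hypothetical names and paths):
 *
 *   # dnsd.socket
 *   [Socket]
 *   ListenDatagram=0.0.0.0:53
 *   ListenStream=0.0.0.0:53
 *
 *   # dnsd.service
 *   [Service]
 *   User=dnsd
 *   RootDirectory=/var/chroot/dnsd   # systemd performs the chroot()
 *   ExecStart=/usr/sbin/dnsd         # path inside the chroot
 *   CapabilityBoundingSet=           # nothing left to bind, so no caps
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define SD_LISTEN_FDS_START 3   /* first inherited fd, per sd_listen_fds(3) */
#define MAX_LISTEN_FDS 1024     /* arbitrary sanity cap (assumption) */

/* Number of fds passed by systemd: 0 if not socket-activated, or if the
 * variables were meant for a parent process (LISTEN_PID != our pid);
 * -1 on malformed input.  Pure function of its inputs so it is testable;
 * callers pass getenv("LISTEN_PID"), getenv("LISTEN_FDS") and getpid(). */
int listen_fds_for(const char *listen_pid, const char *listen_fds, pid_t self)
{
    char *end;
    long pid, n;

    if (!listen_pid || !listen_fds)
        return 0;
    errno = 0;
    pid = strtol(listen_pid, &end, 10);
    if (errno || *end != '\0' || pid <= 0)
        return -1;
    if ((pid_t)pid != self)     /* inherited from a parent, not for us */
        return 0;
    errno = 0;
    n = strtol(listen_fds, &end, 10);
    if (errno || *end != '\0' || n < 0 || n > MAX_LISTEN_FDS)
        return -1;
    return (int)n;
}

/* Check that an inherited fd really is a socket before serving on it
 * (a stray fd from the parent must be rejected, not trusted), and set
 * FD_CLOEXEC so it does not leak into child processes.
 * Returns the socket type (SOCK_STREAM / SOCK_DGRAM), or -1. */
int adopt_socket(int fd)
{
    int type, flags;
    socklen_t len = sizeof type;

    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) < 0)
        return -1;  /* ENOTSOCK for pipes, files, etc. */
    flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0)
        return -1;
    return type;
}

int main(void)
{
    int n = listen_fds_for(getenv("LISTEN_PID"), getenv("LISTEN_FDS"), getpid());

    /* sd_listen_fds() unsets the variables after reading them so that
     * children do not see them; do the same. */
    unsetenv("LISTEN_PID");
    unsetenv("LISTEN_FDS");

    if (n <= 0) {
        fprintf(stderr, "not socket-activated (LISTEN_FDS=%d); "
                        "binding :53 ourselves would need root\n", n);
        return 1;
    }
    for (int i = 0; i < n; i++) {
        int fd = SD_LISTEN_FDS_START + i;
        int type = adopt_socket(fd);
        if (type == SOCK_DGRAM || type == SOCK_STREAM)
            printf("fd %d: inherited %s socket, serving as uid %u\n", fd,
                   type == SOCK_DGRAM ? "UDP" : "TCP", (unsigned)getuid());
        else
            fprintf(stderr, "fd %d: not a socket, refusing to use it\n", fd);
    }
    return 0;
}
```

Run under the .socket unit the process never holds root and never calls bind() or chroot() itself; run by hand without the LISTEN_* variables it refuses to start rather than silently falling back to a privileged bind.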