Enable systemd hardening options for named
Tony Finch
dot at dotat.at
Mon Jan 15 18:15:42 UTC 2018
Ludovic Gasc <gmludo at gmail.com> wrote:
>
> 1. The list of minimal capabilities needed for bind to run correctly:
> http://man7.org/linux/man-pages/man7/capabilities.7.html
named already drops capabilities - have a look at the code around here:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/unix/os.c;hb=v9_11_2#l234
Note that it's a bit clever - the privileges are dropped in two stages,
right at the start, and after the server has been configured.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Southeast Iceland: Westerly 6 to gale 8, veering northwesterly 4 or 5 later,
occasionally severe gale 9 at first in south. Very rough in north, otherwise
high, occasionally very high in far south. Snow showers. Good occasionally
poor.
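
Added example (not part of the message above and not BIND code): a small checker that decodes the capability masks in the text of /proc/<pid>/status and compares them with the list given to a systemd unit's CapabilityBoundingSet=. The status text and the unit's capability list below are constructed sample values, not measurements of named.

```python
import re

# Bit numbers 0..40 in the order defined by linux/capability.h.
CAP_NAMES = ["CAP_" + n for n in """
CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP
LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN
SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE
AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND
AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE""".split()]

# Constructed sample: a daemon left with only two capabilities after start-up.
SAMPLE_STATUS = ("Name:\tnamed\n"
                 "CapInh:\t0000000000000000\n"
                 "CapPrm:\t0000000001000400\n"
                 "CapEff:\t0000000001000400\n"
                 "CapBnd:\t000001ffffffffff\n"
                 "CapAmb:\t0000000000000000\n")
# Hypothetical CapabilityBoundingSet= value from a unit file under review.
SAMPLE_UNIT_CAPS = ("CAP_NET_BIND_SERVICE CAP_SYS_RESOURCE "
                    "CAP_SETUID CAP_SETGID CAP_SYS_CHROOT")

def parse_status(text):
    """Return {'CapPrm': int, ...} for every Cap* line in the status text."""
    pat = re.compile(r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)[ \t]*$", re.M)
    return {name: int(mask, 16) for name, mask in pat.findall(text)}

def decode(mask):
    """Turn a capability bitmask into a list of CAP_* names."""
    names = [n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]
    extra = mask >> len(CAP_NAMES) << len(CAP_NAMES)
    if extra:  # bits newer than this table knows about
        names.append("UNKNOWN_0x%x" % extra)
    return names

def audit(status_text, unit_caps):
    """Compare capabilities the process holds with the unit's bounding set."""
    sets = parse_status(status_text)
    held = set(decode(sets["CapPrm"] | sets["CapEff"]))
    allowed = set(unit_caps.split())
    return {"held": sorted(held),
            # held by the process but not permitted by the unit
            "missing_from_unit": sorted(held - allowed),
            # permitted but not held now; may only be needed during start-up
            "unused_in_unit": sorted(allowed - held)}

if __name__ == "__main__":
    print(audit(SAMPLE_STATUS, SAMPLE_UNIT_CAPS))
```

The snapshot is taken after the process has finished dropping privileges, so a capability reported under unused_in_unit may still be required earlier in start-up; restart the service under the tightened unit before relying on the result.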
More information about the bind-users
mailing list