Bind User - Group ?

Karl Pielorz kpielorz at tdx.co.uk
Mon Apr 3 13:22:23 UTC 2000



Matthew Thompson wrote:
> 
> I thought that this was generally frowned upon as most Unixes (Unixi?)
> require a daemon to run as root in order to have access to ports below 1024.
> 
> Or am I getting confused?
> 
> M at t :o)
> 
> > How can I let bind run as non-root? I have created a user and group named
> > "named" and now I start named with the -u -g command. All the files named
> > is using are owned by root. Is this ok or should I change it?

AFAIK it switches _after_ it's got the port it needs... We run it here fine
with named running as user 'bind', group 'bind'. You do have to be careful on
permissions for files (use common sense - i.e. zones have to be writeable by
named, configs may be safer if they're not, etc.)

This isn't a "true sandbox" we run it in here (i.e. chroot jail) so in theory
named could still be coerced into doing things (like reading files outside the
directory it was started in) - but it's probably / hopefully better than
keeping named running as root...

If you search around the net, there are a number of documents about setting
named up like this, and taking it further to create an entire chroot'd "jail"
for it to run in (which in theory it can't escape from)...

-Kp
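A small audit script for the permission rule Karl describes (zone files named must update are writable by the unprivileged named user or group, config files are not), added here as an example and not part of the original post or of BIND itself. It assumes the layout `named -u USER -g GROUP` with configs owned by root and group-owned by the named group (so 0640 lets named read but not write), and the directory names, file names and modes it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the list post): check file modes in a BIND tree
# that runs as an unprivileged user via `named -u USER -g GROUP`.
# Rule being checked: config files readable but not writable by named,
# zone files that named rewrites writable by named, nothing world-writable.

# Succeeds if FILE has the group-write or world-write bit set.
group_or_world_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Succeeds if FILE has the world-write bit set.
world_writable() {
    [ -n "$(find "$1" -prune -perm -002 -print)" ]
}

# Config file: assumed root:NAMEDGROUP, so it must not be group/world writable.
config_ok() {
    ! group_or_world_writable "$1"
}

# Zone file named writes to: owned by USER, or group-writable (group assumed
# to be the named group), and never world-writable.
zone_ok() {
    f=$1; user=$2
    world_writable "$f" && return 1
    [ -n "$(find "$f" -prune -user "$user" -print)" ] && return 0
    [ -n "$(find "$f" -prune -perm -020 -print)" ]
}

# Report each file on stderr; print the number of failures on stdout.
count_failures() {
    dir=$1; user=$2; fails=0
    for f in "$dir"/etc/*.conf; do
        [ -e "$f" ] || continue
        if config_ok "$f"; then echo "OK   config $f" >&2
        else echo "FAIL config $f is group/world writable" >&2; fails=$((fails+1)); fi
    done
    for f in "$dir"/dynamic/*.zone; do
        [ -e "$f" ] || continue
        if zone_ok "$f" "$user"; then echo "OK   zone   $f" >&2
        else echo "FAIL zone   $f not safely writable by $user" >&2; fails=$((fails+1)); fi
    done
    echo "$fails"
}

# Constructed demo tree in a temp dir (two good files, two bad); prints its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/dynamic"
    : > "$d/etc/named.conf";        chmod 640 "$d/etc/named.conf"        # good
    : > "$d/etc/rndc.conf";         chmod 666 "$d/etc/rndc.conf"         # bad: anyone can edit
    : > "$d/dynamic/example.zone";  chmod 660 "$d/dynamic/example.zone"  # good: group-writable
    : > "$d/dynamic/wideopen.zone"; chmod 666 "$d/dynamic/wideopen.zone" # bad: world-writable
    echo "$d"
}

# Stand-alone run: audit the demo tree as the current user, then clean up.
demo=$(make_demo_tree)
echo "failures: $(count_failures "$demo" "$(id -un)")"
rm -rf "$demo"
```

Against a real installation you would call `count_failures /etc/namedb bind` (or wherever the tree lives) with the user you pass to `-u`; the group-writable test stands in for "group is the named group", which the script does not verify itself.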
