chroot jail question..
Mark Andrews
Mark_Andrews at isc.org
Tue Aug 16 23:23:19 UTC 2005
> blrmaani wrote:
>
> >I was under the impression that UNIX processes started
> >as a root process can access ports up to 10XX.
> >
> Superuser processes can access all ports.
>
> >When I ran BIND
> >in chroot jail
> >
> Chroot has no bearing on this.
>
> >( user=named, group=named), the named process can
> >still access default port=53 and default control port=953.
> >
> 53 = DNS (Internet protocol)
> 953 = rndc (proprietary BIND protocol)
>
> >How does this work?
> >
> It bound to those ports before it dropped its superuser privileges. Note
> that it cannot bind to any *new* address/port combinations, which could
> be a problem if you have interfaces appearing dynamically.
Unless you are running Linux, where named preserves the ability
to bind to reserved ports (see capabilities), or you have one
of the OSs which support some sort of port-based ACL and have
configured the ACL appropriately.
Mark
> - Kevin
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
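The bind-before-dropping-root sequence that the thread describes, as an added example that is not part of this thread or of BIND. It binds one reserved port while still root, switches to an unprivileged user, shows that the early socket still receives traffic, and then shows that binding a *new* reserved port now fails with EACCES. It assumes Linux (or another Unix without port ACLs), a "nobody" account, loopback available, and that the process does not keep CAP_NET_BIND_SERVICE across setuid, which is what Mark's Linux exception changes; the sysctl read is a Linux-only detail that can lower the reserved-port boundary.

```python
import errno
import os
import pwd
import socket


def unprivileged_port_start():
    """Lowest port a non-root process may bind (Linux sysctl; assume 1024 elsewhere)."""
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
            return int(f.read())
    except OSError:
        return 1024


def try_bind(port, host="127.0.0.1"):
    """Bind a UDP socket; return (socket, None) on success or (None, errno name)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return s, None
    except OSError as e:
        s.close()
        return None, errno.errorcode.get(e.errno, str(e.errno))


def drop_privileges(user="nobody"):
    """Switch to an unprivileged uid/gid, as named does after its early binds."""
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def bind_then_drop(early_port=53, late_port=953, user="nobody"):
    """Bind one reserved port, drop root, then try to bind a second reserved port."""
    started_as_root = os.geteuid() == 0
    early_sock, early_err = try_bind(early_port)
    if started_as_root:
        drop_privileges(user)
    echo_ok = False
    if early_sock is not None:  # the pre-drop socket keeps working without root
        early_sock.settimeout(2)
        client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        client.sendto(b"ping", early_sock.getsockname())
        echo_ok = early_sock.recvfrom(16)[0] == b"ping"
        client.close()
        early_sock.close()
    late_sock, late_err = try_bind(late_port)  # a *new* reserved port: EACCES
    if late_sock is not None:
        late_sock.close()
    return {"started_as_root": started_as_root, "euid_after": os.geteuid(),
            "early_error": early_err, "echo_ok": echo_ok, "late_error": late_err}
```

Run it as root to see the early bind succeed and the late one fail; run it unprivileged and both fail, which is why named does its binds before setuid.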