is it safe to chmod +s named?
Jeff Pang
jeff.pang at yahoo.com
Wed Oct 29 10:27:24 UTC 2008
Thanks all.
Will try sudo on it.
--- On Wed, 10/29/08, Adam Tkac <atkac at redhat.com> wrote:
> From: Adam Tkac <atkac at redhat.com>
> Subject: Re: is it safe to chmod +s named?
> To: "Mark Andrews" <Mark_Andrews at isc.org>
> Cc: bind-users at isc.org
> Date: Wednesday, October 29, 2008, 7:15 AM
> On Wed, Oct 29, 2008 at 01:15:58PM +1100, Mark Andrews wrote:
> >
> > In message <611607.56975.qm at web45312.mail.sp1.yahoo.com>, Jeff Pang writes:
> > > Hello,
> > >
> > > I need to let apache start/stop named.
> > > I set: chmod +s named, so httpd (run with nobody) can stop/start it.
> > > Is it safe for this behavior? Thanks.
> >
> > In general, no. Named is not designed to be run suid root.
> > An ordinary user can do all sorts of damage with named.
> >
> > I would suggest that you create a wrapper which then exec's
> > named with arguments that you deem safe. This wrapper can
> > be suid root.
> >
>
> I think this wrapper already exists and is called "sudo". I think the best
> solution is to allow the apache user to run the named binary so it can be
> started with "sudo named ...". Using the SUID bit looks like a bad solution
> to me, as Mark wrote.
>
> Adam
>
> --
> Adam Tkac, Red Hat, Inc.
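
The wrapper approach suggested in the thread, as an added example that is not code from the thread or from ISC: a setuid-root helper that accepts only `start` or `stop` and execs a fixed command line with a fixed environment, so the calling user never controls named's arguments. The install paths, the `named` user, the config path and the helper name `named-ctl` are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed install paths; adjust to the local system. */
#define NAMED_PATH "/usr/sbin/named"
#define RNDC_PATH  "/usr/sbin/rndc"

/* Fixed command lines: nothing supplied by the caller is ever passed on. */
static char *const start_argv[] = { "named", "-u", "named", "-c", "/etc/named.conf", NULL };
static char *const stop_argv[]  = { "rndc", "stop", NULL };
/* Fixed environment: the caller's variables (LD_*, PATH, ...) are discarded. */
static char *const safe_env[]   = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Map the single allowed argument to a fixed command; NULL means refuse. */
static char *const *select_command(int argc, char *const argv[], const char **path)
{
    if (argc != 2 || argv[1] == NULL)
        return NULL;                       /* no extra arguments accepted */
    if (strcmp(argv[1], "start") == 0) { *path = NAMED_PATH; return start_argv; }
    if (strcmp(argv[1], "stop") == 0)  { *path = RNDC_PATH;  return stop_argv; }
    return NULL;                           /* anything else, e.g. "-c", is refused */
}

int main(int argc, char *argv[])
{
    const char *path = NULL;
    char *const *cmd = select_command(argc, argv, &path);
    if (cmd == NULL) {
        fprintf(stderr, "usage: named-ctl start|stop\n");
        return 2;
    }
    /* Set real and effective ids to root so named can bind port 53
       and then drop to the -u user itself. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    execve(path, cmd, safe_env);           /* absolute path, no PATH lookup */
    perror("execve");
    return 1;
}
```

With sudo, the same restriction comes from listing the full command line in the sudoers entry, since an entry that names only the binary permits any arguments.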