daemon warning

Reindl Harald h.reindl at thelounge.net
Tue Jul 1 15:51:31 UTC 2014


On 01.07.2014 17:46, Matus UHLAR - fantomas wrote:
>> You need to start named as root for it to be able to chroot. (Unless
>> Solaris has some cunning fine-grained privilege feature I don't know
>> about.)
> 
> On 01.07.14 15:18, Stewart, Larry C Sr CTR DISA JITC (US) wrote:
>> Ok so that was not a good troubleshooting technique, was trying to
>> determine what did not have the correct permissions and thus causing the
>> warning.  I guess I will go ahead and run it the way I have been for the
>> last 5 years, unless I find it is causing me problems.
> 
> For now we have to trust BIND it will properly bind(), chroot() and drop
> privileges...
> 
> does anyone know if there's a way to leave these (dropping privileges) to
> other programs, so BIND and similar apps won't have to implement this on
> their own? ... on Linux or other OSes?
>  
> (taking care about security of a small program should be easier)

in theory http://www.freedesktop.org/software/systemd/man/systemd.socket.html

that way systemd opens the socket before the daemon is started,
which could happen even on-demand, and so the systemd unit could
start the service process from the beginning with a low-privileged
user - *but* not sure how to deal with chroot in that context

however, we restrict most services like below, giving them only
needed capabilities and make /etc and /usr read-only which
greatly improves security

PrivateTmp=true
TimeoutSec=25
Restart=always
RestartSec=1
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=/boot
InaccessibleDirectories=/home
InaccessibleDirectories=/root
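The receiving side of the socket activation Harald points to, as an added example that is not part of the original thread and not BIND's or systemd's own code: it follows the sd_listen_fds(3) convention (LISTEN_PID, LISTEN_FDS, descriptors from fd 3) so the daemon, already started as an unprivileged User=, never has to bind() a privileged port itself; the fallback port 8053 is a constructed value.

```python
"""Adopt listening sockets handed over by systemd socket activation.

Under a .socket unit systemd opens the socket as root, then starts the
service (already as the User= of the unit) and passes the descriptors as
fds 3, 4, ... with LISTEN_PID and LISTEN_FDS set in the environment.
The daemon therefore needs neither root nor CAP_NET_BIND_SERVICE.
"""
import os
import socket

SD_LISTEN_FDS_START = 3  # first inherited descriptor, per sd_listen_fds(3)


def listen_fds(environ, own_pid):
    """Return the inherited listening fds, or [] when none apply to us.

    LISTEN_PID must name *this* process: a child that was exec'ed by the
    activated service would otherwise mistake the stale variables for its
    own sockets.  Malformed or missing values also yield [] so the caller
    falls back to binding on its own instead of using a random fd.
    """
    try:
        if int(environ.get("LISTEN_PID", "")) != own_pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    if count <= 0:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def open_listener(environ=os.environ, fallback=("127.0.0.1", 8053)):
    """Use the systemd-provided socket if present, else bind a fallback.

    The fallback address is a constructed example (an unprivileged port,
    not the real DNS port 53) for running outside systemd.
    """
    fds = listen_fds(environ, os.getpid())
    if fds:
        # family/type are recovered from the fd itself (Python >= 3.7)
        return socket.socket(fileno=fds[0])
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(fallback)
    return sock


if __name__ == "__main__":
    listener = open_listener()
    print("listening on", listener.getsockname(), "as uid", os.getuid())
```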

