I've just set up BIND 9.2.4 on my FreeBSD box. The BIND service is currently running as root. Is that okay? I looked into running it in a "sandbox" (read the FreeBSD handbook), but when I tried it I ended up with the old version running (version 8, that is, the one installed with the OS).
My main question is: is it a problem running BIND as root? What does the Roller Network do?
Thanks
BIND question
Historically, BIND has had security issues which prompt installations as a non-root user. The BIND 9 series is a rewrite with much better security than its predecessors, but its reputation remains. That said, it's never a bad idea to run major services like DNS in a sandbox or jail to limit the impact of an exploited service. It's still possible for someone to break out of one, it's just a bit harder. Running as a non-root user but not creating a jail/sandbox is a quick fix that might only require some file permission changes (named -n).
Right now the Roller Network is running BIND as a non-root user, but not within a jail or sandbox. The daemon process that listens for updates also runs as the same user, and since it's Perl it has taint checking enabled. Since BIND has a reputation as being insecure, my feeling is that people will still try to exploit it, regardless of version. So it's probably a good idea to avoid running it as root.
Technical Support support@rollernet.us
Roller Network LLC
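A quick way to verify the advice above on a running host is to check which user each `named` process actually runs as. The following is an added example, not code from the thread or from Roller Network: a small POSIX sh/awk audit that reads `ps -axo user,pid,command` output and fails if any `named` process is owned by root. The two sample `ps` listings are constructed for illustration (the `update-listener.pl` path and the `-u bind -t /var/named` start-up flags are assumptions, not taken from the original posts).

```shell
#!/bin/sh
# Added example (not from the original thread): flag any process of a given
# daemon that runs as root, based on `ps -axo user,pid,command` output on stdin.
#
# Usage on a live FreeBSD host:
#   ps -axo user,pid,command | check_not_root named
# Exit status: 0 = all instances non-root, 1 = at least one runs as root,
#              2 = daemon not running at all.
check_not_root() {
  cmd="$1"
  awk -v cmd="$cmd" '
    # $1 = user, $2 = pid, $3 = executable path; match on the basename only
    $3 ~ ("(^|/)" cmd "$") {
      found = 1
      if ($1 == "root") {
        bad = 1
        printf("%s pid %s runs as root\n", cmd, $2)
      }
    }
    END {
      if (!found) { print cmd " is not running"; exit 2 }
      exit bad ? 1 : 0
    }'
}

# Constructed sample output (not real): named started as root, no -u flag.
SAMPLE_ROOT='USER   PID COMMAND
root     1 /sbin/init --
root   412 /usr/sbin/named -c /etc/namedb/named.conf
bind   413 /usr/bin/perl /usr/local/bin/update-listener.pl'

# Constructed sample output (not real): named dropped to user "bind" and
# chrooted with -t (assumed flags, standard for BIND 9's named).
SAMPLE_OK='USER   PID COMMAND
root     1 /sbin/init --
bind   412 /usr/sbin/named -u bind -t /var/named -c /etc/namedb/named.conf
bind   413 /usr/bin/perl /usr/local/bin/update-listener.pl'

# Stand-alone demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_ROOT" | check_not_root named && echo "root sample: ok" || echo "root sample: FAIL (status $?)"
printf '%s\n' "$SAMPLE_OK"   | check_not_root named && echo "non-root sample: ok" || echo "non-root sample: FAIL (status $?)"
```

Run it periodically (or from a cron job) after upgrades: a package or ports update that reinstalls an rc script can silently put the daemon back to running as root, which is exactly what the original poster hit when the OS-supplied BIND 8 came back.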
Thanks for the reply. You know what you're talking about.
After a bit of reading I got bind working in a sandbox.
I used the information here:
http://www.freebsd.org/doc/en_US.ISO885 ... ED-SANDBOX
I needed to modify it a bit, as I compiled my own version of BIND 9 (and didn't use the version installed with FreeBSD).
So hopefully it should be all happy now.
If only I had a static IP address, then I really could host my own DNS :p