
RE: [cobalt-security] profile of a bind worm



On Tue, 12 Jun 2001, Jabie Gray wrote:

> My named is running as root too.
> I see two instances of the daemon function in the /etc/rc.d/init.d/named
> script. One is for start, the other is for hard restart.
> Do I need to change both of them to use -u & -g options?

Of course. Otherwise one of them will load as u/g named, while the other
as root.

> Do I need to create the user and group of named?

If they don't already exist, yes.

lines as follows:

/etc/passwd:
named:x:25:25:named nonpriviliged account:/etc/named:/bin/false

/etc/group:
named:x:25: 

> Thanks,
> Jabie
> mailto:apollo@xxxxxxxxxx
> 
> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Kevin D
> Sent: Monday, June 11, 2001 8:30 AM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-security] profile of a bind worm
> 
> 
> From: "Robson Martins" <robson@xxxxxxxxxxxxx>
> 
> > Hey all, I have bind-8.2.3 running here. My question is: when I run it
> > with start, it is the user named, but if I restart, it gets the root
> > username. Is it a problem? Can I receive a worm with this problem? Does
> > named always need to run as named? Is restart really affecting the username?
> 
> How are you restarting? Your /etc/rc.d/init.d/named script should have this
> in the start section:
> 
> daemon named -u named -g named
> 
> Which should start bind as user named if you do this:
> 
> /etc/rc.d/init.d/named stop
> /etc/rc.d/init.d/named start
> 
> Bind running as root is a problem, but less of a problem if you have ver
> 8.2.3. If a new bind vulnerability is discovered for ver 8.2.3, a hacker
> could easily gain root access to your box. What saved me from the worst
> effects of a bind worm was bind running as named instead of root.
> 
> Kevin
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
> 
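
A check for the situation discussed in this thread, as an added example that is not part of the original messages: it lists every `daemon named` call in an init script that lacks `-u` or `-g`, and confirms that the named user and group exist. The function names (`audit_named_init`, `named_account_exists`, `make_sample`) are hypothetical and the sample init script is constructed for the demonstration.

```shell
#!/bin/sh
# Added example; function names and the sample script are assumptions.

# Print "<lineno>:<line>" for each "daemon named" call missing -u or -g.
# Returns 0 when every call drops privileges, 1 otherwise.
audit_named_init() {
    awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        /daemon[ \t]+named([ \t]|$)/ {
            # an option counts only when a value follows it
            has_u = ($0 ~ /[ \t]-u[ \t]*[^ \t-]/)
            has_g = ($0 ~ /[ \t]-g[ \t]*[^ \t-]/)
            if (!has_u || !has_g) { printf "%d:%s\n", NR, $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Succeeds only if "named" is present in both the passwd and group file.
named_account_exists() {
    grep -q '^named:' "$1" && grep -q '^named:' "$2"
}

# Constructed sample: start drops privileges, restart does not.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
case "$1" in
  start)
    daemon named -u named -g named
    ;;
  restart)
    killproc named
    daemon named
    ;;
esac
EOF
}

tmp=$(mktemp)
make_sample "$tmp"
if ! audit_named_init "$tmp"; then
    echo "the lines above would start named as root" >&2
fi
rm -f "$tmp"
```

On a real system, pass `/etc/rc.d/init.d/named` to `audit_named_init` and `/etc/passwd` and `/etc/group` to `named_account_exists`.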