[Gllug] named
William Palfreman
william at palfreman.com
Fri Jan 25 04:14:19 UTC 2002
On Wed, 23 Jan 2002, will wrote:
> E. R. Vaughan wrote:
>
> > Could you post your /etc/sudoers and /etc/named.conf?
>
>
> I could, but I have solved it! I needed to setuid root on
> /usr/sbin/named. named was unable to open a service on a port < 1024
> without it.
Nononononono! The canonical way to run bind is to have root execute the
following command:
/usr/sbin/named -u binduser -g bindgroup
Make user binduser's login shell /bin/false and make /var/named the only
thing usable by binduser & bindgroup.
You don't want named to be running as root because it is wildly insecure
and gets exploited very frequently. Obviously this doesn't matter on your
own box behind a masquerading firewall on your own private network, but
pretty well anywhere else you really don't want to run it as root. If you
specify a -u user and -g group for named it will start, start
listening on UDP port 53, and drop down to the user & group specified.
The other big thing you have to watch for is whatever the correct
production version to use from the ISC is. Last time I administered a
production nameserver Bind 9.1.3 was the latest version, but it was so
unreliable that real people used 8.x.y (the latest one). Bind 9 may have
improved in the last 6 months. See what other people are using now.
Regards
Bill.
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
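The start-as-root, bind port 53, then drop to an unprivileged user sequence described above, as an added C example (not code from the thread or from BIND itself). The names binduser and bindgroup are the ones from the post; the explicit "can we regain root?" check and the skip-when-not-root fallback are my own assumptions about how such a helper should behave.

```c
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a UDP socket bound to the given port on all interfaces.
   Ports below 1024 need root (or CAP_NET_BIND_SERVICE on modern Linux),
   which is why this must happen before privileges are dropped.
   Returns the descriptor, or -1 on failure. */
int bind_udp_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); return -1; }
    return fd;
}

/* Permanently drop from root to uid/gid. Order matters: supplementary
   groups, then gid, then uid, because once the uid is unprivileged the
   group calls would be refused. Returns 0 on success, -1 on any failure.
   Assumption: if we are not root there is nothing to drop, so succeed. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;
    if (setgroups(0, NULL) != 0) return -1;   /* shed root's extra groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;            /* the drop must be irreversible */
    return 0;
}

int main(int argc, char **argv) {
    const char *user  = argc > 1 ? argv[1] : "binduser";   /* from the post */
    const char *group = argc > 2 ? argv[2] : "bindgroup";
    struct passwd *pw = getpwnam(user);
    struct group  *gr = getgrnam(group);
    if (!pw || !gr) { fprintf(stderr, "unknown user or group\n"); return 1; }
    int fd = bind_udp_port(53);                /* still root here */
    if (fd < 0) { perror("bind UDP 53"); return 1; }
    if (drop_privileges(pw->pw_uid, gr->gr_gid) != 0) { perror("drop"); return 1; }
    printf("UDP 53 open, now uid %u gid %u\n", (unsigned)getuid(), (unsigned)getgid());
    close(fd);
    return 0;
}
```

Run it as root with the user and group you created for named; the port is opened first and the process ends up unable to get root back.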