Re: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind

From: Roman Shterenzon (roman@xpert.com)
Date: 01/31/01 

Date: Wed, 31 Jan 2001 23:55:18 +0200 (IST)
From: Roman Shterenzon <roman@xpert.com>
To: <freebsd-security@freebsd.org>

On Wed, 31 Jan 2001, FreeBSD Security Advisories wrote:

> =============================================================================
> FreeBSD-SA-01:18 Security Advisory
>
> Topic: BIND remotely exploitable buffer overflow
..snip..
>
> There is no known practical workaround to prevent the vulnerability
> from being exploited, short of upgrading the software. A partial
> workaround to limit the impact of the vulnerability should it be
> exploited is to run named as an unprivileged user.
>
> Add the following line to /etc/rc.conf:
>
> named_flags="-u bind -g bind" # Flags for named
>
> Add the following line to your /etc/namedb/named.conf file, in the
> "options" section:
>
> pid-file "/var/named/named.pid";
>
> See the named.conf(5) manual page for more details about configuring
> named.
>
> Perform the following commands as root:
>
> Create a directory writable by the bind user where named can store its
> pid file:
>
> # mkdir /var/named
> # chown bind:bind /var/named
>
> Use of the -t option to named will also increase security when run as
> a non-privileged user by confining the named process to a chroot
> environment and thereby partially limiting the access it has to the
> rest of the system. Configuration of these options is beyond the
> scope of the advisory. The following website contains information
> which may be useful to administrators wishing to perform this step:
>
> http://www.losurs.org/docs/howto/Chroot-BIND.html
>

Why not make it default in the base system?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message