The named process is started by root and thus inherits root's privileges, which were traditionally needed to access the DNS communication channel (port 53). BIND administrators know that the named command accepts a -u username option, which causes the process to switch user attributes after opening privileged interfaces. The idea is that, should the service be compromised, the effective user is not all-powerful.

In the Solaris 10 Operating Environment the process privilege model, privileges(5), allows for more fine-grained control. Coupled with the Service Management Facility, smf(5), services may inherit fewer privileges and alternative user and group identities at start-up. Therefore, under the Solaris 10 OE, named may be configured at start to run with an alternative user identity, making the -u option superfluous.

To have the BIND server named start with an alternative user identity and group under the Solaris 10 OE complete the following steps:

1. Add the user to the solaris.smf.manage.bind role

# usermod -A solaris.smf.manage.bind dnsadmin
# tail -1 /etc/user_attr
dnsadmin::::type=normal;auths=solaris.smf.manage.bind
#

Without this role the server, named, will be unable to manage its SMF FMRI, and named will automatically be restarted by SMF after an rndc stop or halt command, as indicated by the syslog message "error: smf_disable_instance() failed for svc:/network/dns/server:default : insufficient privileges for action".

2. Modify the service properties

# svccfg
svc:> select svc:/network/dns/server:default
svc:/network/dns/server:default> setprop start/user = dnsadmin
svc:/network/dns/server:default> setprop start/group = dnsadmin
svc:/network/dns/server:default> exit
# svcadm refresh svc:/network/dns/server:default
# svcadm restart svc:/network/dns/server:default

3. Specify an alternative location for the pid-file

As only root has write access to create the default pid-file, /var/run/named.pid, named must be configured to use an alternative path. For example:

# mkdir /var/named/tmp
# chown dnsadmin /var/named/tmp
# head /etc/named.conf
options {
        directory "/var/named";
        pid-file "/var/named/tmp/named.pid";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};
#
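As an added example (not from the original post), a POSIX sh audit that verifies the result of the three steps above: the solaris.smf.manage.bind authorization in /etc/user_attr, the pid-file path named.conf actually uses and who owns its directory, and the start/user that SMF applies. It assumes the dnsadmin user and FMRI from the post, matches authorization names exactly (a wildcard such as solaris.* is not expanded), and the svcprop check only works on Solaris.

```shell
#!/bin/sh
# Audit script (added example; assumptions: user "dnsadmin" and the FMRI from
# the post, configurable through the environment so the checks can be tested).
SVC_USER=${SVC_USER:-dnsadmin}
FMRI=${FMRI:-svc:/network/dns/server:default}

# user_has_auth USER AUTH FILE: succeeds when FILE (user_attr(4) format:
# user:qualifier:res1:res2:attr) lists AUTH in the user's "auths=" key (exact match).
user_has_auth() {
    awk -F: -v u="$1" -v a="$2" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^auths=/) {
                    m = split(substr(kv[i], 7), auths, ",")
                    for (j = 1; j <= m; j++) if (auths[j] == a) found = 1
                }
        }
        END { exit (found ? 0 : 1) }' "$3"
}

# pid_file_path CONF: print the pid-file set in named.conf, or BIND's default
# /var/run/named.pid (creatable only by root) when the option is absent.
pid_file_path() {
    p=$(sed -n 's/^[[:space:]]*pid-file[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | sed 1q)
    printf '%s\n' "${p:-/var/run/named.pid}"
}

# dir_owned_by USER DIR: after dropping root, named can only create and remove
# its pid-file if the directory belongs to the service user (as chown'd above).
dir_owned_by() {
    owner=$(ls -ld "$2" 2>/dev/null | awk '{print $3}')
    [ -n "$owner" ] && [ "$owner" = "$1" ]
}

# Solaris-only: the user credential SMF applies to the start method.
smf_start_user() { svcprop -p start/user "$FMRI"; }

audit() {
    user_has_auth "$SVC_USER" solaris.smf.manage.bind /etc/user_attr ||
        echo "WARN: $SVC_USER lacks solaris.smf.manage.bind; SMF will undo rndc stop"
    pf=$(pid_file_path /etc/named.conf)
    dir_owned_by "$SVC_USER" "$(dirname "$pf")" ||
        echo "WARN: $(dirname "$pf") is not owned by $SVC_USER; named cannot write $pf"
    [ "$(smf_start_user)" = "$SVC_USER" ] ||
        echo "WARN: $FMRI start/user is not $SVC_USER"
}
# Run the audit only when asked, so the functions can also be sourced and tested.
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it as root with `--audit` after the restart in step 2; each WARN line names the step that still needs attention.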

Updated 25 Feb 2009 with instructions on how to add user to authority.

Comments:

Good stuff. You may also want to check out the Center for Internet Security BIND Security Benchmark at http://www.cisecurity.org/bench_bind.html. It includes recommendations such as these as well as security recommendations more specific to the BIND software.

Posted by Glenn Brunette on September 18, 2007 at 02:41 PM GMT+00:00 #

Are there any plans to make BIND start up using a non-root configuration by default on Solaris?

Posted by Andrew on September 18, 2007 at 06:26 PM GMT+00:00 #

Cool stuff. The most important hint was about the pid file.

If running dns with a different user, then it makes sense that root owns the config files and the dns has only read permissions.

Rob

Posted by Robert Kriz on September 29, 2007 at 11:11 PM GMT+00:00 #

Andrew asked: "Are there any plans to make BIND start up using a non-root configuration by default on Solaris?"

There is an open RFE requesting that, let's see what the future brings.

Posted by Stacey Marshall on October 12, 2007 at 09:26 AM GMT+00:00 #


This blog copyright 2009 by ace