Stac, Stace, ace - blog space
Stacey Marshall's Weblog
20070918 Tuesday September 18, 2007
Running BIND server 'named' as a different user on Solaris 10

The named process is started by root and thus inherits root's privileges, which were traditionally needed to access the DNS communication channel (port 53). BIND administrators know that the named command accepts a -u username option, which causes the process to switch user identity after opening the privileged interfaces; the idea being that, should the service be compromised, the effective user is not all-powerful.

In the Solaris 10 Operating Environment the process privilege model, privileges(5), allows for more fine-grained control. Coupled with the Service Management Facility, smf(5), services may inherit fewer privileges and alternative user and group identities at start-up. Therefore, under the Solaris 10 OE, named may be configured to start with an alternative user identity, making the -u option superfluous.

To have the BIND server named start with an alternative user and group identity under the Solaris 10 OE, simply modify the following service properties:

# svccfg
svc:> select svc:/network/dns/server:default
svc:/network/dns/server:default> setprop start/user = dnsadmin
svc:/network/dns/server:default> setprop start/group = dnsadmin
svc:/network/dns/server:default> exit
# svcadm refresh svc:/network/dns/server:default
# svcadm restart svc:/network/dns/server:default

In addition, you will also have to specify an alternative location for the pid-file, as only root has write access to create the default pid-file, /var/run/named.pid. For example:

# mkdir /var/named/tmp
# chown dnsadmin /var/named/tmp
# head /etc/named.conf
options {
        directory "/var/named";
        pid-file "/var/named/tmp/named.pid";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};
#
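As an added example that is not part of the original post, the following POSIX sh functions check that a named.conf's pid-file location is one the SMF start/user can actually create, before the service is restarted. The start/user value is passed in as an argument (on Solaris it would be read with svcprop -p start/user svc:/network/dns/server:default), and the sample named.conf is constructed rather than taken from a real host.

```sh
#!/bin/sh
# Added example: sanity-check a named.conf against the SMF start/user value
# before restarting the service.  The start/user value is passed in as $1;
# on Solaris it comes from "svcprop -p start/user svc:/network/dns/server:default".

# Print the pid-file path set in named.conf, or BIND's default
# /var/run/named.pid when the options block does not set one.
named_pidfile() {
    pf=$(sed -n 's/^[[:space:]]*pid-file[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -1)
    if [ -n "$pf" ]; then printf '%s\n' "$pf"; else printf '%s\n' /var/run/named.pid; fi
}

# Return 0 when start/user ($1) can create the pid-file named in $2, else 1.
check_named_config() {
    user=$1; conf=$2
    pf=$(named_pidfile "$conf")
    dir=$(dirname "$pf")
    if [ "$user" = root ]; then
        echo "ok: named runs as root, pid-file $pf"; return 0
    fi
    case "$pf" in
        /var/run/*) echo "FAIL: start/user=$user cannot create $pf (only root writes /var/run)"; return 1 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist (mkdir it and chown it to $user)"; return 1
    fi
    owner=$(ls -ld "$dir" | awk '{print $3}')   # portable; Solaris 10 lacks GNU stat
    if [ "$owner" != "$user" ]; then
        echo "FAIL: $dir is owned by $owner, not $user"; return 1
    fi
    echo "ok: start/user=$user, pid-file $pf in $dir owned by $user"; return 0
}

# Write a constructed sample named.conf to $1; $2 is the pid-file path to set,
# or "" to leave BIND's default in place.  Not a real host's configuration.
write_sample_conf() {
    {
        echo 'options {'
        echo '        directory "/var/named";'
        [ -n "$2" ] && echo "        pid-file \"$2\";"
        echo '};'
    } > "$1"
}
```

Run check_named_config dnsadmin /etc/named.conf after the svccfg changes and before svcadm restart; a FAIL line names the directory that still needs to be created or chowned.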

Comments:

Good stuff. You may also want to check out the Center for Internet Security BIND Security Benchmark at http://www.cisecurity.org/bench_bind.html. It includes recommendations such as these as well as security recommendations more specific to the BIND software.

Posted by Glenn Brunette on September 18, 2007 at 02:41 PM GMT+00:00 #

Are there any plans to make BIND start up using a non-root configuration by default on Solaris?

Posted by Andrew on September 18, 2007 at 06:26 PM GMT+00:00 #

Cool stuff. The most important hint was about the pid file.

If running DNS with a different user, then it makes sense that root owns the config files and the DNS has only read permissions.

Rob

Posted by Robert Kriz on September 29, 2007 at 11:11 PM GMT+00:00 #

Andrew asked: "Are there any plans to make BIND start up using a non-root configuration by default on Solaris?"

There is an open RFE requesting that; let's see what the future brings.

Posted by Stacey Marshall on October 12, 2007 at 09:26 AM GMT+00:00 #
