Hi everyone!
I installed fresh copy of SLES 11SP2x64AMD and I am wonder if BIND daemon is CHROOT’ed as default?
From what I see in the folder /var/lib/named/ few catalogs are set with named:named user
and /etc/group contain named:!:44 user, but my concern is if it require some tweak to make it secure or it is already prepared/chroot’ed and it is ready to use?
I Think I found the answer with previous version
http://www.pcc-services.com/sles/dns2.html
[QUOTE]SLES10, for security reasons, will run the DNS Server in a “chroot jail” that is located at /var/lib/named - this is done in case any security breaches to the DNS server will only result in the DNS Service to be attacked. You can adjust this behavior with the “/etc/sysconf Editor” Yast Module located in the “System” category. Here you can adjust the following DNS options:
NAMED_RUN_CHROOTED - Allows you to disable running the DNS Server within a chroot jail
NAMED_ARGS - Additional options you can add when starting the DNS Server.
NAMED_CONF_INCLUDE_FILES - Any additional files you may need have copied to the chroot jail when named is started.
NAMED_INITIALIZE_SCRIPTS - Any scripts that you want to be ran when the DNS Server is (re)Started can be listed here.
[/QUOTE]
On 06/22/2012 02:24 PM, MTerlik wrote:[color=blue]
Hi everyone!
I installed fresh copy of SLES 11SP2x64AMD and I am wonder if BIND
daemon (9.6-ESV-R5-P1) is CHROOT’ed as default?
From what I see in the folder /var/lib/named/ few catalogs are set with
named:named user
and /etc/group contain named:!:44 user, but my concern is if it require
some tweak to make it secure or it is already prepared/chroot’ed and it
is ready to use?[/color]
The directories that named:named in /var/lib/named are set that way because they
could receive dynamic updates (e.g. the dyn directory)… as you mentioned, it
runs chrooted as the user named… so the perms are open in areas where named
needs to write.