is it safe to chmod +s named?

Adam Tkac atkac at redhat.com
Wed Oct 29 11:15:29 UTC 2008


On Wed, Oct 29, 2008 at 01:15:58PM +1100, Mark Andrews wrote:
> 
> In message <611607.56975.qm at web45312.mail.sp1.yahoo.com>, Jeff Pang writes:
> > Hello,
> > 
> > I need to let apache start/stop named.
> > I set: chmod +s named, so httpd (run with nobody) can stop/start it.
> > Is it safe for this behavior? thanks.
> 
> 	In general, no.  Named is not designed to be run suid root.
> 	An ordinary user can do all sorts of damage with named.
> 
> 	I would suggest that you create a wrapper which then exec's
> 	named with arguments that you deem safe.  This wrapper can
> 	be suid root.
> 

I think this wrapper already exists and is called "sudo". I think the best
solution is to allow the apache user to run the named binary so it can be
started with "sudo named ...". Usage of the SUID bit looks like a bad
solution to me, as Mark wrote.

Adam

-- 
Adam Tkac, Red Hat, Inc.
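
The sudo approach suggested above, as an added example that is not part of the original thread: a sudoers drop-in that lets the web server account start and stop named only with a fixed command line. The binary paths, the `named` service account, the file name and the use of `rndc stop` for stopping are assumptions; `nobody` is the httpd user named in the question.

```sudoers
# /etc/sudoers.d/named-ctl (assumed file name; edit with: visudo -f /etc/sudoers.d/named-ctl)

# Too broad: no arguments listed, so the caller may pass any
# command-line options to named while it runs as root.
#   nobody ALL = (root) NOPASSWD: /usr/sbin/named

# Pinned: when arguments are listed, sudo only permits the command
# if the caller's arguments match them exactly.
Cmnd_Alias NAMED_START = /usr/sbin/named -u named
Cmnd_Alias NAMED_STOP  = /usr/sbin/rndc stop

# Start from a clean environment for this user's sudo invocations.
Defaults:nobody env_reset
# httpd has no controlling terminal; needed only where requiretty is enabled.
Defaults:nobody !requiretty

nobody ALL = (root) NOPASSWD: NAMED_START, NAMED_STOP
```

With this in place the web application calls `sudo /usr/sbin/named -u named` or `sudo /usr/sbin/rndc stop`; any other argument list is refused and logged by sudo, and the named binary itself keeps its normal, non-SUID permissions.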

