Enable systemd hardening options for named

Ludovic Gasc gmludo at gmail.com
Mon Jan 15 23:16:51 UTC 2018

First, thank you a lot everybody, I didn't think to have several detailed
e-mails like that.
I need now to merge all of your ideas and a propose a new version of the
config file.

However, I answer first to Tony, because I have a remark below:

2018-01-15 19:15 GMT+01:00 Tony Finch <dot at dotat.at>:

> Ludovic Gasc <gmludo at gmail.com> wrote:
> >
> > 1. The list of minimal capabilities needed for bind to run correctly:
> > http://man7.org/linux/man-pages/man7/capabilities.7.html
> named already drops capabilities - have a look at the code around here:
> https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=
> blob;f=bin/named/unix/os.c;hb=v9_11_2#l234
> Note that it's a bit clever - the privileges are dropped in two stages,
> right at the start, and after the server has been configured.

One of motivation behind systemd is to have all daemonization features
(start in root and drop rights to run with a normal user, chroot,
background processes...) outside the daemon itself to reduce the security
risk, share the same code for daemonization and reduce the complexity of
each daemon.
In the specific case of bind, it already has these features and bind runs
on OS where you don't have systemd.

As you said, I don't think it hurts if it's done two times, I don't yet, I
will experiment.

> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h
> punycode
> Southeast Iceland: Westerly 6 to gale 8, veering northwesterly 4 or 5
> later,
> occasionally severe gale 9 at first in south. Very rough in north,
> otherwise
> high, occasionally very high in far south. Snow showers. Good occasionally
> poor.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20180116/a4199659/attachment-0001.html>

More information about the bind-users mailing list