[bind10-dev] Privileged socket creation

Shane Kerr shane at isc.org
Fri Jun 25 14:37:07 UTC 2010


On Wed, 2010-06-23 at 23:40 -0400, Danny Mayer wrote:
> On 5/26/2010 8:59 AM, Jeremy C. Reed wrote:
> >> The algorithm for the boss process will be:
> >>
> >>   1. Drop all permissions other than the ability to setuid(), 
> >> chroot(), and bind() to a specific port.
> > 
> > How?
> > 
> > For the sandbox, who is doing the fork()? The bind10 or the 
> > PrivilegedSocketCreator? I can't guess because it doesn't then say child 
> > bind10 will exec the PrivilegedSocketCreator nor does it say that the 
> > first PrivilegedSocketCreator (the parent) will exit. (I think it needs 
> > one or the other.)
> This is really, really bad on windows since there is no equivalent to
> fork(). Usually I like just to replace it with creating a thread but if
> I understand correctly you don't want to use threads and therefore avoid
> having to deal with locking. The problem is one of passing enough
> information to the newly created process. I forget the details but it
> looks like the _spawn() function is able to pass some of the info.

This design is strictly for POSIX systems (and ones that support the
non-standard extension of sending open file descriptors around - which
is every modern POSIX system).

For Windows, we'll need to evaluate not only BIND 10's security model,
but also the whole architecture. My hope is that it will translate
directly across, but I know that Windows is quite different from Unix,
and I'm not a Windows expert.


More information about the bind10-dev mailing list