[bind10-dev] Possible suid root on b10-sockcreator
Michal 'vorner' Vaner
michal.vaner at nic.cz
Mon Dec 19 08:32:59 UTC 2011
Hello
On Fri, Dec 16, 2011 at 03:06:52PM -0600, Jeremy C. Reed wrote:
> We need to consider different users/groups for different run-time
> components. A good example is stats-httpd (running on same system)
> should not have privileges to modify zone data stores or configuration
> JSON file.
I wasn't aware of such a requirement. But as such, it sounds sane, so we probably
shouldn't make it impossible to do so. Maybe we should add a configuration
option to the components.
But if we support this, we should still support at least one of the ways to
support „everything as a user except for the creator who is root“.
> As an idea bind10 starts as root, and its configuration knows the
> user:group to run each component as. But if bind10 drops its own
> privileges then it can't restart them as desired.
I believe the boss would need to run as root all the time then.
Thanks
With regards
--
Disclaimer: this message may contain information.
Michal 'vorner' Vaner
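
The design discussed in this message, as an added example (not part of the original post or of the BIND 10 code base): a boss that keeps root forks each component and switches to the configured user:group in the child before exec, while a boss that has already dropped root can only start components under its own identity. The names `drop_privileges` and `spawn_as` are hypothetical.

```python
import os
import sys


def drop_privileges(uid, gid):
    """Irreversibly become uid:gid; call only in the forked child."""
    if (os.getuid(), os.geteuid(), os.getgid(), os.getegid()) == (uid, uid, gid, gid):
        return  # already running as the target identity
    if os.geteuid() != 0:
        # The case raised in the thread: a boss that gave up root cannot
        # start (or restart) a component under a different user.
        raise PermissionError("not root: cannot switch to %d:%d" % (uid, gid))
    os.setgroups([])   # shed root's supplementary groups first
    os.setgid(gid)     # group before user; after setuid() this would fail
    os.setuid(uid)     # as root this sets real, effective and saved uid
    if uid != 0:
        try:
            os.setuid(0)  # must fail, otherwise the drop is reversible
        except PermissionError:
            return
        raise RuntimeError("privilege drop did not stick")


def spawn_as(uid, gid, argv):
    """Fork, drop to uid:gid in the child, exec argv; return its exit code."""
    pid = os.fork()
    if pid == 0:
        try:
            drop_privileges(uid, gid)
            os.execvp(argv[0], argv)
        except BaseException:
            pass
        os._exit(126)  # drop or exec failed; never continue with the boss's identity
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)


if __name__ == "__main__":
    # Constructed demo: run `id` under the caller's own identity.
    sys.exit(spawn_as(os.getuid(), os.getgid(), ["id"]))
```

Run as root with a component's numeric uid and gid, the child reports only that identity; run unprivileged with any other uid, `spawn_as` returns 126 because the drop is refused.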