[bind10-dev] Possible suid root on b10-sockcreator
Jeremy C. Reed
jreed at isc.org
Tue Dec 20 14:38:55 UTC 2011
On Tue, 20 Dec 2011, Michal 'vorner' Vaner wrote:
> > > - No need to become completely root to start it.
> So, there are two things ? I need to switch to root and then tell the
> software to switch back. With setuid, I'd simply write:
> vorner at hydra ~/bind10 $ ./sbin/bind10
We should be root regardless of setuid. It should certainly not allow
setuid for arbitrary users. In is standard and accepted that privileged
operations to be started by privileged user, root.
Also I don't know of any kernels that allow setuid scripts (due to
potential problem of code getting replaced after execution time).
> The other is, we don't have any --daemon or --no-daemon flags. If we
> want to run as a daemon, we do something like:
> nohup ./sbin/bind10 >/dev/null 2>&1 &
>
> Simply, bind10 runs DNS, it's not its goal to daemonize, there are
> tools for that.
The tools aren't consistent. And "bind10" does not run DNS (in fact it
could be configured to do DHCP or do nothing). I think its goal should
be to daemonize. (I started a different email thread about this.)
More information about the bind10-dev
mailing list