Today, Marc Evans gleaned this insight:
> People should really consider running daemons like named in a chroot'ed
> environment (see http://www.psionic.com/papers/dns/ for example). You
> should also consult the INSTALL file in the source distribution, which
> discusses the -u, -g and -t options:
>
> User and Group ID
>
> Specifying "-u" followed by a username or numeric user id on the
> "named" command line will cause the server to give up all
> privileges and become that user after the initial load of the
> configuration file is complete. "-g" may be used similarly to set
> the group id. If "-u" is specified but "-g" is not, the group
> used will be the given user's primary group.
>
> Chroot
>
> "-t" followed by a directory path on the "named" command line will
> cause the server to chroot() to that directory before it starts
> loading the configuration file.
>
Cool. I didn't know you could do this. I knew this was possible in theory
but I didn't know the code was already in there. I've got named running as
user named now, and named has no ownership of any files on the system.
Does anyone know of any potential implications of this (i.e. named not
being able to write to files it needs to write to)?
This is a master server only, so I am not requesting any zone transfers.
Therefore I don't need to worry about being able to write to slave zone
files. But are there others that it may need to write to (i.e. to which
it does not already have access prior to changing user)?
Preliminary testing suggests that this is working fine.
Thanks for the tip Marc.
--
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin | Unix/Linux Geek
[EMAIL PROTECTED] | [EMAIL PROTECTED]
------------------------------------------------------
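As an added illustration (not code from the original mail or from BIND), the script below lays out a minimal chroot skeleton in the spirit of the -u/-t options quoted above, then audits which paths a daemon running under a given uid could still write to after dropping privileges; the directory layout and the use of uid-numbered checks are assumptions.

```shell
#!/bin/sh
# Added example: a minimal chroot skeleton for named plus an audit of what an
# unprivileged daemon uid could still modify inside it. Paths are assumptions.
# In a real deployment the server would be started roughly as:
#   named -u named -g named -t /var/named/chroot
# and the runtime directory would be chown'ed to named; here mode bits
# simulate that without requiring root, so the script can run anywhere.

# Create the skeleton. Config and zone files stay read-only for the daemon;
# only the runtime directory (pid file, dumps) is meant to be writable by it.
make_named_chroot() {
  root=$1
  mkdir -p "$root/etc/namedb" "$root/var/run" "$root/dev" || return 1
  : > "$root/etc/named.conf"                 # constructed empty placeholder
  : > "$root/etc/namedb/example.zone"        # constructed empty placeholder
  chmod 0644 "$root/etc/named.conf" "$root/etc/namedb/example.zone"
  chmod 0755 "$root/etc" "$root/etc/namedb" "$root/dev" "$root/var"
  # Real deployment: chown named:named "$root/var/run"; chmod 0755 it.
  # Simulated here with a world-writable directory.
  chmod 0777 "$root/var/run"
}

# Print every path under $1 that uid $2 could write to: owned by that uid
# with the owner write bit set, or world-writable. Anything listed besides
# the runtime directory is a candidate for tightening.
audit_writable() {
  root=$1
  uid=$2
  find "$root" \( -user "$uid" -perm -u=w \) -o -perm -o=w 2>/dev/null | sort
}
```

Run it against a scratch directory and the uid named will run as; the expected output is only the runtime directory.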