On Thu, 24 Oct 2002, Paul Sladen wrote:
> On Wed, 23 Oct 2002, Burak wrote:
> > What are the risks of setting S_CAPS="CAP_SYS_RESOURCE"
>
> The interesting point is that I've never run into this problem!
> I run Bind on several of my vservers--without the extra CAP_SYS_RESOURCE
> capabilities--and haven't experienced any problems. Having said that, these
> will all be the standard Debian shipments and I haven't looked into the
> issue more deeply, as to versions, or whether there are patches involved.
With today's security alerts on Bind4 -> Bind8 I decided to upgrade my boxes
to Bind9; and I did indeed hit this problem when trying to run Bind9 under
vservers. To quote Ellen Feiss: ``It was like ... a bummer.''

So, recompiling Bind9 with:

    ./configure --disable-linux-caps

fixes this stupidity. Curse the bind8 exploits, curse the maintainers who
leave --enable-linux-caps on by default and curse the ISC coders for putting
it in there in the first place! :-)

Other than that, Bind9 is a drop-in config-compatible replacement for Bind8.

For those (like me) running Debian vservers who don't want to wait for the
Debian security updates; or just plain want to run Bind9 under vservers, the
following may be useful:

Add these lines to your `/etc/apt/sources.list':

    deb http://www.paul.sladen.org/debian woody/updates main
    deb-src http://www.paul.sladen.org/debian woody/updates main

Then, the usual:

    apt-get update
    apt-get install bind9

Answer `N' to the config file question (it's a drop-in so you can keep the
existing `/etc/bind/named.conf').

Or to "dpkg -i" the .debs directly the hard way, you seem to need the
following:

    http://www.paul.sladen.org/debian/bind9.nocapset/libisccc0_9.2.1-2.woody.1.nocapset_i386.deb
    http://www.paul.sladen.org/debian/bind9.nocapset/libisccfg0_9.2.1-2.woody.1.nocapset_i386.deb
    http://www.paul.sladen.org/debian/bind9.nocapset/bind9_9.2.1-2.woody.1.nocapset_i386.deb

Apologies for not having pre-built binaries for sparc and powerpc, or if you
don't have Debian! ;-)

-Paul

PS. E&OE. Make a backup before you blame me. Rants about dodgy packages to
me. Rants about Debian --enable-linux-caps policy to Bdale Garbee.

--
Nottingham, GB
