Subject: Re: pkg/14876
To: None <email@example.com, firstname.lastname@example.org, email@example.com>
From: Greg A. Woods <firstname.lastname@example.org>
Date: 03/17/2005 18:10:02
The following reply was made to PR pkg/14876; it has been noted by GNATS.
From: "Greg A. Woods" <email@example.com>
NetBSD Bugs and PR posting List <netbsd-bugs@NetBSD.ORG>,
NetBSD GNATS submissions and followups <firstname.lastname@example.org>
Subject: Re: pkg/14876
Date: Thu, 17 Mar 2005 13:09:11 -0500 (EST)
[ On Thursday, March 17, 2005 at 15:42:36 (+0000), email@example.com wrote: ]
> Subject: Re: pkg/14876
> Synopsis: named should never run as root, at least not by default
> State-Changed-From-To: open->closed
> State-Changed-By: firstname.lastname@example.org
> State-Changed-When: Thu, 17 Mar 2005 15:42:36 +0000
> I want the BIND 9 package to be a drop in replacement for the name server
> in NetBSD's base distribution. It will therefore use the same defaults.
> If you want this to get change (which is probably a good idea) submit
> a PR against NetBSD's default settings in "/etc/defaults/rc.conf".
If you care to look at /etc/rc.d/named on any modern system (including
1.6), you'll find that '-u named' is always passed to named.
However pkgsrc is intended to run on non-modern systems, and non-NetBSD
systems, so its own rc.d script for net/bind8 and net/bind9 should mimic
the same behaviour.
I.e. you of all people need to remember that pkgsrc is not NetBSD
specific and making the BIND-9 package a secure way to install and use
BIND-9 on other systems must also be a requirement.
Finally if you look at some of the changes I submitted you'll find they
are NECESSARY if bind9 is ever to start properly and securely as a
non-root user on any system where root blindly trusts the content of
/var/run files (e.g. NetBSD). I.e. at least some of the changes I
submit are critically necessary if the native rc.d script is used!
(Note that the BIND developers feel the security issues related to
having a /var/run that's writable by the user and/or group an attacker
would gain access to by successfully exploiting named is a
system-specific issue and not one germane to BIND itself.)
And BTW, BIND-9 cannot currently be a clean drop-in replacement for the
NetBSD nameserver. It's impossible as they have very different
configuration requirements. Anyone who thinks they can get away with a
pkg_add of BIND-9 and a restart is fooling themselves to the point of
causing harm (to their system). At the moment a "drop-in" replacment
could only be possible with BIND-8.
Greg A. Woods
H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <email@example.com>
Planix, Inc. <firstname.lastname@example.org> Secrets of the Weird <email@example.com>