Debian Bug report logs - #50013
bind: bind should not run as root.
Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#50013; Package bind.
Acknowledgement sent to Pierre Blanchet <blanchet@cvf.fr>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>.
Message #5 received at submit@bugs.debian.org:
Package: bind
Version: 1:8.2.2-3
Severity: wishlist
According to security experts, bind should not run as root (and should run chrooted). The documentation is not very clear on why and how one may achieve this.
I'm not really an expert, and I don't really know how this can be done from a Debian point of view (postinst creating a user, or just a note in README.Debian, ...).
Thanks,
--
Pierre Blanchet.
Pierre.Blanchet@cvf.fr
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#50013; Package bind.
Acknowledgement sent to Pierre.Blanchet@cvf.fr:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
Message #10 received at 50013@bugs.debian.org:
You can find more information on how this can be done (non-root
user + chroot) here :
http://lwn.net/lwn/980611/chrootbind.html
Pierre Blanchet
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#50013; Package bind.
Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list.
Message #15 received at 50013@bugs.debian.org:
In article <E11mHbe-0002R3-00@mail.cvf.fr> you wrote:
> According to security experts, bind should not run as root (and should run
> chrooted).
Opinions differ about running non-root. I'm not convinced it's a good idea.
Running chroot'ed is probably a good idea, and will probably be implemented
in Debian in a future upload.
Bdale
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#50013; Package bind.
Acknowledgement sent to Remco van de Meent <remco@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
Message #20 received at 50013@bugs.debian.org:
Hi,
I'd like to add a few comments on this issue.
> > According to security experts, bind should not run as root (and should
> > run chrooted).
>
> Opinions differ about running non-root. I'm not convinced it's a good
> idea.
Could you give me a pointer to more information on this subject? I'm not
*that* into named security, but this is the first time I hear
someone actually object to running named unprivileged...
If you don't want to run named as an unprivileged user by default, maybe
you can add a question about it in .postinst and let the user decide whether
he wants it? At the moment there is no named user in /etc/{passwd,shadow}
and no named group in /etc/shadow, and IMHO this should change. Or will some
things break when running named as non-root?
> Running chroot'ed is probably a good idea, and will probably be
> implemented in Debian in a future upload.
Using a chroot-jail certainly will be a gain in security, but it is far from
a total solution to any security problem. Breaking out of a chroot()'ed
environment isn't impossible, and when you're able to do that, and named
runs as root....
I hope you will at least make it an option to the user to run named as
non-root.
Thanks,
-Remco
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#50013; Package bind.
Acknowledgement sent to bdale@gag.com (Bdale Garbee):
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
Message #25 received at 50013@bugs.debian.org:
I'm updating README.Debian to include a pointer to a site explaining how to
set up a chroot, and to include information about running non-root and why
we don't do it as default.
I'll leave this bug open at severity wishlist on the off chance I someday
feel inspired to support more than one configuration option through debconf
or something.
Bdale
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#50013; Package bind.
Acknowledgement sent to Jeremy Lunn <jeremy@austux.net>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
Message #34 received at 50013@bugs.debian.org:
I have just been reading the bug reports on this issue and first of all
I think it's pretty important that bind runs as non-root, particularly
after some of the root exploits it's had in the past. Could debconf
prompt the user to run as non-root (default to yes) but warn them of the
problems? I am sure that the problems it causes would only affect a
minority of bind users.
Also I think it should prompt to be run in a chroot jail. Would it be
possible to have a separate package for this and have it statically
linked to the libraries? Of course if it's going to run in a chroot it
has to be non-root, otherwise it's pretty easy to break out of the jail.
--
Jeremy Lunn
Melbourne, Australia
GnuPG Public Key: http://www.austux.net/jeremy.gpg
Finger jeremy@austux.net for more details
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#50013; Package bind.
Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list.
Message #39 received at 50013@bugs.debian.org:
jeremy@austux.net (Jeremy Lunn) writes:
> I have just been reading the bug reports on this issue
Thanks for your inputs. The BIND packages will be substantially reworked once
9.1 is released, and I plan to address at least some of the possible options
then.
Bdale
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#50013; Package bind.
Acknowledgement sent to martin f krafft <madduck@madduck.net>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
Message #46 received at 50013@bugs.debian.org:
also sprach Javier Fernández-Sanguino Peña <jfs@computer.org> [2002.01.15.1316 +0100]:
> > Debian being what it is, are there any reasons why the debian bind
> > package should not be chroot as the default instalation?
>
> RTFM. That is:
> http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-sec-bind
>
> :)
well, first of all, this document refers to a bug, #50013 (to which this
is CCd). in the bug, the argument comes up that "opinions differ from
running bind non-root". but a chroot jail is advised.
i'd love to know just why you'd ever run bind as root, even in a jail.
if i have root rights in a jail, i'll break out of the jail within
minutes (e.g. [1]).
second, why would you *need* bind running as root?
and thirdly, please check the threads at [2] and [3] if you are
interested in a discussion on bind9 and chroot.
> > One thing that might be a good idea, would be a security review of the
> > main debian packages. It's probably beeing done for some already, but I
> > would guess a lot of debian packages could benefit from even stricter
> > default setups. For example, maybe libsafe should be default in all
> > installs.
>
> Agreed. Feel free to point to better security measures in the
> Default installation and document them, once done it is a major point of
> pressure to change Debian policy.
running non-root *and* chrooting.
> Debian could provide, with only some effort from package
> maintainers versions of daemons chrooted to given environments. This
> however, might break Policy (IMHO).
how would it break policy?
1. http://www.bpfh.net/simes/computing/chroot-break.html
2. http://lists.debian.org/debian-devel/2001/debian-devel-200109/msg01393.html
3. http://lists.debian.org/debian-devel/2002/debian-devel-200201/msg01001.html
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
above all, we should not wish to divest
our existence of its rich ambiguity.
-- nietzsche
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>, bind@packages.qa.debian.org:
Bug#50013; Package bind.
Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>, bind@packages.qa.debian.org.
Message #51 received at 50013@bugs.debian.org:
On Tue, Jan 15, 2002 at 01:51:32PM +0100, martin f krafft wrote:
>
> > Debian could provide, with only some effort from package
> > maintainers versions of daemons chrooted to given environments. This
> > however, might break Policy (IMHO).
>
> how would it break policy?
(sorry, catching up with posts)
Policy would be broken because a chroot installation would need
all the libraries, configuration files, etc... that the service needed
to be placed in a given fixed location
(for example /usr/lib/named/etc, /usr/lib/named/var/{log,run})
This defeats the FHS and also one of Debian's primary assumptions
(all configuration files in /etc for example) on which the policy is
based.
This also makes it more difficult for package maintenance,
how do I propagate changes from dynamic libraries to chrooted services?
Of course, if the service is able to chroot itself (example is bind's
-t flag or proftp's anonymous chrooted environment) this is less of an
issue since you can run it properly and
just need config, log, data and pid files in the chrooted environment.
Regards
Javi
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>, bind@packages.qa.debian.org:
Bug#50013; Package bind.
Acknowledgement sent to Xeno Campanoli <xeno@eskimo.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>, bind@packages.qa.debian.org.
Message #56 received at 50013@bugs.debian.org:
Javier Fernández-Sanguino Peña wrote:
>
> On Tue, Jan 15, 2002 at 01:51:32PM +0100, martin f krafft wrote:
> >
> > > Debian could provide, with only some effort from package
> > > maintainers versions of daemons chrooted to given environments. This
> > > however, might break Policy (IMHO).
> >
> > how would it break policy?
>
> (sorry, catching up with posts)
>
> Policy would be broken because a chroot installation would need
> all the libraries, configuration files, etc... that the service needed
> to be placed in a given fixed location
> (for example /usr/lib/named/etc, /usr/lib/named/var/{log,run})
> This defeats the FHS
He's referring to the Debian Filesystem Hierarchy Standard, which I keep
having to re-look-up, so here's the link if anyone else wants to, as
found on Google:
http://www.pathname.com/fhs/
> and also one of Debian's primary assumptions
> (all configuration files in /etc for example) on which the policy is
> based.
> This also makes it more difficult for package maintenance,
> how do I propagate changes from dynamic libraries to chrooted services?
> Of course, if the service is able to chroot itself (example is bind's
> -t flag or proftp's anonymous chrooted environment) this is less of an
> issue since you can run it properly and
> just need config, log, data and pid files in the chrooted environment.
>
> Regards
>
> Javi
>
--
http://www.eskimo.com/~xeno
xeno@eskimo.com
Physically I'm at: 5101 N. 45th St., Tacoma, WA, 98407-3717, U.S.A.
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#50013; Package bind.
Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.
Message #65 received at 50013@bugs.debian.org:
Bind version 8, as shipped in Debian, still runs as superuser by default.
Since Bind version 9 does not do so any longer (#149059), and has been
shipped with a non-root default for quite some time already (almost 4 years!)
isn't it time bind8 was changed too?
Regards
Javier
PD: The patch in #157245 might need to be revised, since it does not include
the code to create the user on postinst. It might be useful to
review the "Creating users and groups for software daemons" section in the
Securing Debian Manual for sample code:
http://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html#s-bpp-lower-privs
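Putting the two halves of the thread together (named's own -t flag, which message #51 notes makes a library-free jail possible, and the postinst user creation Javier points at above), here is an added example of a setup script. It is not code from the bind/bind9 packages or from the Securing Debian Manual. The jail path /var/lib/named, the NAMED_JAIL_SETUP switch and the authoritative-only named.conf are assumptions made for this example; the user name "bind" is what Debian's bind9 package uses, as the ps listing later in the thread shows.

```shell
#!/bin/sh
# Added example, not part of Debian's bind/bind9 packaging: build a minimal
# chroot jail for BIND 9 and create its unprivileged account.
# named chroot()s itself (-t) after its shared libraries are already mapped,
# so the jail needs no /lib copies, only what named opens afterwards:
# config and zones, device nodes, the cache directory and the pid directory.
set -eu

JAIL="${JAIL:-/var/lib/named}"   # assumed jail path, chosen for this example
RUN_AS="${RUN_AS:-bind}"          # Debian's bind9 package runs as user "bind"

# Idempotent system-account creation, the shape a Debian postinst uses:
# look the user up first, then adduser --system with a private group, no
# real home directory and no login shell. Safe to re-run on every upgrade.
# Needs root.
ensure_daemon_user() {
    user="$1"
    if getent passwd "$user" >/dev/null 2>&1; then
        return 0
    fi
    adduser --system --group --no-create-home --home /var/cache/bind \
            --shell /usr/sbin/nologin --gecos "BIND DNS daemon" "$user"
}

# Unprivileged part of the layout: directories and a config whose paths are
# relative to the jail root, because named resolves them after chroot().
build_named_jail() {
    jail="$1"
    for d in etc/bind dev var/cache/bind var/run/named; do
        mkdir -p "$jail/$d"
    done
    cat > "$jail/etc/bind/named.conf" <<'EOF'
options {
    directory "/var/cache/bind";          // inside the jail
    pid-file  "/var/run/named/named.pid"; // inside the jail
    recursion no;                         // authoritative-only, assumed here
    version   none;
};
EOF
}

# Privileged part: device nodes (CAP_MKNOD) and ownership. Only the writable
# directories belong to the daemon user; the config stays root-owned so a
# compromised named cannot rewrite its own zones or options. Needs root.
populate_jail_devices() {
    jail="$1"; owner="$2"
    [ -c "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null"    c 1 3
    [ -c "$jail/dev/random" ]  || mknod -m 666 "$jail/dev/random"  c 1 8
    [ -c "$jail/dev/urandom" ] || mknod -m 666 "$jail/dev/urandom" c 1 9
    if [ -f /etc/localtime ]; then cp -p /etc/localtime "$jail/etc/localtime"; fi
    chown -R "$owner:$owner" "$jail/var/cache/bind" "$jail/var/run/named"
    chmod 750 "$jail/var/cache/bind" "$jail/var/run/named"
}

# The command line the init script should run: named enters the jail (-t)
# and then switches to the unprivileged user (-u); -c is resolved inside the
# jail. Leaving out -u gives the root-in-a-jail situation the thread warns about.
named_cmdline() {
    printf '/usr/sbin/named -u %s -t %s -c /etc/bind/named.conf\n' "$1" "$2"
}

main() {
    ensure_daemon_user "$RUN_AS"
    build_named_jail "$JAIL"
    populate_jail_devices "$JAIL" "$RUN_AS"
    echo "start named with: $(named_cmdline "$RUN_AS" "$JAIL")"
}

# Act only when asked, so the file can also be sourced for its functions.
if [ "${NAMED_JAIL_SETUP:-}" = "1" ]; then main; fi
```

Run as root with NAMED_JAIL_SETUP=1. The layout follows Javier's point: because named performs the chroot() itself, the jail holds no copies of libc or the resolver libraries, so library updates from apt still reach the daemon on its next restart, and the Policy/FHS concern shrinks to the handful of config, cache and pid files that must live inside the jail.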
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#50013; Package bind.
Acknowledgement sent to Tomasz Chmielewski <mangoo@wpkg.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.
Message #70 received at 50013@bugs.debian.org:
Well, an almost 10 year-old bug.
bind 9 runs as a non-root user already:
# ps u -C named
USER  PID %CPU %MEM   VSZ  RSS TTY STAT START   TIME COMMAND
bind  780  0.0 17.2 20092 5156 ?   Ss   Mar13   0:00 /usr/sbin/named -u bind
bind  781  0.0 17.2 20092 5156 ?   S    Mar13   0:01 /usr/sbin/named -u bind
bind  782  0.4 17.2 20092 5156 ?   S    Mar13 123:58 /usr/sbin/named -u bind
bind  783  0.0 17.2 20092 5156 ?   S    Mar13   1:21 /usr/sbin/named -u bind
bind  784  0.0 17.2 20092 5156 ?   S    Mar13   7:06 /usr/sbin/named -u bind
Since bind 8 is at EOL stage ("security fixes only if critical and no
support") I think no one will ever fix this bug. Instead, shouldn't the
future of this package in Debian be considered?
Tomasz Chmielewski
http://wpkg.org
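The ps listing above shows who owns the processes, but ps only repeats the process table; it does not tell you whether the daemon is actually confined. As an added example (not from the bind9 package or from anyone in this thread), the script below does the two checks a reviewer of this bug would want: it scans ps u -C named output for any instance still owned by root, and on a live host it reads each named PID's effective UID, capability mask and root directory from /proc, so that both halves of the argument (non-root and chrooted) are verified together. The NAMED_AUDIT switch is an assumption of this example, and the ps lines used in the usage note are constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example, not from the bind9 package: verify that named has really
# dropped root and is confined, instead of trusting "-u bind" on its
# command line.

# Scan "ps u -C named" output (first line is the header) and report any
# named process whose USER column is root. Returns 1 if one was found.
find_root_named() {
    awk 'NR > 1 && $1 == "root" { bad++; print "named pid " $2 " runs as root" }
         END { exit (bad > 0) }'
}

# Live check for one PID straight from the kernel:
#   Uid:    real effective saved fs   -> field 3 is the effective uid
#   CapEff: effective capability mask  -> BIND keeps a few bits via libcap
#           (e.g. CAP_NET_BIND_SERVICE, bit 10) even after switching user
#   /proc/PID/root -> "/" means the process was never chrooted at all
# Reading another process's root link needs root (or the same uid).
audit_named_pid() {
    pid="$1"
    if [ ! -r "/proc/$pid/status" ]; then
        echo "pid $pid: no such process" >&2
        return 2
    fi
    euid=$(awk '/^Uid:/ { print $3 }' "/proc/$pid/status")
    capeff=$(awk '/^CapEff:/ { print $2 }' "/proc/$pid/status")
    root=$(readlink "/proc/$pid/root" 2>/dev/null || echo '?')
    printf 'pid=%s euid=%s capeff=%s root=%s\n' "$pid" "$euid" "$capeff" "$root"
    if [ "$euid" -ne 0 ] && [ "$root" != "/" ]; then
        return 0      # non-root AND jailed: the combination the thread asks for
    fi
    return 1
}

# Audit every running named; returns 1 if any instance is root or unjailed.
audit_all_named() {
    fail=0
    for pid in $(pgrep -x named 2>/dev/null || true); do
        audit_named_pid "$pid" || fail=1
    done
    return "$fail"
}

if [ "${NAMED_AUDIT:-}" = "1" ]; then
    ps u -C named | find_root_named || echo "FAIL: named running as root" >&2
    audit_all_named || echo "FAIL: a named instance is root or not chrooted" >&2
fi
```

Run as root with NAMED_AUDIT=1 on a host where named is up; both checks must pass. A named started without -u fails audit_named_pid on the euid test even though it may look fine in a casual glance at ps, and one started without -t fails on the root-directory test: exactly the two properties the thread argues have to hold at the same time, since root inside a jail is what makes the jail escapable.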
Bug reassigned from package `bind' to `bind9'. Request was from Marco Rodrigues <gothicx@sapo.pt> to control@bugs.debian.org. (Sun, 13 Jul 2008 22:07:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#50013; Package bind9.
Acknowledgement sent to Marco Rodrigues <gothicx@sapo.pt>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.
Message #87 received at 50013@bugs.debian.org:
reassign 402231 bind9
reassign 92147 bind9
reassign 52745 bind9
reassign 197670 bind9
reassign 481921 bind9
reassign 157245 bind9
reassign 248193 bind9
reassign 442910 bind9
reassign 81252 bind9
reassign 156349 bind9
reassign 94760 bind9
reassign 212625 bind9
reassign 260915 bind9
reassign 402232 bind9
reassign 86488 bind9
reassign 149342 bind9
reassign 282239 bind9
reassign 128129 bind9
reassign 62547 bind9
reassign 106789 bind9
reassign 46856 bind9
reassign 85081 bind9
reassign 242579 bind9
reassign 45470 bind9
reassign 50013 bind9
reassign 88326 bind9
reassign 95773 bind9
reassign 190577 bind9
reassign 53550 bind9
reassign 132492 bind9
reassign 24280 bind9
reassign 441290 bind9
reassign 88982 bind9
reassign 355787 bind9
reassign 199252 bind9
reassign 70079 bind9
reassign 213706 bind9
reassign 129710 bind9
reassign 170872 bind9
reassign 86013 bind9
reassign 280955 bind9
reassign 260759 bind9
reassign 99538 bind9
reassign 234167 bind9
reassign 132582 bind9
reassign 81190 bind9
reassign 352054 bind9
reassign 169124 bind9
reassign 132494 bind9
reassign 55032 bind9
reassign 85909 bind9
reassign 197669 bind9
thanks
The bind package has been removed from Debian testing, unstable and
experimental. I am reassigning its bugs to the bind9 package. Please
have a look at them, and close them if they don't apply to
bind9 anymore.
Don't hesitate to reply to this mail if you have any question.
--
Marco Rodrigues
http://Marco.Tondela.org
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#50013; Package bind9. (Mon, 21 Mar 2011 05:21:03 GMT)
Acknowledgement sent to Kenyon Ralph <kenyon@kenyonralph.com>: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Mon, 21 Mar 2011 05:21:03 GMT)
Message #92 received at 50013@bugs.debian.org:
This bug can probably be closed since bind9 runs as user "bind" rather
than root.
--
Kenyon Ralph
Reply sent to Thomas Goirand <thomas@goirand.fr>: You have taken responsibility. (Fri, 16 Sep 2011 10:06:51 GMT)
Notification sent to Pierre Blanchet <blanchet@cvf.fr>: Bug acknowledged by developer. (Fri, 16 Sep 2011 10:06:56 GMT)
Message #97 received at 50013-done@bugs.debian.org:
Closing since bind doesn't run as root anymore
Reply sent to Thomas Goirand <thomas@goirand.fr>: You have taken responsibility. (Fri, 16 Sep 2011 10:06:57 GMT)
Notification sent to Bdale Garbee <bdale@gag.com>, inaky@teknoland.com, Francesco Potorti` <pot@gnu.org>, James Nord <teilo@teilo.net> and "Javier Fernandez-Sanguino Pena" <jfs@dat.etsit.upm.es>: Bug acknowledged by developer. (Fri, 16 Sep 2011, 10:07:00 to 10:07:54 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 15 Oct 2011 07:32:17 GMT)
Last modified: Mon Sep 2 00:32:43 2019