Re: is it safe to chmod +s named?
Will try sudo on it.
--- On Wed, 10/29/08, Adam Tkac <email@example.com> wrote:
> From: Adam Tkac <firstname.lastname@example.org>
> Subject: Re: is it safe to chmod +s named?
> To: "Mark Andrews" <Mark_Andrews@isc.org>
> Cc: email@example.com
> Date: Wednesday, October 29, 2008, 7:15 AM
> On Wed, Oct 29, 2008 at 01:15:58PM +1100, Mark Andrews
> > In message <firstname.lastname@example.org>, Jeff Pang writes:
> > > Hello,
> > >
> > > I need to let apache start/stop named.
> > > I set: chmod +s named, so httpd (run with nobody) can stop/start it.
> > > Is it safe for this behavior? thanks.
> > In general, no. Named is not designed to be run suid
> > An ordinary user can do all sorts of damage with
> > I would suggest that you create a wrapper which then
> > named with arguments that you deem safe. This wrapper can
> > be suid root.
> I think this wrapper already exists and is called "sudo". I think the best
> solution is to allow the apache user to run the named binary so it can be
> started with "sudo named ...". Usage of the SUID bit looks like a bad
> solution to me, as Mark wrote.
> Adam Tkac, Red Hat, Inc.
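
A sketch of the wrapper Mark describes, added here as an example and not code from anyone in the thread: it accepts one action word and maps it to a fixed command line, so nothing the web server passes ever reaches named. The binary paths, the `-u named` account, the use of `rndc stop` for stopping and the `named-ctl` name are assumptions.

```c
/* Added example: setuid-root wrapper that turns "start" or "stop" into a
 * fixed command line. Paths and the "named" account are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fixed command lines; nothing from the caller is ever copied into them. */
static char *const START_ARGV[] = { "/usr/sbin/named", "-u", "named", NULL };
static char *const STOP_ARGV[]  = { "/usr/sbin/rndc", "stop", NULL };

/* Constant environment: the caller's PATH, LD_* and the rest are dropped. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Return the argv for an allowed action, or NULL for anything else. */
char *const *select_command(int argc, char *const argv[])
{
    if (argc != 2 || argv == NULL || argv[1] == NULL)
        return NULL;              /* exactly one action word, no extras */
    if (strcmp(argv[1], "start") == 0)
        return START_ARGV;
    if (strcmp(argv[1], "stop") == 0)
        return STOP_ARGV;
    return NULL;                  /* options such as -c are refused */
}

int main(int argc, char *argv[])
{
    char *const *cmd = select_command(argc, argv);
    if (cmd == NULL) {
        fprintf(stderr, "usage: named-ctl start|stop\n");
        return 2;
    }
    /* Align real and effective ids so the child has a single identity. */
    if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
        perror("setuid");
        return 1;
    }
    execve(cmd[0], cmd, SAFE_ENV);  /* absolute path, no PATH search */
    perror("execve");
    return 1;
}
```

With sudo, the same restriction comes from listing the full command line, arguments included, in sudoers, because a command listed there without arguments may be run with any arguments.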