Sophie

Sophie

distrib > Mandriva > 2010.1 > i586 > media > contrib-updates > by-pkgid > 563affe035311228f138962d4d47d4fd > files > 77

pdns-3.0.1-0.1mdv2010.2.i586.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Security settings &#38; considerations</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REL="HOME"
TITLE="PowerDNS manual"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Operational logging using syslog"
HREF="syslog.html"><LINK
REL="NEXT"
TITLE="Considerations"
HREF="considerations.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>PowerDNS manual</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="syslog.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="considerations.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="SECURITY"
></A
>Chapter 7. Security settings &amp; considerations</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="SETTINGS"
>7.1. Settings</A
></H1
><P
>PDNS has several options to easily allow it to run more securely. Most notable are the <B
CLASS="COMMAND"
>chroot</B
>, 
	<B
CLASS="COMMAND"
>setuid</B
> and <B
CLASS="COMMAND"
>setgid</B
> options which can be specified.</P
><P
>	For additional information on PowerDNS security, PowerDNS security incidents and PowerDNS security policy, see <A
HREF="security-policy.html"
>Section 1.4</A
>.
      </P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2952"
>7.1.1. Running as a less privileged identity</A
></H2
><P
>	  By specifying <B
CLASS="COMMAND"
>setuid</B
> and <B
CLASS="COMMAND"
>setgid</B
>, PDNS changes to this identity shortly after
	  binding to the privileged DNS ports. These options are highly recommended. It is suggested that a separate identity
	  is created for PDNS as the user 'nobody' is in fact quite powerful on most systems.
	</P
><P
>	  Both these parameters can be specified either numerically or as real names.
	  You should set these parameters immediately if they are not set!
	</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2958"
>7.1.2. Jailing the process in a chroot</A
></H2
><P
>	  The <B
CLASS="COMMAND"
>chroot</B
> option secures PDNS to its own directory so that even if it should become compromised and
	  under control of external influences, it will have a hard time affecting the rest of the system.
	</P
><P
>	  Even though this will hamper hackers a lot, chroot jails have been known to be broken. 
	</P
><P
>	  <DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/warning.gif"
HSPACE="5"
ALT="Warning"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>	      When chrooting PDNS, take care that backends will be able to get to their files. Many databases need access to a UNIX 
	      domain socket which should live within the chroot. It is often possible to hardlink such a socket into the chroot dir.
	    </P
><P
>	      When running with master or slave support, be aware that many operating systems need access to specific libraries
	      (ofen <TT
CLASS="FILENAME"
>/lib/libnss*</TT
>) in order to support resolution of domain names! You can also hardlink these.
	    </P
></TD
></TR
></TABLE
></DIV
>
	</P
><P
>	  The default PDNS configuration is best chrooted to <TT
CLASS="FILENAME"
>./</TT
>, which boils down to the configured location
	  of the controlsocket. 
	</P
><P
>	  This is achieved by adding the following to pdns.conf: <B
CLASS="COMMAND"
>chroot=./</B
>, and restarting PDNS.
	</P
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="syslog.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="considerations.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Operational logging using syslog</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Considerations</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional