Running the Name Server as a User Other than Root
7.9.1 Problem
You want to run a name server as a user other than root, so a hacker successfully breaking in through the named process doesn't have access to the host as root.
7.9.2 Solution
Add a passwd file entry for a new user whose only function is to run the name server. Call this user something descriptive, such as bind or named. A passwd entry for a bind user might look like this:
bind:*:53:53:BIND name server:/:/bin/nologin
Optionally, add a group file entry for a new group, to which this new user and any other users who are authorized to edit zone data files will belong.
Adjust the ownership and permission of files and directories to make sure that this user (and group, if you created one) can:
- Read, write and execute (search) named's working directory
- Read and write all zone data files
- Write to the /var/run directory (unless you've used the pid-file options substatement to change the PID file's path)
Once you've modified the environment as needed, start named with the -u command-line option, specifying as the option's argument the name or user ID of the user to run as. The first time you do it, check named's syslog output for any startup errors caused by permission problems. Once named starts cleanly, add the -u option to your system's startup scripts.
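A preflight check for the ownership and permission step above, added here as an example (it is not from the book or from BIND itself): it emulates the Unix mode-bit test for the user named will run as after -u, against the working directory, each zone data file and the PID directory, so permission problems can be found before the first start rather than in syslog. The user name "bind", the fixture paths and the modes are assumptions; build_demo_tree() constructs a throwaway tree for a stand-alone run.

```python
import grp
import os
import pwd
import tempfile

def _can(st, uid, gids, need):
    """Unix mode-bit check for a non-root uid/gids; need is an octal rwx mask (e.g. 0o6).
    Simplification: parent directories are not walked for search permission."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & 0o7) & need == need

def ids_for_user(name):
    """uid and the set of gids (primary plus supplementary) for a passwd entry."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}

def check_named_environment(workdir, zone_files, uid, gids, run_dir="/var/run"):
    """List the permission problems that would stop named running as uid/gids after -u:
    rwx on the working directory, rw on each zone file, wx on the PID directory."""
    problems = []
    if not _can(os.stat(workdir), uid, gids, 0o7):
        problems.append(f"{workdir}: user needs rwx on the working directory")
    for zf in zone_files:
        if not os.path.exists(zf):
            problems.append(f"{zf}: zone data file missing")
        elif not _can(os.stat(zf), uid, gids, 0o6):
            problems.append(f"{zf}: user needs rw on the zone data file")
    if not _can(os.stat(run_dir), uid, gids, 0o3):
        problems.append(f"{run_dir}: user needs wx to write the PID file")
    return problems

def build_demo_tree():
    """Constructed fixture: throwaway working directory, one zone file and a PID
    directory, owned by the current user with the modes the recipe calls for."""
    workdir = tempfile.mkdtemp(prefix="named-demo-")
    os.chmod(workdir, 0o750)
    zone = os.path.join(workdir, "db.example")
    open(zone, "w").close()
    os.chmod(zone, 0o640)
    run_dir = os.path.join(workdir, "run")
    os.mkdir(run_dir)
    os.chmod(run_dir, 0o775)     # mkdir's mode is subject to umask, so set it explicitly
    return workdir, [zone], run_dir

if __name__ == "__main__":
    # On the real host, run as root before starting named: uid, gids = ids_for_user("bind")
    workdir, zones, run_dir = build_demo_tree()
    print(check_named_environment(workdir, zones, os.getuid(), {os.getgid()}, run_dir) or "ok")
```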
7.9.3 Discussion
Note that, as long as named is configured to listen on port 53, the default port, it must be started by root, since port 53 is a privileged port. The -u option simply tells it to give up root privilege as soon as it's done what it needs to do as root.
As Section 7.8 says, name servers that run in a chroot() environment normally run as a non-root user, too, to prevent hackers from escaping the chroot() jail.
BIND 8 name servers also support a -g command-line option to set the name server's group ID. If -g isn't specified, the name server changes group to the primary group of the user specified in the -u option. BIND 9 name servers don't support -g, and always change group to the primary group of the user named in -u.
On a BIND 8 name server, you may also need to change the group membership and permissions of the ndc Unix domain socket in order to allow users in the bind group to write to it.
7.9.4 See Also
Section 1.21 for editing startup scripts, Section 7.8 for running a name server in a chroot() environment, and "Running BIND with Least Privilege" in Chapter 11 of DNS and BIND.