COMMAND

    BIND

SYSTEMS AFFECTED

    Mandrake 6.1, 7.0

PROBLEM

    Nicolas Monnet found the following.  bind is run as user / group
    'root' in Mandrake 7.0 (Redhat6.x ?).  This is a surprising (if
    not stupid) setting given the fact that exploits exist that easily
    break out of any chroot jail in such a case; and that switching
    users is as easy as adding an option to named.  Especially given
    the infuriatingly poor security track record of named ...

SOLUTION

    RedHat 6.2 runs BIND as user/group "named".  Anybody who is
    serious about security and wants to run a DNS should take some
    basic security precautions: a chroot jail and a 'named' user (or
    at least running as a non-root user).  Those interested in more
    information and some good procedures should read this HOWTO:

        http://metalab.unc.edu/pub/Linux/docs/HOWTO/Chroot-BIND-HOWTO
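
    A quick way to check a host for the two precautions above, as an
    added example that is not part of the original advisory.  It
    assumes named's -u (user) and -t (chroot directory) options; the
    function names, PIDs and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit "user pid args" lines (as printed by
# `ps -eo user,pid,args`) for named processes that still run as root
# or were started without a chroot directory (-t).

# Constructed sample input; PIDs and paths are illustrative only.
sample_ps() {
    cat <<'EOF'
root   412 /usr/sbin/named
named  977 /usr/sbin/named -u named -g named -t /chroot/named
named 1203 named -u named
root    88 /sbin/syslogd
EOF
}

# Reads ps-style lines on stdin, prints one line per finding or "OK",
# and returns 1 if any named process is root or unjailed.
audit_named() {
    awk '
    BEGIN { bad = 0 }
    {
        user = $1; pid = $2
        n = split($3, parts, "/")
        if (parts[n] != "named") next          # not a named process

        # named accepts "-t dir" and the joined form "-tdir"
        jail = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "-t" && i < NF) jail = $(i + 1)
            else if ($i ~ /^-t./)     jail = substr($i, 3)
        }

        ok = 1
        # After a successful -u switch, ps reports the unprivileged user
        if (user == "root" || user == "0") { print pid, "RUNS_AS_ROOT"; ok = 0 }
        if (jail == "")                    { print pid, "NO_CHROOT";    ok = 0 }
        if (ok) print pid, "OK user=" user " chroot=" jail
        else    bad = 1
    }
    END { exit bad }'
}

# Stand-alone run over the constructed sample.
sample_ps | audit_named || echo "named hardening findings present"
```

    On a live host, feed it real data with
    `ps -eo user,pid,args | audit_named`.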

    Debian Slink and Potato (frozen) both install BIND 8.2.2R5 as
    root.

    For Mandrake, upgrade to:

        6.1/RPMS/bind-8.2.2P5-6mdk.i586.rpm
        6.1/RPMS/bind-devel-8.2.2P5-6mdk.i586.rpm
        6.1/RPMS/bind-utils-8.2.2P5-6mdk.i586.rpm
        6.1/SRPMS/bind-8.2.2P5-6mdk.src.rpm
        7.0/RPMS/bind-8.2.2P5-6mdk.i586.rpm
        7.0/RPMS/bind-devel-8.2.2P5-6mdk.i586.rpm
        7.0/RPMS/bind-utils-8.2.2P5-6mdk.i586.rpm
        7.0/SRPMS/bind-8.2.2P5-6mdk.src.rpm
        7.1/RPMS/bind-8.2.2P5-6mdk.i586.rpm
        7.1/RPMS/bind-devel-8.2.2P5-6mdk.i586.rpm
        7.1/RPMS/bind-utils-8.2.2P5-6mdk.i586.rpm
        7.1/SRPMS/bind-8.2.2P5-6mdk.src.rpm

    To upgrade automatically, use MandrakeUpdate.

    Those really interested in a secure DNS server ought to forget
    trying to secure BIND and use D. J. Bernstein's dnscache package
    instead:

        http://cr.yp.to/dnscache.html

    Its "regular" DNS server, tinydns, runs as a non-root user in a
    chrooted environment by default.  Read the website for more info
    about security, dnscache, and BIND.