Difference between pages "Capabilities" and "Package:Bind"

Page: Capabilities

Linux ''capabilities'' provide a mechanism for granting a process a subset of root's privileges. This aims to improve security by limiting the privileges a process must hold (compared with holding all of root's privileges) and therefore the privileges that could be exploited.

== Requirements ==

Capabilities are fully supported by Linux since 2.6.24.

For capability bits to be assigned to files (as a replacement for setuid root), the underlying filesystem needs xattr support with the security namespace.

For capabilities to be stored inside .tar archives, the ''--xattrs'' option needs to be used. For capabilities to be '''extracted''' from .tar archives, ''--xattrs --xattrs-include=security.capability'' needs to be passed to the extraction command.

== Rationale ==

Capabilities are a preventive form of security. If a program is vulnerable, an attacker may be able to use the vulnerability to turn the program's root privileges to malicious ends. By limiting those privileges, capabilities reduce the risk associated with a vulnerability.

For example, the ''ping'' program needs to open a raw network socket, which is a privileged operation. To allow non-root users to use it, the setuid bit is set on the executable. This way, when run by an unprivileged user, ''ping'' automatically gains root privileges and can open the socket. However, this means that if a security vulnerability is found inside ''ping'', a user can exploit it to perform malicious actions with root privileges.

The alternative is to mark ''ping'' with the capability ''CAP_NET_RAW+pe'' (instead of setuid root). In this case, ''ping'' is given the capability to open raw network sockets without any other root privileges. If a security vulnerability is exploited, it can only be used to open raw network sockets but cannot, for example, access files belonging to other users.

Page: Package:Bind

{{Ebuild
|Summary=BIND - Berkeley Internet Name Domain - Name Server
|CatPkg=net-dns/bind
|Homepage=http://www.isc.org/software/bind
}}

BIND is a DNS server.

=== Installation ===

{{console|body=###i## emerge net-dns/bind}}

=== Local Caching Only Server ===

{{console|body=###i## echo 'dns_servers="127.0.0.1"' >> /etc/conf.d/net}}

{{file|name=/etc/bind/named.conf|lang=|desc=ensure local listening (inside the options block)|body=
listen-on-v6 { ::1; };
listen-on { 127.0.0.1; };
}}

{{file|name=/etc/bind/named.conf|lang=|desc=remove the /* */ comment markers that disable this block, optionally add your upstream DNS servers|body=
forward first;
forwarders {
// 123.123.123.123; // Your ISP NS
// 124.124.124.124; // Your ISP NS
// 4.2.2.1; // Level3 Public DNS
// 4.2.2.2; // Level3 Public DNS
8.8.8.8; // Google Open DNS
8.8.4.4; // Google Open DNS
};
}}

{{file|name=/etc/resolv.conf|lang=|desc=point the local resolver at BIND|body=
nameserver 127.0.0.1
}}

{{console|body=###i## rc-update add named default
###i## rc
}}

{{PageNeedsUpdates}}
{{EbuildFooter}}
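The file capability bits discussed on the Capabilities side live in the security.capability xattr, which is exactly what tar has to carry with --xattrs-include=security.capability. The following decoder is an added example (not part of either wiki page): it parses the kernel's vfs_cap_data layout and prints it in the CAP+flags notation the text uses, so it can be run on a binary before archiving and again after extraction to confirm the capability survived. The sample bytes are constructed to match what setcap cap_net_raw+pe would write.

```python
import struct

# Capability bit numbers as in <linux/capability.h>; bit 13 is cap_net_raw.
CAP_NAMES = (
    "cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill "
    "cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service "
    "cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner "
    "cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct "
    "cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time "
    "cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control "
    "cap_setfcap"
).split()
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # low bit of magic_etc: permitted caps are also effective


def decode_vfs_caps(raw):
    """Decode struct vfs_cap_data (little-endian) as stored in the security.capability xattr."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    version = magic_etc >> 24            # high byte of magic_etc is the revision (1, 2 or 3)
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    if version == 1:                      # one 32-bit permitted/inheritable pair
        permitted, inheritable = struct.unpack_from("<II", raw, 4)
    elif version in (2, 3):               # two pairs: low and high 32 bits of 64-bit masks
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", raw, 4)
        permitted, inheritable = p_lo | (p_hi << 32), i_lo | (i_hi << 32)
    else:                                 # version 3 also appends a root id, not needed here
        raise ValueError("unknown vfs_cap_data version %d" % version)
    return {"version": version, "effective": effective,
            "permitted": permitted, "inheritable": inheritable}


def format_caps(raw):
    """Render file caps in the CAP+flags notation used on this page, e.g. cap_net_raw+pe."""
    caps = decode_vfs_caps(raw)
    out = []
    for bit, name in enumerate(CAP_NAMES):
        flags = ""
        if caps["permitted"] >> bit & 1:
            flags += "p"
        if caps["inheritable"] >> bit & 1:
            flags += "i"
        if caps["effective"] and caps["permitted"] >> bit & 1:
            flags += "e"                  # the effective flag applies to every permitted cap
        if flags:
            out.append(name + "+" + flags)
    return ",".join(out) or "(no file capabilities)"


# Constructed sample: the xattr setcap writes for "cap_net_raw+pe" (revision 2 header).
SAMPLE_PING_CAPS = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)
```

On a live Linux system the raw bytes come from `os.getxattr(path, "security.capability")`, which raises OSError when the file carries no capability, for example after extracting an archive without --xattrs.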

Revision as of 13:42, February 5, 2015

net-dns/bind

Source Repository: Gentoo Portage Tree

Homepage: http://www.isc.org/software/bind

Summary: BIND - Berkeley Internet Name Domain - Name Server

Use Flags

dlz: Enables dynamically loaded zones (3rd-party extension)
filter-aaaa: Enable filtering of AAAA records over IPv4
fixed-rrset: Enables the fixed rrset-order option
gost: Enables GOST OpenSSL engine support
gssapi: Enable GSSAPI support
json: Enable the JSON statistics channel
nslint: Build and install the nslint utility
rpz: Enable response policy rewriting (RPZ)
urandom: Use /dev/urandom instead of /dev/random


Bind


BIND is a DNS server.

Installation

# emerge net-dns/bind


Local Caching Only Server

# echo 'dns_servers="127.0.0.1"' >> /etc/conf.d/net


/etc/bind/named.conf - ensure local listening (these statements belong inside the options { } block)

listen-on-v6 { ::1; };
listen-on { 127.0.0.1; };

/etc/bind/named.conf - remove the /* */ comment markers that disable this block, optionally add your upstream DNS servers

forward first;
forwarders {
	//	123.123.123.123;	// Your ISP NS
	//	124.124.124.124;	// Your ISP NS
	//	4.2.2.1;		// Level3 Public DNS
	//	4.2.2.2;		// Level3 Public DNS
		8.8.8.8;		// Google Open DNS
		8.8.4.4;		// Google Open DNS
};

/etc/resolv.conf - point the local resolver at BIND

nameserver 127.0.0.1
# rc-update add named default
# rc