authorCan Erkin Acar <canacar@cvs.openbsd.org>2004-03-12 18:40:17 +0000
committerCan Erkin Acar <canacar@cvs.openbsd.org>2004-03-12 18:40:17 +0000
commitd8cac78d3ded828ac290d48b4bceae795b625c1b (patch)
treeaf78c6baf0750f2dbc6c41c372b23503444c0744 /usr.sbin/bind/bin/named
parent219726e2ed4752974040e1ef99dd506299841401 (diff)
Privilege separation for named. Allows named to handle address/interface
changes without restart. If you use non-standard ports in named configuration make sure they are > 1024. Also /var/named/etc/rndc.key (if any) must be readable by group named. Initial work and testing by itojun@, jakob@, hints, help from henning@, avsm@, beck@. ok henning, beck, avsm, deraadt
Diffstat (limited to 'usr.sbin/bind/bin/named')
-rw-r--r--usr.sbin/bind/bin/named/main.c12
-rw-r--r--usr.sbin/bind/bin/named/server.c4
2 files changed, 15 insertions, 1 deletions
diff --git a/usr.sbin/bind/bin/named/main.c b/usr.sbin/bind/bin/named/main.c
index 5a3ebbd4024..0eec853876d 100644
--- a/usr.sbin/bind/bin/named/main.c
+++ b/usr.sbin/bind/bin/named/main.c
@@ -31,6 +31,7 @@
#include <isc/hash.h>
#include <isc/os.h>
#include <isc/platform.h>
+#include <isc/privsep.h>
#include <isc/resource.h>
#include <isc/task.h>
#include <isc/timer.h>
@@ -511,7 +512,9 @@ setup(void) {
}
#endif
+#if 0 /* Not used due to privsep */
ns_os_chroot(ns_g_chrootdir);
+#endif
/*
* For operating systems which have a capability mechanism, now
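Review bot: With `ns_os_chroot(ns_g_chrootdir)` compiled out here, nothing visible in this commit passes `ns_g_chrootdir` to the new privsep code; `isc_drop_privs()` in the later hunk receives only `ns_g_username`. If the chroot directory is now fixed or derived from the user's account, a `-t` value would be silently ignored. It is worth warning on a non-default `ns_g_chrootdir`, or at least saying so in the guard, e.g. `#if 0 /* chroot is now done by isc_drop_privs(); ns_g_chrootdir is not used */`. setup() starts and ends outside this hunk, so other users of the variable may exist.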
@@ -538,6 +541,15 @@ setup(void) {
if (!ns_g_foreground)
ns_os_daemonize();
+ /*
+ * Privilege separation
+ */
+ isc_priv_init(ns_g_logstderr);
+ isc_drop_privs(ns_g_username);
+ isc_socket_privsep(1);
+
+ /* process is now unprivileged and inside a chroot */
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version,
saved_command_line);
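Review bot: The three privsep calls added before the "starting BIND" log line are made without any visible result check, while both older paths (`ns_os_chroot` in the previous hunk and `ns_os_changeuser` in server.c) are disabled. Their prototypes live in `<isc/privsep.h>`, which is not shown; if `isc_drop_privs()` can return after failing (unknown user, chroot or setuid error), named would keep running as root outside a chroot while the comment claims otherwise. Either check a status and abort startup, or document the contract where the claim is made, e.g. `/* isc_drop_privs() does not return on failure; process is now unprivileged and inside a chroot */`. It is also worth confirming that `ns_g_username` cannot be NULL here when no `-u` is given.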
diff --git a/usr.sbin/bind/bin/named/server.c b/usr.sbin/bind/bin/named/server.c
index fee23ff2c15..e0449007e85 100644
--- a/usr.sbin/bind/bin/named/server.c
+++ b/usr.sbin/bind/bin/named/server.c
@@ -2069,10 +2069,12 @@ load_configuration(const char *filename, ns_server_t *server,
}
/*
- * Relinquish root privileges.
+ * Relinquish root privileges. Not used due to privsep
*/
+#if 0
if (first_time)
ns_os_changeuser();
+#endif
/*
* Configure the logging system.
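Review bot: The `#if 0` block keeps a `first_time`-guarded call that can no longer run, and the amended comment does not say where privileges are dropped now. Since the drop has moved to setup() in main.c, the whole configuration load (including key files and listener setup) appears to run unprivileged, which matches the port and rndc.key caveats in the commit message. A comment such as `/* Privileges are dropped in setup() via isc_drop_privs() before configuration is loaded; ns_os_changeuser() is intentionally unused. */` would record that ordering for whoever next merges upstream changes. load_configuration() begins and ends outside this hunk.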