From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Wed 13 Nov 2002 - 02:27:54 GMT
On Thu, 24 Oct 2002, Paul Sladen wrote:
> On Wed, 23 Oct 2002, Burak wrote:
> > What is the risks to set S_CAPS="CAP_SYS_RESOURCE"
>
> The interesting point is that I've never run into this problem!
> I run Bind on several of my vservers--without the extra CAP_SYS_RESOURCE
> capabilities--and haven't experienced any problems. Having said that, these
> will all be the standard Debian shipments and I haven't looked into the
> issue more deeply, as to versions, or whether there are patches involved.
With today's security alerts on Bind4 -> Bind8 I decided to upgrade my boxes
to Bind9; and I did indeed hit this problem when trying to run Bind9 under
vservers.
To quote Ellen Feiss: ``It was like ... a bummer.''
So, recompiling Bind9 with:
./configure --disable-linux-caps
fixes this stupidity. Curse the bind8 exploits, curse the maintainers
who leave --enable-linux-caps on by default and curse the ISC coders for
putting it in there in the first place! :-)
Other than that, Bind9 is a drop-in config-compatible replacement for Bind8.
For those (like me) running Debian vservers who don't want to wait
for the Debian security updates; or just plain want to run Bind9 under
vservers, the following may be useful:
Add these lines to your `/etc/apt/sources.list'
deb http://www.paul.sladen.org/debian woody/updates main
deb-src http://www.paul.sladen.org/debian woody/updates main
Then, the usual:
apt-get update
apt-get install bind9
Answer `N' to the config file question (it's a drop-in so you can keep the
existing `/etc/bind/named.conf'). Or to "dpkg -i" the .debs directly the
hard way you seem to need the following:
http://www.paul.sladen.org/debian/bind9.nocapset/libisccc0_9.2.1-2.woody.1.nocapset_i386.deb
http://www.paul.sladen.org/debian/bind9.nocapset/libisccfg0_9.2.1-2.woody.1.nocapset_i386.deb
http://www.paul.sladen.org/debian/bind9.nocapset/bind9_9.2.1-2.woody.1.nocapset_i386.deb
Apologies for not having pre-built binaries for sparc and powerpc, or if you
don't have Debian! ;-)
-Paul
PS. E&OE. Make a backup before you blame me. Rants about dodgy packages
to me. Rants about Debian --enable-linux-caps policy to Bdale Garbee.
-- Nottingham, GB
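An added check, not from Paul's mail or the vserver project: a POSIX shell script that tests whether a capability such as CAP_SYS_RESOURCE (number 24 in linux/capability.h) is present in the CapEff mask that /proc/<pid>/status reports, so you can see what a context actually grants before adding anything to S_CAPS. CAP_SETUID and CAP_NET_BIND_SERVICE are included only as further bits to test, not as a statement of what Bind9 requires.

```shell
#!/bin/sh
# Added example: not from the original mail or the vserver project.
# Tests whether a capability bit is set in a CapEff mask as printed in
# /proc/<pid>/status, e.g. "CapEff: 0000000001000000".
# Capability numbers are those in linux/capability.h.
CAP_SETUID=7
CAP_NET_BIND_SERVICE=10
CAP_SYS_RESOURCE=24

# has_cap HEXMASK CAPNUM -> exit status 0 if bit CAPNUM is set in HEXMASK.
# Works one hex digit at a time, so it does not need 64-bit shell arithmetic.
has_cap() {
    mask=$1 cap=$2
    case $mask in 0x*|0X*) mask=${mask#??} ;; esac   # drop optional 0x prefix
    digit_idx=$((cap / 4))     # hex digit, counted from the right (0-based)
    bit=$((cap % 4))           # bit within that digit
    len=${#mask}
    [ "$digit_idx" -lt "$len" ] || return 1   # mask too short: bit is absent
    digit=$(printf '%s' "$mask" | cut -c "$((len - digit_idx))")
    [ $(( (0x$digit >> bit) & 1 )) -eq 1 ]
}

# cap_eff [PID] -> the CapEff mask of PID (default: the calling shell),
# i.e. the effective capabilities available in the current context.
cap_eff() {
    awk '$1 == "CapEff:" { print $2 }' "/proc/${1:-self}/status"
}

# check_cap HEXMASK NAME CAPNUM -> prints "present"/"missing" and returns
# 0 or 1 accordingly; use it to audit a context before touching S_CAPS.
check_cap() {
    if has_cap "$1" "$3"; then
        printf '%-20s present\n' "$2"; return 0
    else
        printf '%-20s missing\n' "$2"; return 1
    fi
}

# Stand-alone use: `sh caps.sh --audit` audits the current context
# (Linux only, needs a readable /proc/self/status).
if [ "${1:-}" = "--audit" ] && [ -r /proc/self/status ]; then
    mask=$(cap_eff)
    echo "CapEff: $mask"
    check_cap "$mask" CAP_SETUID "$CAP_SETUID"
    check_cap "$mask" CAP_NET_BIND_SERVICE "$CAP_NET_BIND_SERVICE"
    check_cap "$mask" CAP_SYS_RESOURCE "$CAP_SYS_RESOURCE"
fi
```

Run it inside the vserver context in question; a "missing" line for CAP_SYS_RESOURCE shows why a Bind9 built with --enable-linux-caps fails there, and what adding it to S_CAPS would actually grant.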