Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Securing BIND | 181
BIND v9 supports the -u flag only for Linux systems running kernel Version 2.3.99-pre3 or later (in real terms, Version 2.4 or later). That means that if you’re still running a 2.2 kernel for some reason, you can’t run BIND v9 as a non-root user.
But there’s no reason you should still be clinging to Linux 2.2. At this writing (October 2004), Linux’s 2.4 kernel has benefitted from nearly four years of tweaks and improvements; it no longer has anything to prove with regard to stability and security. You really ought to be running 2.4 kernels on your Linux bastion servers.
The -g option in BIND v8 causes named to run under the specified group name. This option has been dropped in BIND v9, since it would be unusual to run named, which has the privileges of a specified user, with the privileges of some group other than the specified user’s. In other words, the group you chose when you created named’s unprivileged user account is the group whose ID named runs under in BIND v9.
The -t option changes (chroots) the root of all paths referenced by named. Note that when chrooting named, this new root is applied even before named.conf is read, which is why we must also use the -c option to specify the location of named’s configuration file.
In other words, if you invoke named ...
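The point that -t takes effect before named.conf is read is where chrooted BIND setups most often go wrong: the path given to -c is resolved inside the new root, so a file that exists at /etc/named.conf on the host is invisible to named if it is not also at CHROOT/etc/named.conf. The following preflight script is an added example, not code from the book or from BIND itself; the chroot directory, the config path and the unprivileged user name named are assumptions. It checks the layout that -t and -c imply and only then prints the invocation you would start the daemon with.

```shell
#!/bin/sh
# Added example (not from the book): sanity-check a chrooted named layout
# before starting the daemon. The chroot directory, config path and the
# "named" user passed in by the caller are assumptions for illustration.

# named_chroot_check CHROOT CONFIG_PATH_INSIDE_CHROOT
#   CONFIG_PATH_INSIDE_CHROOT is the path as named sees it after -t,
#   e.g. /etc/named.conf, which must therefore exist at CHROOT/etc/named.conf.
# Returns 0 when the layout is consistent, non-zero with a reason on stderr.
named_chroot_check() {
    chroot_dir=$1
    conf_inside=$2

    # The new root must be an existing directory.
    [ -d "$chroot_dir" ] || {
        echo "chroot $chroot_dir is not a directory" >&2; return 1; }

    # -c is interpreted relative to the new root, so demand an absolute path;
    # a relative one silently depends on named's working directory.
    case "$conf_inside" in
        /*) ;;
        *) echo "config path '$conf_inside' must be absolute inside the chroot" >&2
           return 2 ;;
    esac

    # The config must exist under the chroot, not merely on the host root.
    conf_on_host="$chroot_dir$conf_inside"
    [ -e "$conf_on_host" ] || {
        echo "missing $conf_on_host (named will not see host /etc)" >&2; return 3; }

    # Reject a symlinked config: inside the chroot a link target outside
    # the new root cannot be followed, and on the host it can point anywhere.
    [ ! -L "$conf_on_host" ] || {
        echo "$conf_on_host is a symlink; copy the file into the chroot" >&2; return 4; }

    # named needs to read it; a regular, non-empty file is the minimum.
    [ -s "$conf_on_host" ] || {
        echo "$conf_on_host is empty or not a regular file" >&2; return 5; }

    return 0
}

# named_cmdline CHROOT CONFIG_PATH_INSIDE_CHROOT USER
# Prints the named invocation (-u, -t and -c together, as the text describes)
# only if the chroot layout passes the checks above.
named_cmdline() {
    named_chroot_check "$1" "$2" || return $?
    printf 'named -u %s -t %s -c %s\n' "$3" "$1" "$2"
}

# Example usage (assumed paths): build a throwaway chroot and check it.
if [ "${0##*/}" = "named-preflight.sh" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/etc"
    printf 'options { directory "/"; };\n' > "$demo/etc/named.conf"
    named_cmdline "$demo" /etc/named.conf named
    rm -rf "$demo"
fi
```

The script deliberately does not inspect the host's /etc/named.conf at all: once -t is in effect, the only configuration that matters is the copy under the chroot, and treating the host file as authoritative is exactly the mistake the check is meant to catch.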