zoneserver logfile question

Sam Trenholme strenholme.usenet at gmail.com
Tue Sep 8 13:54:24 EDT 2009


>What maradns (and many server programs like it) do is to start as root
>user, bind to one of those privileged ports, then once that socket is
>acquired, switch to a normal user (dropping root privileges) and continue
>running like that. In the event that someone find an exploit in the code
>now, they only have access to the files and processes that the maradns
>user has access to and can do far less harm than someone with root
>privileges.

To expand on what Remco has pointed out, on *NIX systems MaraDNS does
two things to minimize the chance of an exploit in the program
allowing control of the full system:

* MaraDNS drops superuser (root) privileges

* MaraDNS uses a *NIX feature called chroot() to minimize accesses to
the file system.

Note also, that in the over eight years of MaraDNS existence, no
attack vector against MaraDNS' code worse than denial of service has
been discovered, and no attacks have been discovered since 2007.
Programmers have learned a lot since the 1990s, and skilled
programmers know how to make code that doesn't allow anyone on the
internet full root control with a daemon (the days of things like
Sendmail's 'WIZ' backdoor are long-gone).

- Sam

Note: I do not answer MaraDNS support requests sent by private email
without being compensated for my time. I will discuss rates if you
want this kind of support. Thank you for your understanding.


More information about the list mailing list