Alfred is absolutely right. I forgot how little what I first wrote
references this; I've added a paragraph to make more clear that this
is not a real fix, but a temporary hack.
I'm working on a paper on the topic of DNS, and working on some kernel
hacks to allow a special user or group (other than root) to bind to
low numbered ports. Another way to deal with the problem is to use a
packet filter that does port translation so that the DNS server can
live on a high numbered port (e.g., 5353), and still appear to be on
port 53. Both these allow you to run the DNS server as an unprivileged
user in a chroot jail.
Sorry, the kernel kludges are not available.
Alfred Huger wrote:
| > there is no egg* to overflow and break a chroot. Thus, if you don't
| > put CHROOT/bin/sh in place, the standard attacks will fail, but a
| > smart attacker can still get in. In practicality, there are few smart
| > attackers.
| It only takes *one* smart attacker with a subscription to Bugtraq and a
| predilection to share his or her work. The l0pht (which you referenced) is
| a perfect example of this.
"It is seldom that liberty of any kind is lost all at once."
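The post above describes two ways to get a DNS server onto port 53 without leaving it running as root in its chroot jail. The example below is added here and is not code from the post or from any DNS server; it shows the third, kernel-independent way of achieving the same end: bind the port 53 socket while still root, then chroot and drop to an unprivileged uid/gid, and verify afterwards that root cannot be regained. The jail path /var/named and the uid/gid 53 are hypothetical placeholders. A process that stays root inside a chroot is not really jailed (root can create a directory, chroot into it again and walk back up), so the drop and its verification are the part that matters.

```c
/* Bind UDP port 53 as root, then chroot, drop privileges and verify.
 * Added example, not code from the original post. The jail directory
 * and uid/gid 53 are hypothetical placeholders. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_status {
    JAIL_OK = 0,
    JAIL_ERR_ROOT_TARGET,      /* refused: asked to "drop" to uid or gid 0 */
    JAIL_ERR_CHROOT,           /* chroot(2) failed: not root, or no such dir */
    JAIL_ERR_CHDIR,            /* chdir("/") failed; cwd would be outside */
    JAIL_ERR_GROUPS,           /* setgroups(2) failed */
    JAIL_ERR_SETGID,
    JAIL_ERR_SETUID,
    JAIL_ERR_STILL_PRIVILEGED  /* root could still be regained after the drop */
};

/* Bind a UDP socket to addr:port. Done before the privilege drop, so the
 * listener owns port 53 with no kernel change and no port translation.
 * Returns the descriptor, or -1 with errno set. */
int bind_udp_socket(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Enter the jail and give up root, in the order that matters: chroot,
 * then chdir into it, then supplementary groups, then gid, then uid.
 * Finally prove the drop took by trying to get root back. */
enum jail_status drop_to_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return JAIL_ERR_ROOT_TARGET;   /* root inside a chroot is not a jail */
    if (chroot(jail) != 0)
        return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;         /* otherwise cwd still points outside */
    if (setgroups(0, NULL) != 0)
        return JAIL_ERR_GROUPS;        /* shed inherited supplementary groups */
    if (setgid(gid) != 0)
        return JAIL_ERR_SETGID;        /* gid while still root, uid last */
    if (setuid(uid) != 0)
        return JAIL_ERR_SETUID;
    /* Sanity checks: none of these may succeed once root is really gone. */
    if (setuid(0) == 0 || setgid(0) == 0 || seteuid(0) == 0)
        return JAIL_ERR_STILL_PRIVILEGED;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return JAIL_ERR_STILL_PRIVILEGED;
    return JAIL_OK;
}

int main(void)
{
    const char *jail = "/var/named";   /* hypothetical jail directory */
    int fd = bind_udp_socket("0.0.0.0", 53);
    if (fd < 0) {
        perror("bind port 53 (must be started as root)");
        return 1;
    }
    enum jail_status st = drop_to_jail(jail, 53, 53);
    if (st != JAIL_OK) {
        fprintf(stderr, "privilege drop failed (status %d): %s\n",
                (int)st, strerror(errno));
        return 1;                      /* never keep serving as root */
    }
    printf("serving on fd %d as uid %d inside %s\n",
           fd, (int)getuid(), jail);
    close(fd);
    return 0;
}
```

The bound descriptor survives the drop, so the server code that follows runs with no privilege to lose and no way out of the jail through a second chroot; on a drop failure the process must exit rather than continue as root.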