DNS SNDMAIL SQUID service in nonrootuser

By bubloo
Dear all

I am having Redhat 7.1, I am running DNS, Sendmail, samba and squid services. The problem is, all these services are running in the root account. I am wondering, this is very easy for hackers to gain root privilege. I am not familiar with any firewall. I want to run these services as a non-root user. Later I will configure a firewall. How are corporates running these services (in root a/c ??!!). Most of the time I will be online also. Please give a solution to me...


DNS SNDMAIL SQUID service in nonrootuser

by paulo.sedrez In reply to DNS SNDMAIL SQUID service ...

It is a misconception: these services start as root, but they change to a non-privileged account as soon as possible:

- DNS (named) runs as "named:named" (that is, user:group; configurable, parameter -u on command line);

- squid runs as "squid:squid" (configurable, parameters cache_effective_user and cache_effective_group in /etc/squid/squid.conf, this is the default);

- sendmail runs as "mail:mail" (configurable, option DefaultUser in /etc/sendmail.cf);

- samba (smbd) changes to the uid:gid of the user who logged in as soon as it is authenticated; if it uses "security=share", you can use "force user" to specify an alternate user name.

As you can see, it is just a matter of configuration. These various daemons need to be started as root because they have to bind to privileged (below 1024) ports to attend the various services; once they do this, they change to a common user.

If you still feel unsafe about certain services, especially online on the Internet, I suggest you bind the services only to the internal network and loopback (127.0.0.1):

- on named, file "named.conf", section "options", clause "listen-on";

- on samba, file "/etc/samba/smb.conf", section "global", clause "interfaces"; additionally, set "bind interfaces only = Yes";

- on squid, file "/etc/squid/squid.conf", option "http_port";

- on sendmail, file "/etc/sendmail.cf", option "DaemonPortOptions".

Please check the documentation on these options for details.

--Sedrez
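A small audit script, added here as an example and not part of the reply above, that checks the two things Sedrez recommends verifying: which accounts each of the four daemons actually has processes under, and which listeners are still bound to every interface instead of loopback or the internal address. It assumes the column layouts of `ps -eo user,comm` and `ss -lntp` (netstat -lntp is similar but the columns differ); the sample outputs embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Usage on a live host:
#   ps -eo user,comm | daemon_users
#   ss -lntp         | wildcard_listeners
# The SAMPLE_* strings below are constructed, not real captures.

# For named, squid, sendmail and smbd, list every distinct account the daemon
# has processes under. The process that bound a privileged port may still show
# as root; what you want to see is a worker under the non-root account too.
daemon_users() {
    awk '($2 == "named" || $2 == "squid" || $2 == "sendmail" || $2 == "smbd") &&
         !seen[$2, $1]++ { users[$2] = users[$2] " " $1 }
         END { for (d in users) print d ":" users[d] }' | sort
}

# List TCP listeners bound to all interfaces (0.0.0.0, *, or [::]) with the
# owning process; these are the ports not yet limited by listen-on,
# interfaces, http_port or DaemonPortOptions.
wildcard_listeners() {
    awk 'NR > 1 && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^\*:/ || $4 ~ /^\[::\]:/) {
             n = $6; sub(/^users:\(\("/, "", n); sub(/".*/, "", n)
             print $4, n
         }'
}

# Constructed `ps -eo user,comm` sample: named and squid have a non-root
# worker, sendmail and smbd currently show only a root process.
SAMPLE_PS='USER     COMMAND
root     named
named    named
root     squid
squid    squid
root     sendmail
root     smbd
root     sshd'

# Constructed `ss -lntp` sample: named and smbd are already limited to
# loopback / the LAN address, squid and sendmail still listen everywhere.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      10     127.0.0.1:53        0.0.0.0:*         users:(("named",pid=812,fd=20))
LISTEN 0      10     192.168.1.10:53     0.0.0.0:*         users:(("named",pid=812,fd=21))
LISTEN 0      128    0.0.0.0:3128        0.0.0.0:*         users:(("squid",pid=901,fd=11))
LISTEN 0      10     0.0.0.0:25          0.0.0.0:*         users:(("sendmail",pid=950,fd=4))
LISTEN 0      50     192.168.1.10:139    0.0.0.0:*         users:(("smbd",pid=1001,fd=30))'

printf '%s\n' "$SAMPLE_PS" | daemon_users
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
```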
