DNS HOWTO : Basic security options. : Running named as non-root
Previous: Protecting against spoofing
Next: A real domain example

6.3. Running named as non-root

It is a good idea to run named as a user other than root, so that if it is compromised the privileges gained by the cracker are as limited as possible. You first have to create a user and group for named to run under, and then modify whatever init script you use that starts named. Pass the new username and group to named using the -u and -g flags.

For example, in Debian GNU/Linux 2.2 you might modify your /etc/init.d/bind script to have the following line (where the user and group named have already been created):


start-stop-daemon --start --quiet --exec /usr/sbin/named -- -u named -g named
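The following shell script is an added example and is not part of the DNS HOWTO: it creates the unprivileged account the text refers to, builds the same start line shown above, and adds a check a defender would run afterwards to confirm that no named process is still running as root. It assumes a Linux host with shadow-utils (groupadd/useradd) and a procps-style ps; the user and group name "named" come from the HOWTO, while the home directory /var/named is an assumption.

```shell
#!/bin/sh
# Added example, not code from the DNS HOWTO. Assumes Linux with
# groupadd/useradd (shadow-utils) and a procps-style ps.

NAMED_USER=named     # user name used in the HOWTO's start line
NAMED_GROUP=named    # group name used in the HOWTO's start line
NAMED_HOME=/var/named   # assumption: where this example homes the account

# Create the group and a locked, shell-less system account for named.
# Idempotent: skips creation if the group or user already exists.
# Must be run as root.
create_named_account() {
    getent group "$NAMED_GROUP" >/dev/null 2>&1 || groupadd --system "$NAMED_GROUP"
    getent passwd "$NAMED_USER" >/dev/null 2>&1 || \
        useradd --system --gid "$NAMED_GROUP" --home-dir "$NAMED_HOME" \
                --shell /usr/sbin/nologin "$NAMED_USER"
}

# Print the start line the init script should contain; this mirrors the
# start-stop-daemon line quoted in the HOWTO.
named_start_command() {
    printf 'start-stop-daemon --start --quiet --exec /usr/sbin/named -- -u %s -g %s\n' \
        "$NAMED_USER" "$NAMED_GROUP"
}

# Read "USER COMMAND" lines on stdin (the format of `ps -eo user,comm`) and
# succeed only if at least one named process exists and every named
# process runs as $NAMED_USER. Any named process owned by another user,
# root in particular, makes the check fail.
check_named_user() {
    found=0
    while read -r user comm; do
        [ "$comm" = "named" ] || continue
        found=1
        if [ "$user" != "$NAMED_USER" ]; then
            echo "named is running as $user, expected $NAMED_USER" >&2
            return 1
        fi
    done
    [ "$found" -eq 1 ]
}

# Live check against the running system (run after the init script started named):
#   ps -eo user,comm | check_named_user && echo "named runs unprivileged"
```

The check reads ps output rather than trusting the init script, because a privilege drop only helps if it actually took effect; a named started by hand as root, or by a script that lost the -u flag, still shows up as root here. One caveat for newer servers: the -g group flag above matches the BIND 8 era the HOWTO describes, whereas in BIND 9 -g means "run in the foreground and log to stderr", so there only -u is passed and the process takes the group from that user's primary group.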

The same can be done with Red Hat and other distributions. Dave Lugo has described a secure dual-chroot setup at http://www.etherboy.com/dns/chrootdns.html, which you may find interesting to read.
