From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Wed 13 Nov 2002 - 02:27:54 GMT
On Thu, 24 Oct 2002, Paul Sladen wrote:
> On Wed, 23 Oct 2002, Burak wrote:
> > What are the risks of setting S_CAPS="CAP_SYS_RESOURCE"?
> The interesting point is that I've never run into this problem!
> I run Bind on several of my vservers--without the extra CAP_SYS_RESOURCE
> capabilities--and haven't experienced any problems. Having said that, these
> will all be the standard Debian shipments and I haven't looked into the
> issue more deeply, as to versions, or whether there are patches involved.
With today's security alerts on Bind4 -> Bind8 I decided to upgrade my boxes
to Bind9; and I did indeed hit this problem when trying to run Bind9 under
To quote Ellen Feiss: ``It was like ... a bummer.''
So, recompiling Bind9 with:
fixes this stupidity. Curse the bind8 exploits, curse the maintainers
who leave --enable-linux-caps on by default and curse the ISC coders for
putting it in there in the first place! :-)
Other than that, Bind9 is a drop-in config-compatible replacement for Bind8.
For those (like me) running Debian vservers who don't want to wait
for the Debian security updates; or just plain want to run Bind9 under
vservers, the following may be useful:
Add these lines to your `/etc/apt/sources.list'

    deb http://www.paul.sladen.org/debian woody/updates main
    deb-src http://www.paul.sladen.org/debian woody/updates main

Then, the usual:

    apt-get install bind9

Answer `N' to the config file question (it's a drop-in so you can keep the
existing `/etc/bind/named.conf'). Or to "dpkg -i" the .debs directly the
hard-way you seem to need the following:
Apologies for not having pre-built binaries for sparc and powerpc, or if you
don't have Debian! ;-)
PS. E&OE. Make a backup before you blame me. Rants about dodgy packages
to me. Rants about Debian --enable-linux-caps policy to Bdale Garbee.
-- Nottingham, GB
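
Added example, not part of the original message: a small shell check that decodes a capability mask (the CapBnd line that current Linux kernels expose in /proc/<pid>/status) and reports whether CAP_SYS_RESOURCE is available before a daemon is started inside a guest. Only CAP_SYS_RESOURCE comes from the thread; the other capability names in the table and the sample masks are assumptions chosen for illustration.

```shell
#!/bin/sh
# Decode a Linux capability mask and test for individual capabilities.

# Bit numbers as defined in <linux/capability.h>. Only CAP_SYS_RESOURCE is
# named in the thread; the rest are an illustrative selection (assumption).
cap_bit() {
    case "$1" in
        CAP_SETGID)           echo 6 ;;
        CAP_SETUID)           echo 7 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        CAP_SYS_CHROOT)       echo 18 ;;
        CAP_SYS_RESOURCE)     echo 24 ;;
        *) return 1 ;;
    esac
}

# mask_has_cap HEXMASK CAPNAME
# Exit status: 0 = bit set, 1 = bit clear, 2 = capability name not in table.
mask_has_cap() {
    bit=$(cap_bit "$2") || return 2
    [ $(( (0x$1 >> $bit) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK CAPNAME...
# Prints every listed capability that is absent from the mask (or unknown).
missing_caps() {
    mask=$1; shift
    for c in "$@"; do
        mask_has_cap "$mask" "$c" || printf '%s\n' "$c"
    done
}

# bounding_mask [PID]: print the CapBnd hex mask of a process (default: self).
bounding_mask() {
    awk '/^CapBnd:/ {print $2}' "/proc/${1:-self}/status"
}

# Report for the current context, if the kernel exposes the field.
if [ -r /proc/self/status ]; then
    m=$(bounding_mask)
    if [ -n "$m" ]; then
        if mask_has_cap "$m" CAP_SYS_RESOURCE; then
            echo "CAP_SYS_RESOURCE is in the bounding set ($m)"
        else
            echo "CAP_SYS_RESOURCE is NOT in the bounding set ($m)"
        fi
    fi
fi
```
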