Univention Bugzilla – Bug 51237
BIND named runs as root
Last modified: 2020-05-07 08:55:00 CEST
Running network-facing services needlessly as user "root" is a CWE-272 violation of the "Principle of least privilege":

    # ps u $(pidof named)
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 1164 0.0 1.0 722464 10336 ? Ssl Mai04 0:31 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0

This is probably required because named opens the Samba databases directly:

    # lsof -p $(pidof named) -a -d 10-16
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    named 1164 root 10u REG 254,0 4247552 538095 /var/lib/samba/private/sam.ldb
    named 1164 root 11u REG 254,0 4247552 538100 /var/lib/samba/private/sam.ldb.d/DC=PHAHN,DC=DEV.ldb
    named 1164 root 12u REG 254,0 8306688 538101 /var/lib/samba/private/sam.ldb.d/CN=CONFIGURATION,DC=PHAHN,DC=DEV.ldb
    named 1164 root 13u REG 254,0 8306688 538102 /var/lib/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=PHAHN,DC=DEV.ldb
    named 1164 root 14u REG 254,0 4247552 538112 /var/lib/samba/private/sam.ldb.d/DC=DOMAINDNSZONES,DC=PHAHN,DC=DEV.ldb
    named 1164 root 15u REG 254,0 4247552 538113 /var/lib/samba/private/sam.ldb.d/DC=FORESTDNSZONES,DC=PHAHN,DC=DEV.ldb
    named 1164 root 16u REG 254,0 421888 538097 /var/lib/samba/private/sam.ldb.d/metadata.tdb

See Bug #25358 comment 12 for the explanation. Nevertheless the service should not run as user "root" but use a dedicated local user account, as plain Debian already does:

    # ps u $(pidof named)
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    bind 895 0.0 0.1 680500 46548 ? Ssl Feb10 11:51 /usr/sbin/named -u bind
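An added check for the least-privilege condition described above (example code, not part of this bug report or of Univention/Debian packaging): it reads `ps u` output and flags listed network-facing daemons whose USER column is root, plus a /proc-based variant for a live PID. The daemon list and the sample ps lines are constructed for the demonstration.

```shell
#!/bin/sh
# Daemons expected to run under a dedicated account (assumed list for the demo).
NET_DAEMONS="named sshd apache2 slapd smbd"

# Read `ps u` output on stdin; print "<daemon> pid <pid> runs as root" for
# every listed daemon whose USER column is root. Exit status 1 if any found,
# 0 otherwise, so it can be used as a check in a script or monitoring job.
flag_root_daemons() {
    awk -v list="$NET_DAEMONS" '
        BEGIN { n = split(list, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        NR > 1 && $1 == "root" {
            cmd = $11; sub(/.*\//, "", cmd)          # basename of COMMAND column
            if (cmd in want) { print cmd " pid " $2 " runs as root"; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Live variant independent of ps: print the real UID of a running PID from
# /proc/<pid>/status; exit status 1 if it is 0 (root).
#   proc_uid "$(pidof named)"
proc_uid() {
    awk '/^Uid:/ { print $2; exit ($2 == 0) }' "/proc/$1/status"
}

# Constructed sample: the root-owned named from this report, Debian's
# "-u bind" instance, and an unrelated root process that must not be flagged.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1164 0.0 1.0 722464 10336 ? Ssl Mai04 0:31 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0
bind 895 0.0 0.1 680500 46548 ? Ssl Feb10 11:51 /usr/sbin/named -u bind
root 1 0.0 0.2 169000 9000 ? Ss Mai04 0:05 /sbin/init'

# Run the check over the constructed sample; prints one finding for pid 1164.
demo() {
    printf '%s\n' "$SAMPLE_PS" | flag_root_daemons
}
```

On a real host, pipe `ps u $(pidof named)` (or `ps axu`) into `flag_root_daemons` instead of the sample.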