projects / thirdparty / pdns.git / blame
| Commit | Line | Data |
|---|---|---|
| 0e2063c3 PL |
1 | Security of PowerDNS |
| 2 | ==================== | |
| 223bb49e PL |
3 | PowerDNS has several options to easily allow it to run more securely. |
| 4 | Most notable are the :ref:`setting-chroot`, :ref:`setting-setuid` and :ref:`setting-setgid` options. | |
| 5 | ||
| 0e2063c3 PL |
6 | For Security Advisories, see the :doc:`dedicated page <security-advisories/index>`. |
| 7 | ||
| 8 | .. _securitypolicy: | |
| 9 | ||
| 10 | .. include:: common/security-policy.rst | |
| 11 | ||
| 223bb49e PL |
12 | For additional information on PowerDNS security, PowerDNS security incidents and PowerDNS security policy, see :ref:`securitypolicy`. |
| 13 | ||
| 0e2063c3 PL |
14 | Securing the Process |
| 15 | -------------------- | |
| 16 | ||
| 223bb49e PL |
17 | Running as a less privileged identity |
| 18 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
| 19 | By specifying :ref:`setting-setuid` and :ref:`setting-setgid`, PowerDNS changes to this identity shortly after binding to the privileged DNS ports. | |
| 20 | These options are highly recommended. | |
| 21 | It is suggested that a separate identity is created for PowerDNS as the user 'nobody' is in fact quite powerful on most systems. | |
| 22 | ||
| 23 | Both these parameters can be specified either numerically or as real names. | |
| 24 | Set these parameters immediately if they are not set! | |
| 25 | ||
| 26 | Jailing the process in a chroot | |
| 27 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
| 28 | The :ref:`setting-chroot` option secures PowerDNS to its own directory so that even if it should become compromised and under control of external influences, it will have a hard time affecting the rest of the system. | |
| 29 | ||
| 30 | Even though this will hamper hackers a lot, chroot jails have been known to be broken. | |
| 31 | ||
| 0e2063c3 PL |
32 | .. warning:: |
| 33 | When chrooting The PowerDNS, take care that backends will be able to get to their files. Many databases need access to a UNIX domain | |
| 34 | socket which should live within the chroot. It is often possible to | |
| 35 | hardlink such a socket into the chroot dir. | |
| 223bb49e PL |
36 | |
| 37 | When running with master or slave support, be aware that many operating | |
| 38 | systems need access to specific libraries (often ``/lib/libnss*``) in | |
| 39 | order to support resolution of domain names! You can also hardlink | |
| 40 | these. | |
| 41 | ||
| 42 | In addition, make sure that ``/dev/log`` is available from within the chroot. | |
| 43 | Logging will silently fail over time otherwise (on logrotate). | |
| 44 | ||
| 45 | The default PowerDNS configuration is best chrooted to ``./``, which boils down to the configured location of the controlsocket. | |
| 46 | ||
| 47 | This is achieved by adding the following to pdns.conf: ``chroot=./``, and restarting PowerDNS. | |
| 48 | ||
| 49 | Security Considerations | |
| 50 | ----------------------- | |
| 51 | In general, make sure that the PowerDNS process is unable to execute commands on your backend database. | |
| 52 | Most database backends will only need SELECT privilege. | |
| 53 | Take care to not connect to your database as the 'root' or 'sa' user, and configure the chosen user to have very slight privileges. | |
| 54 | ||
| 55 | Databases empathically do not need to run on the same machine that runs PowerDNS! | |
| 56 | In fact, in benchmarks it has been discovered that having a separate database machine actually improves performance. | |
| 57 | ||
| 58 | Separation will enhance your database security highly. Recommended. | |
| 59 | ||
| 0e2063c3 PL |
60 | .. _securitypolling: |
| 61 | ||
| 62 | .. include:: common/secpoll.rst |