Running BIND (DNS) as a non-root user

Question

Level 1

9 points

Running BIND (DNS) as a non-root user

On Mac OS X Server 10.3.x the named daemon runs as root. I would like to change this so that named runs as a user (with out a shell). On other flavors of Unix, this typically involves using the "-u" flag when starting named. However, I am still getting familiar with the Mac command line, and how system daemons are started.

XServe G5 Mac OS X (10.3.9)

XServe G5, Mac OS X (10.3.9)

Posted on Mar 16, 2006 6:10 AM

Reply

Answer 1

Camelot

Level 9

58,563 points

Mar 16, 2006 10:20 AM in response to enviromut

System services are handled by launchd.

If you look in /System/Library/LaunchDaemons/ you'll see a plist file for each service including org.isc.named.plist, the plist for named.

If you edit this file you'll see it's an XML document that describes the service and how the OS should handle it, including the part:

<key>ProgramArguments</key>
<array>
<string>/usr/sbin/named</string>
<string>-f</string>
</array>

Just append another entry in the array that says <string>-u nobody</string> (or whatever username you want to run as.

Reply

Answer 2

enviromut Author

Level 1

9 points

Mar 17, 2006 11:27 AM in response to Camelot

I think that system services are handled differently in 10.3, I cannot find the folder structure listed above. Thank you much for your input though.

Reply

Answer 3

Mar 17, 2006 11:34 PM in response to enviromut

Panther server uses the SystemStarter facility to control BIND, and the script it uses to start and stop it is in '/System/Library/StartupItems/BIND.' If you pop open that file, you'll see the 'Start Service ()' section, and you can add your -u switch to the named command in there.

MacBook Pro Mac OS X (10.4.4)

Reply