Bug 427826

Summary: too restrictive file modes on various files in the BIND package
Product: [Fedora] Fedora
Reporter: Charles R. Anderson <cra>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 9
CC: ovasik
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-05-14 10:46:40 UTC

Description Charles R. Anderson 2008-01-07 18:22:26 UTC
Description of problem:

Many of the binaries in /usr/sbin/ are set to mode 750.  This isn't necessary
and causes problems (e.g. coredumps may not be created for binaries that aren't
world readable).  There is no security benefit to making regular (non-suid)
binaries in /usr/sbin/ restricted.

Other files have restrictive modes that should be reviewed to see if they are
really necessary, such as the configuration files (not private key data files),
logrotate configuration, stock/cached zone files, initscript, etc.

Version-Release number of selected component (if applicable):
9.5.0-23.b1.fc9
  
Actual results:

-rw-r-----    1 root    named             163 Dec 27 10:24 /etc/logrotate.d/named
-rw-r-----    1 root    named             997 Jun 14  2007 /etc/named.conf
-rw-r-----    1 root    named             931 Jun 21  2007 /etc/named.rfc1912.zones
-rwxr-xr--    1 root    root             6146 Dec 27 10:24 /etc/rc.d/init.d/named
-rw-r-----    1 root    named               0 Dec 27 10:24 /etc/rndc.conf
-rw-r-----    1 root    named             602 Dec 27 10:24 /etc/sysconfig/named
-rwxr-x---    2 root    root           424996 Dec 27 10:24 /usr/sbin/lwresd
-rwxr-x---    2 root    root           424996 Dec 27 10:24 /usr/sbin/named
-rwxr-x---    1 root    root             7382 Dec 27 10:24 /usr/sbin/named-bootconf
lrwxr-x---    1 root    root               15 Dec 27 10:24 /usr/sbin/named-compilezone -> named-checkzone
-rwxr-x---    1 root    root            25968 Dec 27 10:24 /usr/sbin/rndc
-rwxr-x---    1 root    root            13684 Dec 27 10:24 /usr/sbin/rndc-confgen

Expected results:

I would expect at least all the binaries and initscripts to be mode 755.  The
config files are less of a concern, but may be overly restrictive.

Comment 1 Adam Tkac 2008-01-14 14:50:17 UTC
You're right, there's really no benefit from 750 perms on binaries. But
config files (named.conf and all /var/named structure) should be readable only
by the named group and root.

Comment 2 Bug Zapper 2008-05-14 04:19:43 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Adam Tkac 2008-05-14 10:46:40 UTC
Fixed in bind-9.5.0-33.rc1.fc10
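
Added example, not part of the original bug report or of the Fedora bind package: a shell check that reads `ls -l`-style lines and flags files that deviate from the two positions taken in this thread (755 for non-suid binaries and initscripts, no world access for named.conf and /var/named). The function names, the finding labels and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ls -l`-style lines against the modes discussed in this bug.
# Policy (from the report and Comment 1; the script itself is an assumption):
#   - non-suid files in /usr/sbin/ and /etc/rc.d/init.d/ should be rwxr-xr-x (755)
#   - /etc/named.conf and everything under /var/named must have no "other" access

audit_modes() {
    awk '
    $1 ~ /^l/ { next }                     # symlink modes are not meaningful
    NF < 9    { next }                     # not a long-listing line
    {
        mode = $1; path = $NF
        perms = substr(mode, 2, 9)         # rwxrwxrwx part, drops any "." or "+"
        other = substr(perms, 7, 3)
        if (path ~ /^\/usr\/sbin\// || path ~ /^\/etc\/rc\.d\/init\.d\//) {
            if (perms ~ /[sS]/) next       # suid/sgid files are outside this policy
            if (perms != "rwxr-xr-x")
                print "NOT_755 " path " " perms
        } else if (path == "/etc/named.conf" || path ~ /^\/var\/named(\/|$)/) {
            if (other != "---")
                print "WORLD_ACCESS " path " " perms
        }
    }'
}

# Constructed sample input, modelled on the listing in the report.
sample_listing() {
    cat <<'EOF'
-rw-r-----    1 root    named     997 Jun 14  2007 /etc/named.conf
-rwxr-x---    2 root    root   424996 Dec 27 10:24 /usr/sbin/named
-rwxr-xr-x    1 root    root    25968 Dec 27 10:24 /usr/sbin/rndc
-rwxr-xr--    1 root    root     6146 Dec 27 10:24 /etc/rc.d/init.d/named
-rw-r--r--    1 named   named     152 Jun 21  2007 /var/named/named.localhost
lrwxr-x---    1 root    root       15 Dec 27 10:24 /usr/sbin/named-compilezone -> named-checkzone
EOF
}

sample_listing | audit_modes
```

On an RPM-based system the same function can be fed the modes recorded in the package with `rpm -qlv bind | audit_modes`, since `rpm -qlv` prints a long listing in this format.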