Bug 8584
| Summary: | security problems with bind & caching-nameserver | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | kyle |
| Component: | caching-nameserver | Assignee: | Cristian Gafton <gafton> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1 | Keywords: | FutureFeature |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2000-02-04 02:06:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Bind 8.2.2-P5 is in Raw Hide; it contains no security fixes over the P3 (which is actually P4, apologies for the confusion) that shipped as an errata. A lot of people are using the caching nameserver setup as a departamental nameserver and the changes proposed will break that setup. Fiurthermore, adding another package that deals with the same problem of a caching nameserver is only a potential source of more confusion for the new users, whcih will ask themselves which package do they need. Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/8fb838f02bb5a7c6b50e476d40b17d38216da873 Merge pull request #8586 from soltysh/issue8584 Merged by openshift-bot |
Others have already pointed out the value of running the named service non-root and chroot'ed. These changes alone would have avoided the recent and widespread ADMROCKS remote root exploits. And, it is trivial to make named drop root privileges; I am embarrassed that I didn't check it and disappointed that RedHat didn't either, given the ubiquity of named. There is another way in which ADMROCKS and other remote named exploits can be avoided completely for -some- users, such as PPP or end-of-the-line users. Namely those of us with cachine-only nameservers probably do -not- want to provide DNS service to the world. So I suggest a "caching-and-local-only" RPM which would refuse all DNS requests, except those from localhost. This is so simple. Just add listen-on { 127.0.0.1; }; to the "options" phrase of /etc/named.conf. This would protect a lot of people at very low cost and enhance RedHat's reputation as a security-conscious distribution. Of course, there may still be a need for the existing caching-only RPM, but given the currently unsafe privileges of named, the out-of-the-box defaults are very unsafe. See the redhat-security list for the imapact of this combination of problems. One more thing. Mandrake (based on RedHat, I think) had bind 8.2.2-P5 RPM-ified just days after RedHat had bind 8.2.2-P3 RPM-ified, around November 17, 1999. RedHat still does not seem to have patchlevel 5 RPM-ified. This is disappointing, given how remarkably cleanly it compiles on RedHat 6.x. Please keep up the good work and better, Kyle Ferrio