Description of problem:
/var/named/chroot/etc/named.conf and friends should not be writable by user named, to prevent malicious changes of persistent configuration data even if s.o. manages to gain named's privileges.

Version-Release number of selected component (if applicable):
9.2.2.P3-9

How reproducible:
ls -l /var/named/chroot/etc

Steps to Reproduce:
1.
2.
3.

Actual results:
-rw-r--r-- 1 named named 1267 Jan 8 13:16 localtime
-rwxr-x--- 1 named named 0 Jan 8 13:16 named.conf
-rw-r--r-- 1 named named 241 Jan 8 13:16 named.custom
-rw-r----- 1 named named 132 Jan 8 13:16 rndc.key

Expected results:
-rw-r--r-- 1 root root 1267 Jan 8 13:16 localtime
-rw-r--r-- 1 root named 2795 Mar 8 2003 named.conf
-rw-r--r-- 1 root named 241 Jan 8 13:16 named.custom
-rw-r----- 1 root named 132 Jan 8 13:16 rndc.key

Additional info:
bind configuration data should be read-only for user named wherever possible. The zone files for primaries and the hint file can live in a read-only directory; zone files for slaves cannot and should be placed in their own dir with write access. If bind allowed overwriting of slave zone files, even that dir could be read-only.
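An added check (not part of the bug report) that audits a BIND configuration directory for the problem described above: it lists every regular file the service user could modify through its owner, group or world write bit. Directory, user and group default to the report's /var/named/chroot/etc and named; the function names are my own.

```sh
#!/bin/sh
# audit_named_writable DIR [USER] [GROUP]
# Prints each regular file under DIR that the service user could write:
#   - owned by USER with the owner write bit set, or
#   - in group GROUP with the group write bit set, or
#   - world-writable.
# Defaults follow the report: /var/named/chroot/etc, user and group "named".
audit_named_writable() {
    dir=${1:-/var/named/chroot/etc}
    user=${2:-named}
    group=${3:-$user}
    find "$dir" -type f \( \
        \( -user "$user" -perm -u=w \) -o \
        \( -group "$group" -perm -g=w \) -o \
        -perm -o=w \) -print | sort
}

# check_named_readonly DIR [USER] [GROUP]
# Returns 0 when no file is writable by the service user (the "Expected
# results" state in the report), 1 otherwise, naming the offenders.
check_named_readonly() {
    offenders=$(audit_named_writable "$@")
    if [ -n "$offenders" ]; then
        printf 'files writable by %s under %s:\n%s\n' \
            "${2:-named}" "${1:-/var/named/chroot/etc}" "$offenders"
        return 1
    fi
    return 0
}
```

Running `check_named_readonly` against the listing in "Actual results" would flag named.conf and named.custom (owner named with u+w); against "Expected results" it reports nothing, since every file is owned by root and the named group has no write bit.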
Fixed in bind-9.2.3-12.src.rpm