Bug 113092 - permissions for bind config not as restrictive as possible
Summary: permissions for bind config not as restrictive as possible
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: 1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2004-01-08 14:03 UTC by Heiner Westphal
Modified: 2007-11-30 22:10 UTC (History)
Clone Of:
Last Closed: 2004-08-30 22:31:08 UTC
Description Heiner Westphal 2004-01-08 14:03:35 UTC
Description of problem:
/var/named/chroot/etc/named.conf and friends should not be writable
by user named to prevent malicious changes of persistent
configuration data even if someone manages to gain named's privileges.

Version-Release number of selected component (if applicable):
9.2.2.P3-9

How reproducible:
ls -l /var/named/chroot/etc

Actual results:
-rw-r--r--    1 named    named        1267 Jan  8 13:16 localtime
-rwxr-x---    1 named    named           0 Jan  8 13:16 named.conf
-rw-r--r--    1 named    named         241 Jan  8 13:16 named.custom
-rw-r-----    1 named    named         132 Jan  8 13:16 rndc.key

Expected results:
-rw-r--r--    1 root     root         1267 Jan  8 13:16 localtime
-rw-r--r--    1 root     named        2795 Mar  8  2003 named.conf
-rw-r--r--    1 root     named         241 Jan  8 13:16 named.custom
-rw-r-----    1 root     named         132 Jan  8 13:16 rndc.key

Additional info:
 bind configuration data should be read-only for user named
 wherever possible.
 The zone files for primaries and the hint file can be read-only
 in a read-only directory; zone files for slaves cannot, and
 should be placed in their own dir with write access.
 If bind allowed overwriting of slave zone files, even the dir
 could be read-only.
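The layout the report asks for (configuration owned by root and read-only for the service user, with only the slave-zone directory writable) can be checked and applied with a short POSIX shell script. The following is an added example; it is not code from this bug, from Fedora's bind package, or from BIND itself. It assumes the service user is `named`, that its primary group is whatever `id -gn named` reports, and that slave zones live in a subdirectory called `slaves` under the directory being audited; those names are placeholders and are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the bug or the Fedora package): audit a BIND
# config directory for files the service user could modify, and apply the
# root:named layout from the "Expected results" above. Hypothetical
# defaults: service user "named", slave zones in a subdirectory "slaves".

# audit_named_config DIR [USER] [SLAVES_SUBDIR]
# Prints every regular file under DIR that USER can write: files USER
# owns with u+w, files in USER's primary group with g+w, or files with
# o+w. The slave-zone subdirectory is skipped because BIND must write
# there (it is the one place the report allows write access).
audit_named_config() {
    dir=$1
    svc=${2:-named}
    slaves=${3:-slaves}
    # Primary group of the service user; fall back to the user name.
    grp=$(id -gn "$svc" 2>/dev/null || echo "$svc")
    find "$dir" -path "$dir/$slaves" -prune -o -type f \( \
        \( -user "$svc" -perm -u=w \) -o \
        \( -group "$grp" -perm -g=w \) -o \
        -perm -o=w \) -print
}

# check_named_config DIR [USER] [SLAVES_SUBDIR]
# Exit status 0 when nothing outside the slaves dir is writable by USER,
# 1 otherwise, so it can run from cron or a CI job.
check_named_config() {
    n=$(audit_named_config "$@" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# harden_named_config DIR [USER] [SLAVES_SUBDIR]
# Applies the layout from "Expected results": root:USER and 0644 for the
# config files, 0640 for rndc.key so only root and the group can read the
# key, and a USER-owned slaves dir. Must run as root because of chown.
harden_named_config() {
    dir=$1
    svc=${2:-named}
    slaves=${3:-slaves}
    if [ "$(id -u)" -ne 0 ]; then
        echo "harden_named_config: must run as root" >&2
        return 1
    fi
    find "$dir" -path "$dir/$slaves" -prune -o -type f \
        -exec chown root:"$svc" {} \; -exec chmod 0644 {} \;
    if [ -f "$dir/rndc.key" ]; then
        chmod 0640 "$dir/rndc.key"
    fi
    mkdir -p "$dir/$slaves"
    chown "$svc":"$svc" "$dir/$slaves"
    chmod 0750 "$dir/$slaves"
}
```

Run `audit_named_config /var/named/chroot/etc named` against the "Actual results" listing above and it prints named.conf, named.custom, rndc.key and localtime, since all four are owned by named with u+w; against the "Expected results" layout it prints nothing. The group test deliberately uses the service user's primary group rather than assuming a group called named, because a 0660 file in that group would otherwise slip through.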

Comment 1 Daniel Walsh 2004-03-25 19:27:57 UTC
Fixed in bind-9.2.3-12.src.rpm