Bug 113092 - permissions for bind config not as restrictive as possible
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: bind
Version: 1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2004-01-08 09:03 EST by Heiner Westphal
Modified: 2007-11-30 17:10 EST (History)
Last Closed: 2004-08-30 18:31:08 EDT

Description Heiner Westphal 2004-01-08 09:03:35 EST
Description of problem:
/var/named/chroot/etc/named.conf and friends should not be writable
by user named to prevent malicious changes of persistent
configuration data even if s.o. manages to gain named's privileges.

Version-Release number of selected component (if applicable):
9.2.2.P3-9

How reproducible:
ls -l /var/named/chroot/etc

Actual results:
-rw-r--r--    1 named    named        1267 Jan  8 13:16 localtime
-rwxr-x---    1 named    named           0 Jan  8 13:16 named.conf
-rw-r--r--    1 named    named         241 Jan  8 13:16 named.custom
-rw-r-----    1 named    named         132 Jan  8 13:16 rndc.key

Expected results:
-rw-r--r--    1 root     root         1267 Jan  8 13:16 localtime
-rw-r--r--    1 root     named        2795 Mar  8  2003 named.conf
-rw-r--r--    1 root     named         241 Jan  8 13:16 named.custom
-rw-r-----    1 root     named         132 Jan  8 13:16 rndc.key

Additional info:
bind configuration data should be read-only for user named
wherever possible.
The zone files for primaries and the hint file can be read-only
in a read-only directory; zone files for slaves cannot and
should be placed in their own dir with write access.
If bind would allow overwriting of slave zone files, even the dir
could be read-only.
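An added audit script for the layout the reporter describes (not part of the bug report or of the bind package): it lists every file under the chroot config directory that the unprivileged named user could modify, skipping a directory of slave zone files that named legitimately writes, and prints the chown/chmod commands that would bring flagged files to the expected root-owned, non-writable state. The directory, user, group and slave-directory names are parameters with assumed defaults taken from the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes POSIX find(1).

# Print every regular file under $1 that user $2 (group $3) could write:
#   - owned by that user with the owner-write bit set
#   - group-owned by that group with the group-write bit set
#   - world-writable
# A directory named $4 (slave zone files, which named must update) is
# pruned, matching the report's suggestion of a separate writable dir.
writable_by_named() {
    dir=$1
    user=${2:-named}
    group=${3:-named}
    skip=${4:-slaves}
    find "$dir" -type d -name "$skip" -prune -o -type f \
        \( \( -user "$user" -perm -u=w \) \
        -o \( -group "$group" -perm -g=w \) \
        -o -perm -o=w \) -print
}

# Emit (do not run) the commands that bring each flagged file to the
# layout in "Expected results": root owner, named group, no write bit
# for group or others. Review the output before applying it as root.
suggest_fix() {
    writable_by_named "$@" | while IFS= read -r f; do
        printf 'chown root:%s %s\n' "${3:-named}" "$f"
        printf 'chmod g-w,o-w %s\n' "$f"
    done
}

# Usage against the paths from the report (run as root):
#   writable_by_named /var/named/chroot/etc
#   suggest_fix /var/named/chroot/etc
```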
Comment 1 Daniel Walsh 2004-03-25 14:27:57 EST
Fixed in bind-9.2.3-12.src.rpm
