200465 – named-checkzone and co. cannot be run as non-root user

Bug 200465 - named-checkzone and co. cannot be run as non-root user

Summary: named-checkzone and co. cannot be run as non-root user

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	bind
Sub Component:
Version:	5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Adam Tkac
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-07-27 21:04 UTC by Paul Wouters
Modified:	2013-04-30 23:34 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-05-30 10:07:42 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Paul Wouters 2006-07-27 21:04:56 UTC

Description of problem:
named-checkzone and co cannot be run as non-root user

Version-Release number of selected component (if applicable):
bind-9.3.2-20.FC5

How reproducible:
as non-root user run named-checkzone zonefile

Additional info:

There is no reason for this "security" feature. named-checkzone just
runs a zonefile through a parser to see if the syntax is okay. Any security can
be handled by restricting access to the zone files themselves.

Similarly, zones should be signable by non-root users, so
/usr/sbin/dnssec-signzone should also be executable by non-root. In fact, I
don't know a single binary in there that should be "protected" like this.

If this is some new policy for files in /usr/sbin, then named-checkzone,
dnssec-signzone etc should be moved to /usr/bin/

Comment 1 Ben Lentz 2006-09-21 20:16:39 UTC

I concur, this needs to be fixed.

I've been through the bind spec files for Fedora Core 5, and have found that the
bind-9.3.2-4.1 package didn't mess with the default Makefile-created permissions
for these binaries:

%files
%defattr(-,root,root)
<snip>
%{_sbindir}/named-check*

However, the bind update packages for Fedora Core 5, bind-9.3.2-20 and
bind-9.3.2-33 sing a different tune:

%defattr(0750,root,root,0755)
%{_sbindir}/dnssec*
%{_sbindir}/lwresd
%{_sbindir}/named
%{_sbindir}/named-bootconf
%{_sbindir}/named-check*

What's the purpose of this change? Any user can download and/or compile their
own version of this harmless file parser, so why not install it 755, like it
used to?

I have a vested interest in seeing this fixed for smbind
(http://sourceforge.net/projects/smbind), which relies on the non-root user's
ability to verify the zone and conf files produced by using these parsing
utilities.

Comment 2 Martin Stransky 2006-09-22 10:09:53 UTC

I'll consider it for the next update...

Comment 3 Ben Lentz 2006-10-23 14:47:49 UTC

Ugh. Still broken in bind-9.3.3-0.1.rc2

Comment 4 Paul Wouters 2006-10-23 17:04:06 UTC

Martin: can you please tell us whether this is going to get fixed or not. With
your "I will consider it" remark, we can't really go forward either way.

Thanks.

Comment 5 Martin Stransky 2006-10-24 08:00:36 UTC

I'll include it in the next update.

Comment 6 Martin Stransky 2006-10-26 08:20:43 UTC

added to CVS, it'll be in 30:9.3.3-0.2.rc2

Comment 7 Adam Tkac 2007-05-30 10:07:42 UTC

Looks like fixed. If still exists, please reopen.

Regards, Adam

Note You need to log in before you can comment on or make changes to this bug.