Description of problem:
named-checkzone and co cannot be run as non-root user

Version-Release number of selected component (if applicable):
bind-9.3.2-20.FC5

How reproducible:
as non-root user run named-checkzone zonefile

Additional info:
There is no reason for this "security" feature. named-checkzone just runs a zonefile through a parser to see if the syntax is okay. Any security can be handled by restricting access to the zone files themselves. Similarly, zones should be signable by non-root users, so /usr/sbin/dnssec-signzone should also be executable by non-root. In fact, I don't know a single binary in there that should be "protected" like this. If this is some new policy for files in /usr/sbin, then named-checkzone, dnssec-signzone etc. should be moved to /usr/bin/
I concur, this needs to be fixed. I've been through the bind spec files for Fedora Core 5, and have found that the bind-9.3.2-4.1 package didn't mess with the default Makefile-created permissions for these binaries:

%files
%defattr(-,root,root)
<snip>
%{_sbindir}/named-check*

However, the bind update packages for Fedora Core 5, bind-9.3.2-20 and bind-9.3.2-33, sing a different tune:

%defattr(0750,root,root,0755)
%{_sbindir}/dnssec*
%{_sbindir}/lwresd
%{_sbindir}/named
%{_sbindir}/named-bootconf
%{_sbindir}/named-check*

What's the purpose of this change? Any user can download and/or compile their own version of this harmless file parser, so why not install it 755, like it used to? I have a vested interest in seeing this fixed for smbind (http://sourceforge.net/projects/smbind), which relies on the non-root user's ability to verify the zone and conf files produced by using these parsing utilities.
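An added example, not part of the bug thread or of the bind package: a small Python parser for a spec `%files` fragment that tracks the section-wide `%defattr` mode (and a per-line `%attr` override) and reports, for each installed path, whether "other" users get execute permission. The two fragments quoted above are embedded as constructed input, and the expansion of `%{_sbindir}` to /usr/sbin is an assumption.

```python
import re

# Constructed input: the two %files fragments quoted in the bug thread
# (bind-9.3.2-4.1 first, then bind-9.3.2-20/-33), not the full spec files.
FILES_OLD = """\
%files
%defattr(-,root,root)
%{_sbindir}/named-check*
"""

FILES_NEW = """\
%defattr(0750,root,root,0755)
%{_sbindir}/dnssec*
%{_sbindir}/lwresd
%{_sbindir}/named
%{_sbindir}/named-bootconf
%{_sbindir}/named-check*
"""

MACROS = {"_sbindir": "/usr/sbin"}  # assumed macro value for this example
_DEFATTR = re.compile(r"%defattr\(\s*([^,\s]+)\s*,[^)]*\)")
_ATTR = re.compile(r"%attr\(\s*([^,\s]+)\s*,[^)]*\)\s*(\S.*)")


def expand_macros(text):
    return re.sub(r"%\{(\w+)\}", lambda m: MACROS.get(m.group(1), m.group(0)), text)


def parse_files_section(text):
    # Returns (path, mode) pairs; mode is None when the spec keeps the
    # build-time mode ('-' in %defattr, or no %defattr seen yet).
    default_mode = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%files"):
            continue
        m = _DEFATTR.match(line)
        if m:  # %defattr applies to every following entry until the next one
            default_mode = None if m.group(1) == "-" else m.group(1)
            continue
        m = _ATTR.match(line)
        if m:  # per-file %attr overrides the section default
            entries.append((expand_macros(m.group(2)), m.group(1)))
        else:
            entries.append((expand_macros(line), default_mode))
    return entries


def world_executable_report(text):
    # True/False for an explicit octal mode, None if the spec does not force one.
    return {path: None if mode is None else bool(int(mode, 8) & 0o001)
            for path, mode in parse_files_section(text)}
```

Run against the second fragment, every /usr/sbin entry comes back False, which is exactly the non-root breakage reported here.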
I'll consider it for the next update...
Ugh. Still broken in bind-9.3.3-0.1.rc2
Martin: can you please tell us whether this is going to get fixed or not. With your "I will consider it" remark, we can't really go forward either way. Thanks.
I'll include it in the next update.
Added to CVS, it'll be in 30:9.3.3-0.2.rc2.
Looks like it's fixed. If it still exists, please reopen. Regards, Adam