Red Hat Bugzilla – Bug 200465
named-checkzone and co. cannot be run as non-root user
Last modified: 2013-04-30 19:34:00 EDT
Description of problem:
named-checkzone and co. cannot be run as a non-root user
Version-Release number of selected component (if applicable):
As a non-root user, run: named-checkzone zonefile
There is no reason for this "security" feature. named-checkzone just
runs a zonefile through a parser to see if the syntax is okay. Any security can
be handled by restricting access to the zone files themselves.
Similarly, zones should be signable by non-root users, so
/usr/sbin/dnssec-signzone should also be executable by non-root. In fact, I
don't know a single binary in there that should be "protected" like this.
If this is some new policy for files in /usr/sbin, then named-checkzone,
dnssec-signzone etc. should be moved to /usr/bin/
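The reporter's point is that mode bits on the parser binary buy nothing, because the data worth protecting is the zone file, and anyone can build their own copy of a parser. The following POSIX shell snippet is an added illustration of that reasoning, not part of the bug report or of the bind package: it inspects the "others" permission bits of a file and shows the weak configuration (world-readable zone file, locked-down binary) beside the one the reporter argues for (world-executable binary, zone file readable only by its group). The file names and the temporary directory are constructed for the demonstration; no real bind binary is touched.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes a POSIX sh with ls, chmod,
# cut and mktemp. All paths below are constructed stand-ins, not /usr/sbin files.

# Print "yes" if "others" may execute the path, "no" otherwise.
# ls -ld prints the mode string first; character 10 is the other-execute bit.
other_can_exec() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    *x) echo yes ;;
    *)  echo no ;;
  esac
}

# Print "yes" if "others" may read the path, "no" otherwise (character 8).
other_can_read() {
  bit=$(ls -ld "$1" | cut -c8)
  case "$bit" in
    r) echo yes ;;
    *) echo no ;;
  esac
}

# Build a throwaway layout: a stand-in for the parser binary and a zone file.
demo_dir=$(mktemp -d)
parser="$demo_dir/named-checkzone"     # constructed stand-in, not the real binary
zone="$demo_dir/example.zone"          # constructed zone file
printf '#!/bin/sh\necho "pretend parse of $1"\n' > "$parser"
printf '$TTL 3600\n@ IN SOA ns1 hostmaster 1 7200 900 1209600 86400\n' > "$zone"

# Weak configuration: the binary is locked down (750) but the zone file is
# world-readable (644). A non-root user cannot run this copy of the parser,
# yet can read the zone data and feed it to any parser they like.
chmod 750 "$parser"; chmod 644 "$zone"
echo "weak:      parser exec by others=$(other_can_exec "$parser")" \
     "zone read by others=$(other_can_read "$zone")"

# Configuration the reporter argues for: the harmless parser is 755 and the
# access control sits on the zone file itself (640, owned by the bind group).
chmod 755 "$parser"; chmod 640 "$zone"
echo "corrected: parser exec by others=$(other_can_exec "$parser")" \
     "zone read by others=$(other_can_read "$zone")"

rm -rf "$demo_dir"
```

Running it prints the two permission summaries; the decisive bit is the zone file's read permission, which is what actually gates who can see the data, while the execute bit on the parser only decides who can use this particular copy of it.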
I concur, this needs to be fixed.
I've been through the bind spec files for Fedora Core 5, and have found that the
bind-9.3.2-4.1 package didn't mess with the default Makefile-created permissions
for these binaries:
However, the bind update packages for Fedora Core 5, bind-9.3.2-20 and
bind-9.3.2-33 sing a different tune:
What's the purpose of this change? Any user can download and/or compile their
own version of this harmless file parser, so why not install it 755, like it
I have a vested interest in seeing this fixed for smbind
(http://sourceforge.net/projects/smbind), which relies on the non-root user's
ability to verify the zone and conf files produced by using these parsing
I'll consider it for the next update...
Ugh. Still broken in bind-9.3.3-0.1.rc2
Martin: can you please tell us whether this is going to get fixed or not? With
your "I will consider it" remark, we can't really go forward either way.
I'll include it in the next update.
Added to CVS; it'll be in 30:9.3.3-0.2.rc2
Looks like it's fixed. If it still exists, please reopen.