Bug 200465 - named-checkzone and co. cannot be run as non-root user
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: bind
Version: 5
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Adam Tkac
QA Contact: Ben Levenson
Reported: 2006-07-27 17:04 EDT by Paul Wouters
Modified: 2013-04-30 19:34 EDT
Doc Type: Bug Fix
Last Closed: 2007-05-30 06:07:42 EDT

Description Paul Wouters 2006-07-27 17:04:56 EDT
Description of problem:
named-checkzone and co cannot be run as non-root user

Version-Release number of selected component (if applicable):
bind-9.3.2-20.FC5

How reproducible:
as non-root user run named-checkzone zonefile

Additional info:

There is no reason for this "security" feature. named-checkzone just
runs a zonefile through a parser to see if the syntax is okay. Any security can
be handled by restricting access to the zone files themselves.

Similarly, zones should be signable by non-root users, so
/usr/sbin/dnssec-signzone should also be executable by non-root. In fact, I
don't know a single binary in there that should be "protected" like this.

If this is some new policy for files in /usr/sbin, then named-checkzone,
dnssec-signzone etc. should be moved to /usr/bin/

Comment 1 Ben Lentz 2006-09-21 16:16:39 EDT
I concur, this needs to be fixed.

I've been through the bind spec files for Fedora Core 5, and have found that the
bind-9.3.2-4.1 package didn't mess with the default Makefile-created permissions
for these binaries:

%files
%defattr(-,root,root)
<snip>
%{_sbindir}/named-check*

However, the bind update packages for Fedora Core 5, bind-9.3.2-20 and
bind-9.3.2-33 sing a different tune:

%defattr(0750,root,root,0755)
%{_sbindir}/dnssec*
%{_sbindir}/lwresd
%{_sbindir}/named
%{_sbindir}/named-bootconf
%{_sbindir}/named-check*

What's the purpose of this change? Any user can download and/or compile their
own version of this harmless file parser, so why not install it 755, like it
used to?

I have a vested interest in seeing this fixed for smbind
(http://sourceforge.net/projects/smbind), which relies on the non-root user's
ability to verify the zone and conf files produced by using these parsing
utilities. 
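
The mode change described in Comment 1 can be caught mechanically by reading the `%files` section of a spec file. The following is an added example, not part of the bug report or the bind package; the function names, the restriction to `%{_sbindir}`/`%{_bindir}` entries, and the `OVERRIDE` variant are assumptions made for illustration.

```python
import re

DEFATTR = re.compile(r"%defattr\(([^)]*)\)")
ATTR = re.compile(r"%attr\(([^)]*)\)\s*")
# Assumption: entries under these macros are programs users may need to run.
BIN_PREFIXES = ("%{_sbindir}/", "%{_bindir}/")

def file_mode(args):
    """First field of %defattr/%attr as an int; None for '-' (mode left as built)."""
    field = args.split(",")[0].strip()
    return None if field in ("", "-") else int(field, 8)

def not_world_executable(files_section):
    """Return [(path, mode)] for program entries whose spec mode lacks o+x."""
    default = None          # file mode set by the most recent %defattr
    flagged = []
    for raw in files_section.splitlines():
        line = raw.strip()
        m = DEFATTR.match(line)
        if m:
            default = file_mode(m.group(1))
            continue
        mode = default
        m = ATTR.match(line)
        if m:               # per-entry override; '-' falls back to the default
            override = file_mode(m.group(1))
            mode = default if override is None else override
            line = line[m.end():]
        if not line.startswith(BIN_PREFIXES):
            continue        # %files header, %doc, %dir, config files, blanks
        if mode is not None and not mode & 0o001:
            flagged.append((line, mode))
    return flagged

# Constructed inputs: the two %files fragments quoted in the comment above,
# plus a hypothetical per-entry override (not the package's actual fix).
OLD = "%files\n%defattr(-,root,root)\n%{_sbindir}/named-check*\n"
NEW = """%defattr(0750,root,root,0755)
%{_sbindir}/dnssec*
%{_sbindir}/lwresd
%{_sbindir}/named
%{_sbindir}/named-bootconf
%{_sbindir}/named-check*
"""
OVERRIDE = NEW.replace("%{_sbindir}/named-check*",
                       "%attr(0755,root,root) %{_sbindir}/named-check*")

if __name__ == "__main__":
    for name, spec in (("old", OLD), ("new", NEW), ("override", OVERRIDE)):
        for path, mode in not_world_executable(spec):
            print(f"{name}: {path} is {mode:04o}, not executable by other users")
```

A `-` mode is not flagged because the spec alone does not say what mode the build installed; that case needs a check against the built package.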

Comment 2 Martin Stransky 2006-09-22 06:09:53 EDT
I'll consider it for the next update...

Comment 3 Ben Lentz 2006-10-23 10:47:49 EDT
Ugh. Still broken in bind-9.3.3-0.1.rc2

Comment 4 Paul Wouters 2006-10-23 13:04:06 EDT
Martin: can you please tell us whether this is going to get fixed or not. With
your "I will consider it" remark, we can't really go forward either way.

Thanks.

Comment 5 Martin Stransky 2006-10-24 04:00:36 EDT
I'll include it in the next update.

Comment 6 Martin Stransky 2006-10-26 04:20:43 EDT
Added to CVS; it'll be in 30:9.3.3-0.2.rc2

Comment 7 Adam Tkac 2007-05-30 06:07:42 EDT
Looks like it is fixed. If it still exists, please reopen.

Regards, Adam
