Description of problem:
Many of the binaries in /usr/sbin/ are set to mode 750. This isn't necessary and causes problems (e.g. coredumps may not be created for binaries that aren't world readable). There is no security benefit to making regular (non-suid) binaries in /usr/sbin/ restricted. Other files have restrictive modes that should be reviewed to see if they are really necessary, such as the configuration files (not private key data files), logrotate configuration, stock/cached zone files, initscript, etc.

Version-Release number of selected component (if applicable):
9.5.0-23.b1.fc9

Actual results:
-rw-r----- 1 root named    163 Dec 27 10:24 /etc/logrotate.d/named
-rw-r----- 1 root named    997 Jun 14  2007 /etc/named.conf
-rw-r----- 1 root named    931 Jun 21  2007 /etc/named.rfc1912.zones
-rwxr-xr-- 1 root root    6146 Dec 27 10:24 /etc/rc.d/init.d/named
-rw-r----- 1 root named      0 Dec 27 10:24 /etc/rndc.conf
-rw-r----- 1 root named    602 Dec 27 10:24 /etc/sysconfig/named
-rwxr-x--- 2 root root  424996 Dec 27 10:24 /usr/sbin/lwresd
-rwxr-x--- 2 root root  424996 Dec 27 10:24 /usr/sbin/named
-rwxr-x--- 1 root root    7382 Dec 27 10:24 /usr/sbin/named-bootconf
lrwxr-x--- 1 root root      15 Dec 27 10:24 /usr/sbin/named-compilezone -> named-checkzone
-rwxr-x--- 1 root root   25968 Dec 27 10:24 /usr/sbin/rndc
-rwxr-x--- 1 root root   13684 Dec 27 10:24 /usr/sbin/rndc-confgen

Expected results:
I would expect at least all the binaries and initscripts to be mode 755. The config files are less of a concern, but may be overly restrictive.
You're right, there's really no benefit from 750 perms on binaries. But config files (named.conf and all of the /var/named structure) should be readable only by the named group and root.
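The two rules stated in the report and the reply (non-setuid binaries and initscripts world-readable and executable; config files not world-readable) can be checked mechanically. The script below is an added example, not part of the bug report or the bind package; it parses `ls -l` style lines, and its sample input is the listing from the report plus one constructed line (a world-readable /etc/rndc.key) to exercise the config rule. The `find` invocation in the trailing comment assumes GNU find.

```shell
#!/bin/sh
# Added permission audit (not from the bug or the bind package): flags
# non-setuid binaries/initscripts that are not world r-x, and files under
# /etc that are world-readable. Reads `ls -l` lines on stdin, one finding per line.
audit_modes() {
    while read -r mode links owner group size mon day tm path rest; do
        case "$mode" in l*) continue ;; esac       # symlink modes are ignored on Linux
        user=$(printf '%s' "$mode" | cut -c2-4)    # owner triad
        other=$(printf '%s' "$mode" | cut -c8-10)  # world triad
        case "$path" in
            /usr/sbin/*|/usr/bin/*|/etc/rc.d/init.d/*)
                case "$user" in *s*|*S*) continue ;; esac  # setuid: restriction may be deliberate
                case "$other" in
                    r?x) ;;
                    *) printf 'BINARY_NOT_WORLD_RX %s %s\n' "$mode" "$path" ;;
                esac ;;
            /etc/*)
                case "$other" in
                    *r*) printf 'CONFIG_WORLD_READABLE %s %s\n' "$mode" "$path" ;;
                esac ;;
        esac
    done
}

# Constructed sample: lines from the report plus an invented world-readable
# /etc/rndc.key (a key file, so it must not be readable by others).
sample_listing() {
    cat <<'EOF'
-rw-r----- 1 root named    163 Dec 27 10:24 /etc/logrotate.d/named
-rw-r----- 1 root named    997 Jun 14  2007 /etc/named.conf
-rwxr-xr-- 1 root root    6146 Dec 27 10:24 /etc/rc.d/init.d/named
-rw-r----- 1 root named      0 Dec 27 10:24 /etc/rndc.conf
-rw-r--r-- 1 root named     77 Dec 27 10:24 /etc/rndc.key
-rwxr-x--- 2 root root  424996 Dec 27 10:24 /usr/sbin/lwresd
-rwxr-x--- 2 root root  424996 Dec 27 10:24 /usr/sbin/named
lrwxr-x--- 1 root root      15 Dec 27 10:24 /usr/sbin/named-compilezone -> named-checkzone
-rwxr-x--- 1 root root   25968 Dec 27 10:24 /usr/sbin/rndc
EOF
}

# Live check on a real system (GNU find): regular, non-setuid files in
# /usr/sbin that are not world-readable.
#   find /usr/sbin -type f ! -perm -u=s ! -perm -o=r -ls
sample_listing | audit_modes
```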
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fixed in bind-9.5.0-33.rc1.fc10