Bug 427826 - too restrictive file modes on various files in the BIND package
Product: Fedora
Classification: Fedora
Component: bind
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-01-07 13:22 EST by Charles R. Anderson
Modified: 2013-04-30 19:38 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-14 06:46:40 EDT
Description Charles R. Anderson 2008-01-07 13:22:26 EST
Description of problem:

Many of the binaries in /usr/sbin/ are set to mode 750.  This isn't necessary
and causes problems (e.g. coredumps may not be created for binaries that aren't
world readable).  There is no security benefit to making regular (non-suid)
binaries in /usr/sbin/ restricted.

Other files have restrictive modes that should be reviewed to see if they are
really necessary, such as the configuration files (not private key data files),
logrotate configuration, stock/cached zone files, initscript, etc.

Version-Release number of selected component (if applicable):
Actual results:

-rw-r-----    1 root    named             163 Dec 27 10:24 /etc/logrotate.d/named
-rw-r-----    1 root    named             997 Jun 14  2007 /etc/named.conf
-rw-r-----    1 root    named             931 Jun 21  2007 /etc/named.rfc1912.zones
-rwxr-xr--    1 root    root             6146 Dec 27 10:24 /etc/rc.d/init.d/named
-rw-r-----    1 root    named               0 Dec 27 10:24 /etc/rndc.conf
-rw-r-----    1 root    named             602 Dec 27 10:24 /etc/sysconfig/named
-rwxr-x---    2 root    root           424996 Dec 27 10:24 /usr/sbin/lwresd
-rwxr-x---    2 root    root           424996 Dec 27 10:24 /usr/sbin/named
-rwxr-x---    1 root    root             7382 Dec 27 10:24 /usr/sbin/named-bootconf
lrwxr-x---    1 root    root               15 Dec 27 10:24 /usr/sbin/named-compilezone -> named-checkzone
-rwxr-x---    1 root    root            25968 Dec 27 10:24 /usr/sbin/rndc
-rwxr-x---    1 root    root            13684 Dec 27 10:24 /usr/sbin/rndc-confgen

Expected results:

I would expect at least all the binaries and initscripts to be mode 755.  The
config files are less of a concern, but may be overly restrictive.
Comment 1 Adam Tkac 2008-01-14 09:50:17 EST
You're right, there's really no benefit from 750 perms on binaries. But
config files (named.conf and all /var/named structure) should be readable only
by the named group and root.
Comment 2 Bug Zapper 2008-05-14 00:19:43 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Comment 3 Adam Tkac 2008-05-14 06:46:40 EDT
Fixed in bind-9.5.0-33.rc1.fc10
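
The mode policy this thread settles on (0755 for non-suid binaries and the initscript; named.conf and /var/named limited to root and the named group), written as a check over `ls -l` output. This is an added example, not part of the bug report or the bind package; the verdict names and the /var/named/example.zone line are constructed for illustration.

```python
import stat

SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
EXEC_DIRS = ("/usr/sbin/", "/etc/rc.d/init.d/")   # should be 0755 (description)
PRIVATE = ("/etc/named.conf", "/var/named")       # root + named group only (comment 1)

def parse_mode(sym):
    """Turn an ls-style mode string ('-rwxr-x---') into (type char, permission bits)."""
    bits = 0
    for i, ch in enumerate(sym[1:10]):
        if ch in "sStT":                  # setuid/setgid/sticky share the x column
            bits |= SPECIAL[i]
            if ch.islower():              # lowercase means execute is set as well
                bits |= 1 << (8 - i)
        elif ch != "-":
            bits |= 1 << (8 - i)
    return sym[0], bits

def audit(listing):
    """Return {path: (octal mode, verdict)} for each non-symlink line of `ls -l` output."""
    results = {}
    for line in listing.strip().splitlines():
        f = line.split()
        (ftype, bits), group, path = parse_mode(f[0]), f[3], f[8]
        if ftype == "l":                  # symlink modes are ignored on Linux
            continue
        if path.startswith(EXEC_DIRS):
            if bits & (stat.S_ISUID | stat.S_ISGID):
                verdict = "suid-review"   # the report only covers non-suid binaries
            else:
                verdict = "ok" if (bits & 0o755) == 0o755 else "too-restrictive"
        elif path.startswith(PRIVATE):
            if bits & 0o007:
                verdict = "world-accessible"
            else:
                verdict = "ok" if group == "named" else "wrong-group"
        else:
            verdict = "unreviewed"        # the thread leaves these modes undecided
        results[path] = (format(bits, "04o"), verdict)
    return results

# The first five lines come from the listing in the report; the last is constructed.
SAMPLE = """
-rw-r-----    1 root    named             163 Dec 27 10:24 /etc/logrotate.d/named
-rw-r-----    1 root    named             997 Jun 14  2007 /etc/named.conf
-rwxr-xr--    1 root    root             6146 Dec 27 10:24 /etc/rc.d/init.d/named
-rwxr-x---    2 root    root           424996 Dec 27 10:24 /usr/sbin/named
lrwxr-x---    1 root    root               15 Dec 27 10:24 /usr/sbin/named-compilezone -> named-checkzone
-rw-r--r--    1 root    root              997 Jan  1  2008 /var/named/example.zone
"""

if __name__ == "__main__":
    for path, (mode, verdict) in audit(SAMPLE).items():
        print(f"{mode} {verdict:16} {path}")
```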