Bug 427826 - too restrictive file modes on various files in the BIND package
Summary: too restrictive file modes on various files in the BIND package
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-01-07 18:22 UTC by Charles R. Anderson
Modified: 2013-04-30 23:38 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-05-14 10:46:40 UTC
Type: ---
Embargoed:



Description Charles R. Anderson 2008-01-07 18:22:26 UTC
Description of problem:

Many of the binaries in /usr/sbin/ are set to mode 750.  This isn't necessary
and causes problems (e.g. coredumps may not be created for binaries that aren't
world readable).  There is no security benefit to making regular (non-suid)
binaries in /usr/sbin/ restricted.

Other files have restrictive modes that should be reviewed to see if they are
really necessary, such as the configuration files (not private key data files),
logrotate configuration, stock/cached zone files, initscript, etc.

Version-Release number of selected component (if applicable):
9.5.0-23.b1.fc9
  
Actual results:

-rw-r-----    1 root    named             163 Dec 27 10:24 /etc/logrotate.d/named
-rw-r-----    1 root    named             997 Jun 14  2007 /etc/named.conf
-rw-r-----    1 root    named             931 Jun 21  2007 /etc/named.rfc1912.zones
-rwxr-xr--    1 root    root             6146 Dec 27 10:24 /etc/rc.d/init.d/named
-rw-r-----    1 root    named               0 Dec 27 10:24 /etc/rndc.conf
-rw-r-----    1 root    named             602 Dec 27 10:24 /etc/sysconfig/named
-rwxr-x---    2 root    root           424996 Dec 27 10:24 /usr/sbin/lwresd
-rwxr-x---    2 root    root           424996 Dec 27 10:24 /usr/sbin/named
-rwxr-x---    1 root    root             7382 Dec 27 10:24 /usr/sbin/named-bootconf
lrwxr-x---    1 root    root               15 Dec 27 10:24 /usr/sbin/named-compilezone -> named-checkzone
-rwxr-x---    1 root    root            25968 Dec 27 10:24 /usr/sbin/rndc
-rwxr-x---    1 root    root            13684 Dec 27 10:24 /usr/sbin/rndc-confgen

Expected results:

I would expect at least all the binaries and initscripts to be mode 755.  The
config files are less of a concern, but may be overly restrictive.

Comment 1 Adam Tkac 2008-01-14 14:50:17 UTC
You're right, there's really no benefit from 750 perms on binaries. But
config files (named.conf and all /var/named structure) should be readable only
with named group and root.
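
The expectations stated in the report and in comment 1 (regular, non-setuid binaries and the initscript at 755; named.conf and zone data readable by root and the named group only, i.e. 640 root:named) as an added audit helper; this is not code from the bug or from the Fedora bind package. It assumes GNU stat and takes the expected group from BIND_GROUP (default "named") so it can be run against a test tree.

```shell
#!/bin/sh
# Added audit helper, not part of the bug report or the bind package.
# Checks the two expectations discussed above:
#   binary: regular executables and the initscript should be exactly 0755
#   config: named.conf and zone data should be 0640 with group $BIND_GROUP
# BIND_GROUP defaults to "named" (assumption; override when testing elsewhere).
# Each argument is "kind:path". One line is printed per deviation; the function
# returns 1 if anything deviated and 0 if every path complies.
bind_mode_audit() {
    rc=0
    group=${BIND_GROUP:-named}
    for spec in "$@"; do
        kind=${spec%%:*}
        path=${spec#*:}
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        # GNU stat: octal mode and owning group of the target (symlinks followed)
        mode=$(stat -L -c '%a' "$path")
        grp=$(stat -L -c '%G' "$path")
        case "$kind" in
        binary)
            case "$mode" in
            755) ;;   # expected, nothing to report
            # a 4-digit mode starting with 2/4/6 carries setgid/setuid: the
            # report's reasoning only covers non-suid binaries, so flag it
            [246]???) echo "SETUID/SETGID $path mode $mode: review separately"; rc=1 ;;
            *) echo "BINARY $path mode $mode: expected 755"; rc=1 ;;
            esac ;;
        config)
            if [ "$mode" != 640 ]; then
                echo "CONFIG $path mode $mode: expected 640"; rc=1
            fi
            if [ "$grp" != "$group" ]; then
                echo "CONFIG $path group $grp: expected $group"; rc=1
            fi ;;
        *) echo "UNKNOWN kind '$kind' for $path"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as `bind_mode_audit binary:/usr/sbin/named binary:/etc/rc.d/init.d/named config:/etc/named.conf` to compare a real installation against the policy.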

Comment 2 Bug Zapper 2008-05-14 04:19:43 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and the reason for this action are here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Adam Tkac 2008-05-14 10:46:40 UTC
Fixed in bind-9.5.0-33.rc1.fc10

