Description of problem:
The PowerDNS configuration file /etc/pdns/pdns.conf is world-readable by default, but contains the webserver-password setting and if set this password can be seen by every system user.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set webserver=yes and webserver-password=<password> in /etc/pdns/pdns.conf
2. Restart PowerDNS: service pdns restart
3. Any system user can read the webserver password from /etc/pdns/pdns.conf and login to the PowerDNS webserver
But it doesn't contain a password by default, does it?
The webserver is also not started by default.
What I'm getting at is that if you take the effort to enable the webserver, you could also just make the config file not world-readable.
It doesn't contain a password by default, but when using a backend which requires a password the same applies. I believe the gmysql backend is the most used backend, which needs the gmysql-password setting in pdns.conf.
Yes, the admin could make the config file not world-readable, but since it is so common to have passwords in there I think it should just be not world-readable by default.
Fair point :-)
I'll make the change.
Hmm, this is harder than I thought.
I'm wondering if it's enough to make the owner/group root:root, or if the pdns user also has to be able to read that file.
In the latter case we have to do some mangling of the permissions in %post, since the pdns user doesn't exist at %install time.
What do you think?
My /etc/pdns/pdns.conf is 0600 and owned by root:root. Works just fine, so I don't think the pdns user has to be able to read that file. I believe the file is already owned by root:root in the current release, so only the mode needs to be changed to 0600 AFAIK.
pdns-3.1-5.fc18 has been submitted as an update for Fedora 18.
pdns-3.1-4.fc17 has been submitted as an update for Fedora 17.
pdns-3.1-4.fc16 has been submitted as an update for Fedora 16.
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pdns-3.1-5.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
This bug report is for EPEL5. Will this also be fixed for the packages in EPEL?
(In reply to comment #10)
> This bug report is for EPEL5. Will this also be fixed for the packages in
Yes, I'll fix this also for epel5 and epel6.
pdns-220.127.116.11-2.el6 has been submitted as an update for Fedora EPEL 6.
pdns-2.9.22-5.el5 has been submitted as an update for Fedora EPEL 5.
pdns-3.1-1.el6 has been submitted as an update for Fedora EPEL 6.
pdns-2.9.22-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.