Bug 646510 - PowerDNS configuration is world-readable while it can contain passwords
Summary: PowerDNS configuration is world-readable while it can contain passwords
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: pdns
Version: el5
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Morten Stevens
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-10-25 14:19 UTC by Nils Breunese
Modified: 2012-11-17 01:03 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2012-11-17 01:03:39 UTC


Attachments (Terms of Use)

Description Nils Breunese 2010-10-25 14:19:31 UTC
Description of problem:

The PowerDNS configuration file /etc/pdns/pdns.conf is world-readable by default, but contains the webserver-password setting and if set this password can be seen by every system user.

Version-Release number of selected component (if applicable):

2.9.22-3.el5

Steps to Reproduce:
1. Set webserver=yes and webserver-password=<password> in /etc/pdns/pdns.conf
2. Restart PowerDNS: service pdns restart
3. Any system user can read the webserver password from /etc/pdns/pdns.conf and login to the PowerDNS webserver

Comment 1 Ruben Kerkhof 2010-10-25 14:34:59 UTC
But it doesn't contain a password by default, does it?
The webserver is also not started by default.

What I'm getting at is that if you take the effort to enable the webserver, you could also just make the config file not world-readable.

Comment 2 Nils Breunese 2010-10-25 14:37:29 UTC
It doesn't contain a password by default, but when using a backend which requires a password the same applies. I believe the gmysql backend is the most used backend, which needs the gmysql-password setting in pdns.conf.

Yes, the admin could make the config file not world-readable, but since it is so common to have passwords in there I think it should just be not world-readable by default.

Comment 3 Ruben Kerkhof 2010-10-25 14:42:25 UTC
Fair point :-)

I'll make the change.

Comment 4 Ruben Kerkhof 2010-12-14 17:29:32 UTC
Hmm, this is harder than I thought.

I'm wondering if it's enough to make the owner/group root:root, or if the pdns user also has to be able to read that file.

In the latter case we have to do some mangling of the permissions in %post, since the pdns user doesn't exist at %install time.

What do you think?

Comment 5 Nils Breunese 2010-12-14 18:01:25 UTC
My /etc/pdns/pdns.conf is 0600 and owned by root:root. Works just fine, so I don't think the pdns user has to be able to read that file. I believe the file is already owned by root:root in the current release, so only the mode needs to be changed to 0600 AFAIK.

Comment 6 Fedora Update System 2012-10-19 17:34:59 UTC
pdns-3.1-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/pdns-3.1-5.fc18

Comment 7 Fedora Update System 2012-10-19 19:28:59 UTC
pdns-3.1-4.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/pdns-3.1-4.fc17

Comment 8 Fedora Update System 2012-10-19 19:41:59 UTC
pdns-3.1-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/pdns-3.1-4.fc16

Comment 9 Fedora Update System 2012-10-20 03:53:41 UTC
Package pdns-3.1-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pdns-3.1-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16534/pdns-3.1-5.fc18
then log in and leave karma (feedback).

Comment 10 Nils Breunese 2012-10-20 08:32:43 UTC
This bug report is for EPEL5. Will this also be fixed for the packages in EPEL?

Comment 11 Morten Stevens 2012-10-20 09:05:14 UTC
(In reply to comment #10)
> This bug report is for EPEL5. Will this also be fixed for the packages in
> EPEL?

Yes, I'll fix this also for epel5 and epel6.

Comment 12 Fedora Update System 2012-10-20 23:02:08 UTC
pdns-2.9.22.6-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/pdns-2.9.22.6-2.el6

Comment 13 Fedora Update System 2012-10-20 23:03:04 UTC
pdns-2.9.22-5.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/pdns-2.9.22-5.el5

Comment 14 Fedora Update System 2012-10-26 17:37:30 UTC
pdns-3.1-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/pdns-3.1-1.el6

Comment 15 Fedora Update System 2012-11-17 01:03:40 UTC
pdns-2.9.22-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.