Description of problem: /etc/rndc.key is readable for all, so any user can issue named commands like "rndc stop" to shut named down or other things. /usr/sbin/rndc is not readable for all users, but we usually then don't restrict the binary in this way, but keep the binary openly available. (Does not really count to the above mentioned item, but might be something to look at for testing purposes.) regards, Florian La Roche Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Confirmed, on a test RHEL5 system without bind-chroot, /etc/rndc.conf is mode 644
Thanks for report. This is pretty bad issue. Anyone could control server with self-compiled rndc (to bypass 750 rndc perms). I think this should be clone to z-stream
This problem only affects bind packages as shipped in Red Hat Enterprise Linux 5 and Fedora. If only affects system without recommended bind-chroot package installed, which reconfigures bind to run chrooted in /var/named/chroot directory. /var/named/chroot has correct permissions by default (root:named, 750). Version of bind as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 create rndc.conf file with sane permissions by default (root:named, 640). Possible impact - any user with access to system running bind can perform following actions using rndc: - stop named - change logging level of daemon by setting too low (malicious activity will not appear in the log) or too high (high disk usage due to lots of debug messages being logged) log level value - request configuration or zone file reload (contents of file is not controlled by unprivileged user) - disable updates of dynamic zone rndc installed without read and execute permission for other users does not provide sufficient protection, as described by reporter.
Possible workarounds for affected systems: - Manually fix permissions of rndc.key file: chmod 640 /etc/rndc.key chown root:named /etc/rndc.key OR - Install bind-chroot package and run bind chrooted in /var/named/chroot
Since the key could be stolen maybe a new key should get generated for existing rndc.key files? regards, Florian La Roche
(In reply to comment #5) > Since the key could be stolen maybe a new key should get generated for > existing rndc.key files? If it's possible that rndc key was compromised in the meantime, new one can be generated using /usr/sbin/dns-keygen . New key printed on standard output should be used in rndc.key file as new value for secret keyword and named has to be restarted / reload for the change to take effect. Example: # /usr/sbin/dns-keygen we2sIj37XBlBC0FslnmOhjVNCx3M4KbAOUpRxYndd7gdRra7ZZ5qdqwmCDVL Line with "secret" keyword in rndc.conf should be changed to: secret "we2sIj37XBlBC0FslnmOhjVNCx3M4KbAOUpRxYndd7gdRra7ZZ5qdqwmCDVL"; Florian, thanks for reminding that.
(In reply to comment #3) > This problem only affects bind packages as shipped in Red Hat Enterprise Linux 5 > and Fedora. Please report the affected distribution versions of Fedora. Thank you.
(In reply to comment #8) > (In reply to comment #3) > > This problem only affects bind packages as shipped in Red Hat Enterprise > > Linux 5 and Fedora. > > Please report the affected distribution versions of Fedora. Thank you. Sorry, no specific versions were listed as bind packages in all currently supported Fedora versions (7, 8 and rawhide) were affected by this issue. Please follow instructions in comment #4 and comment #6 if your configuration is affected and this issue may cause problems in your environment.
Created attachment 290037 [details] patch
(In reply to comment #10) > Created an attachment (id=290037) [edit] > patch > From F8 branch, other distributions will have appropriate version in trigger.
Created attachment 290038 [details] previous patch has typo
bind-9.5.0-20.b1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Just my 2 cents. After fixing permissions on /etc/rndc.conf, /usr/sbin/rndc could be freely installed as root:root 0755 (or as root:named 0750), so any administrator (or some kind of automated script or daemon, f.e. ldap2dnsd, that is running as the user in the 'named' group) who has been added to the 'named' group will be able reload nameserver. Regards, Vladislav Bogdanov.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0300.html Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4655