Description of problem:
/etc/rndc.key is readable for all, so any user can issue named commands
like "rndc stop" to shut named down or other things.
/usr/sbin/rndc is not readable for all users, but we usually then don't
restrict the binary in this way, but keep the binary openly available.
(Does not really count to the above mentioned item, but might be something
to look at for testing purposes.)
Florian La Roche
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Confirmed, on a test RHEL5 system without bind-chroot, /etc/rndc.conf is mode 644
Thanks for report. This is pretty bad issue. Anyone could control server with
self-compiled rndc (to bypass 750 rndc perms). I think this should be clone to
This problem only affects bind packages as shipped in Red Hat Enterprise Linux 5
and Fedora. If only affects system without recommended bind-chroot package
installed, which reconfigures bind to run chrooted in /var/named/chroot
directory. /var/named/chroot has correct permissions by default (root:named, 750).
Version of bind as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 create
rndc.conf file with sane permissions by default (root:named, 640).
Possible impact - any user with access to system running bind can perform
following actions using rndc:
- stop named
- change logging level of daemon by setting too low (malicious activity will not
appear in the log) or too high (high disk usage due to lots of debug messages
being logged) log level value
- request configuration or zone file reload (contents of file is not controlled
by unprivileged user)
- disable updates of dynamic zone
rndc installed without read and execute permission for other users does not
provide sufficient protection, as described by reporter.
Possible workarounds for affected systems:
- Manually fix permissions of rndc.key file:
chmod 640 /etc/rndc.key
chown root:named /etc/rndc.key
- Install bind-chroot package and run bind chrooted in /var/named/chroot
Since the key could be stolen maybe a new key should get generated for
existing rndc.key files?
Florian La Roche
(In reply to comment #5)
> Since the key could be stolen maybe a new key should get generated for
> existing rndc.key files?
If it's possible that rndc key was compromised in the meantime, new one can be
generated using /usr/sbin/dns-keygen . New key printed on standard output
should be used in rndc.key file as new value for secret keyword and named has to
be restarted / reload for the change to take effect.
Line with "secret" keyword in rndc.conf should be changed to:
Florian, thanks for reminding that.
(In reply to comment #3)
> This problem only affects bind packages as shipped in Red Hat Enterprise Linux 5
> and Fedora.
Please report the affected distribution versions of Fedora. Thank you.
(In reply to comment #8)
> (In reply to comment #3)
> > This problem only affects bind packages as shipped in Red Hat Enterprise
> > Linux 5 and Fedora.
> Please report the affected distribution versions of Fedora. Thank you.
Sorry, no specific versions were listed as bind packages in all currently
supported Fedora versions (7, 8 and rawhide) were affected by this issue.
Please follow instructions in comment #4 and comment #6 if your configuration is
affected and this issue may cause problems in your environment.
Created attachment 290037 [details]
(In reply to comment #10)
> Created an attachment (id=290037) 
From F8 branch, other distributions will have appropriate version in trigger.
Created attachment 290038 [details]
previous patch has typo
bind-9.5.0-20.b1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Just my 2 cents.
After fixing permissions on /etc/rndc.conf, /usr/sbin/rndc could be freely
installed as root:root 0755 (or as root:named 0750), so any administrator (or
some kind of automated script or daemon, f.e. ldap2dnsd, that is running as the
user in the 'named' group) who has been added to the 'named' group will be able
This issue was addressed in:
Red Hat Enterprise Linux: