permissions on /etc/namedb
Eugene Grosbein
eugen at kuzbass.ru
Mon Aug 4 07:55:14 UTC 2008
On Sun, Aug 03, 2008 at 11:39:18PM -0700, Doug Barton wrote:
> >>>>>I need /etc/namedb to be owned by root:bind and have permissions 01775,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>>>so bind may write to it but may not overwrite files that belong to root
> >>>>>here, and I made it so.
> >>>>I understand your frustration with something having changed that you
> >>>>did not expect. I would like to ask you though, what are you trying to
> >>>>accomplish here? What you suggested isn't really good from a security
> >>>>perspective because if an attacker does get in they can remove files
> >>>>from the directory that are owned by root and replace them with their
> >>>>own versions.
> >>>Can he? Doesn't the sticky bit on the directory prevent him from that?
> >>That's a question that you can and should answer for yourself.
> >
> >That was a rhetorical question - I wished to give you a chance
> >to correct yourself :-) Cheer :-)
>
> mkdir teststicky
> chmod 1755 teststicky/
> cd teststicky/
> sudo touch foofile
>
> ls -la .
> total 6
> drwxr-xr-t 2 dougb dougb 512 Aug 3 23:21 ./
> -rw-r--r-- 1 root dougb 0 Aug 3 23:21 foofile
>
> rm foofile
> override rw-r--r-- root/wheel for foofile? y
>
> ls -la
> total 6
> drwxr-xr-t 2 dougb dougb 512 Aug 3 23:22 ./
>
> You might also want to read sticky(8), especially the bit where it
> says, "A file in a sticky directory may only be removed or renamed by
> a user if the user has write permission for the directory and the user
> is ... the owner of the directory ..."
Please reread the first line of quoted text in this message.
Root is the owner of /etc/namedb in my case, and bind only has the right
to write to its own files and create new ones, not to touch root-owned files.
> >>I think that your idea of "BIND's working directory" is probably
> >>flawed
> >That's not my idea. From /var/log/messages:
> >Aug 3 15:02:18 host named[657]: the working directory is not writable
> That is a quaint reminder of a simpler time.
[skip]
> Also, I'm not sure whether you've actually looked at the default
> named.conf or not, but the two most common files that someone would
> want to write are the dump and statistics files, and there are already
> suitable paths for those files provided, and the bind user can
> actually write to them by default. It would be trivial to expand those
> examples to other things that are of particular interest to you.
The default named.conf contains the following line:
directory "/etc/namedb";
That is "the working directory", which is not writable by bind by default,
hence the line mentioned above in /var/log/messages. I dislike it when the
default configuration emits such warnings. So I decided to make it writable,
in the hope that this setup will save me from future problems while still
being secure.
Eugene Grosbein
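The sticky(8) rule the two posters disagree on, modelled as an added example (not code from the thread); it evaluates Doug's teststicky case and Eugene's /etc/namedb case side by side. The uid/gid values are constructed.

```python
"""Model of the sticky-directory unlink/rename rule from sticky(8).
Added example, not part of the original thread; uid/gid values are constructed."""
from __future__ import annotations
from dataclasses import dataclass

ROOT = 0


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits including the sticky bit, e.g. 0o1775


def may_write(dir_: Inode, uid: int, groups: frozenset[int]) -> bool:
    """Classic Unix write check on the directory for the acting user."""
    if uid == ROOT:
        return True
    if uid == dir_.uid:
        return bool(dir_.mode & 0o200)
    if dir_.gid in groups:
        return bool(dir_.mode & 0o020)
    return bool(dir_.mode & 0o002)


def may_unlink(dir_: Inode, target: Inode, uid: int, groups: frozenset[int]) -> bool:
    """Can `uid` remove or rename `target` inside `dir_`?
    Without the sticky bit, write permission on the directory suffices.
    With it, sticky(8) additionally requires the user to be the super-user,
    the owner of the file, or the owner of the directory."""
    if not may_write(dir_, uid, groups):
        return False
    if not dir_.mode & 0o1000:
        return True
    return uid in (ROOT, target.uid, dir_.uid)


# Constructed ids for the two scenarios discussed in the thread.
DOUGB, BIND_UID, BIND_GID, WHEEL = 1001, 53, 53, 0


def doug_test() -> bool:
    """Doug's teststicky: directory owned by dougb, mode 1755, root-owned foofile."""
    d = Inode(uid=DOUGB, gid=DOUGB, mode=0o1755)
    foofile = Inode(uid=ROOT, gid=DOUGB, mode=0o644)
    return may_unlink(d, foofile, DOUGB, frozenset({DOUGB}))  # dougb owns the dir


def eugene_setup() -> tuple[bool, bool]:
    """Eugene's /etc/namedb: root:bind, mode 01775.
    Returns (bind may remove a root-owned file, bind may remove its own file)."""
    namedb = Inode(uid=ROOT, gid=BIND_GID, mode=0o1775)
    root_zone = Inode(uid=ROOT, gid=WHEEL, mode=0o644)
    bind_file = Inode(uid=BIND_UID, gid=BIND_GID, mode=0o644)
    groups = frozenset({BIND_GID})
    return (may_unlink(namedb, root_zone, BIND_UID, groups),
            may_unlink(namedb, bind_file, BIND_UID, groups))
```

Doug's test passes the "owner of the directory" clause, which is why his rm succeeded; with root owning /etc/namedb that clause does not apply to bind, so only bind's own files remain removable.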