permissions on /etc/namedb
Remko Lodder
remko at elvandar.org
Mon Aug 4 09:00:04 UTC 2008
On Mon, August 4, 2008 9:55 am, Eugene Grosbein wrote:
> On Sun, Aug 03, 2008 at 11:39:18PM -0700, Doug Barton wrote:
>
>> >>>>>I need /etc/namedb to be owned by root:bind and have permissions 01775,
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> >>>>>so bind may write to it but may not overwrite files that belong to root
>> >>>>>here, and I made it so.
>> >>>>I understand your frustration with something having changed that you
>> >>>>did not expect. I would like to ask you though, what are you trying to
>> >>>>accomplish here? What you suggested isn't really good from a security
>> >>>>perspective because if an attacker does get in they can remove files
>> >>>>from the directory that are owned by root and replace them with their
>> >>>>own versions.
>> >>>Can he? Doesn't sticky bit on the directory prevent him from that?
>> >>That's a question that you can and should answer for yourself.
>> >
>> >That was a rhetorical question - I wished to give you a chance
>> >to correct yourself :-) Cheer :-)
>>
>> mkdir teststicky
>> chmod 1755 teststicky/
>> cd teststicky/
>> sudo touch foofile
>>
>> ls -la .
>> total 6
>> drwxr-xr-t 2 dougb dougb 512 Aug 3 23:21 ./
>> -rw-r--r-- 1 root dougb 0 Aug 3 23:21 foofile
>>
>> rm foofile
>> override rw-r--r-- root/wheel for foofile? y
>>
>> ls -la
>> total 6
>> drwxr-xr-t 2 dougb dougb 512 Aug 3 23:22 ./
>>
>> You might also want to read sticky(8), especially the bit where it
>> says, "A file in a sticky directory may only be removed or renamed by
>> a user if the user has write permission for the directory and the user
>> is ... the owner of the directory ..."
>
> Please reread the first line of quoted text in this message.
> Root is the owner of /etc/namedb in my case, and bind only has the right
> to write to its own files and create new ones, not to touch root-owned files.
>
>> >>I think that your idea of "BIND's working directory" is probably
>> >>flawed
>> >That's not my idea. From /var/log/messages:
>> >Aug 3 15:02:18 host named[657]: the working directory is not writable
>> That is a quaint reminder of a simpler time.
>
> [skip]
>
>> Also, I'm not sure whether you've actually looked at the default
>> named.conf or not, but the two most common files that someone would
>> want to write are the dump and statistics files, and there are already
>> suitable paths for those files provided, and the bind user can
>> actually write to them by default. It would be trivial to expand those
>> examples to other things that are of particular interest to you.
>
> The default named.conf contains the following line:
>
> directory "/etc/namedb";
>
> That is "the working directory", which is not writable by bind by default,
> hence the mentioned line in /var/log/messages. I dislike it when the default
> configuration emits such warnings. So I decided to make it writable
> in the hope that this setup will save me from future problems while still being secure.
>
> Eugene Grosbein
Hello,
I like the unwritable /etc/namedb directory for bind, so that one is
"forced" to create directories for bind which it has write access to. You
do not want to clobber the /etc/namedb directory with files (imo) ;)
Cheers
remko
--
/"\ Best regards, | remko at FreeBSD.org
\ / Remko Lodder | remko at EFnet
X http://www.evilcoder.org/ |
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
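As an added example (not code from this thread), a small Python model of the sticky(8) rule the two posters are arguing about, applied to Doug's teststicky experiment and to Eugene's root:bind 01775 layout. It models the rule only, not the kernel's actual permission code; the user names and sample file names are constructed.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    """Ownership and mode bits of one directory or file (constructed sample data)."""
    owner: str
    group: str
    mode: int  # permission bits as in st_mode, e.g. 0o1775 for drwxrwxr-t

def may_write(node, user, groups):
    """Owner/group/other write check; root bypasses the mode bits entirely."""
    if user == "root":
        return True
    if node.owner == user:
        return bool(node.mode & stat.S_IWUSR)
    if node.group in groups:
        return bool(node.mode & stat.S_IWGRP)
    return bool(node.mode & stat.S_IWOTH)

def may_unlink(directory, entry, user, groups):
    """sticky(8): unlink/rename needs write permission on the directory, and when
    the directory is sticky the user must also own the entry or the directory."""
    if user == "root":
        return True
    if not may_write(directory, user, groups):
        return False
    if not directory.mode & stat.S_ISVTX:
        return True
    return user in (entry.owner, directory.owner)

# Doug's experiment: dougb owns the sticky directory, so he may delete root's file.
TESTSTICKY = Inode("dougb", "dougb", 0o1755)
FOOFILE = Inode("root", "dougb", 0o644)
# Eugene's layout: root owns the sticky directory, bind is only a group member.
NAMEDB = Inode("root", "bind", 0o1775)
ROOT_ZONE = Inode("root", "wheel", 0o644)  # constructed root-owned file
BIND_FILE = Inode("bind", "bind", 0o644)   # constructed file created by bind

def scenarios():
    bind = frozenset({"bind"})
    return {
        "dougb_rm_root_file": may_unlink(TESTSTICKY, FOOFILE, "dougb", frozenset({"dougb"})),
        "bind_rm_root_file": may_unlink(NAMEDB, ROOT_ZONE, "bind", bind),
        "bind_rm_own_file": may_unlink(NAMEDB, BIND_FILE, "bind", bind),
        "bind_create_file": may_write(NAMEDB, "bind", bind),
        # same directory without the sticky bit (0775): bind may remove root's file
        "bind_rm_root_file_nonsticky": may_unlink(Inode("root", "bind", 0o775), ROOT_ZONE, "bind", bind),
    }
```

`scenarios()` returns one decision per case; the only case that differs between Doug's test and Eugene's layout is who owns the sticky directory.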