Date: Sun, 03 Aug 2008 23:39:18 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: Eugene Grosbein <eugen@kuzbass.ru>
Cc: freebsd-net@FreeBSD.org
Subject: Re: permissions on /etc/namedb
Message-ID: <4896A416.80602@FreeBSD.org>
In-Reply-To: <20080804060658.GA19639@svzserv.kemerovo.su>
References: <20080803073803.GA10321@grosbein.pp.ru> <4895EB57.2000801@FreeBSD.org> <20080803183346.GA53252@svzserv.kemerovo.su> <4896997D.8060001@FreeBSD.org> <20080804060658.GA19639@svzserv.kemerovo.su>
Eugene Grosbein wrote:
> On Sun, Aug 03, 2008 at 10:54:05PM -0700, Doug Barton wrote:
> 
>>>>> I need /etc/namedb to be owned by root:bind and have permissions 01775,
>>>>> so bind may write to it but may not overwrite files that belong to root
>>>>> here, and I made it so.
>>>> I understand your frustration with something having changed that you
>>>> did not expect. I would like to ask you though, what are you trying to
>>>> accomplish here? What you suggested isn't really good from a security
>>>> perspective because if an attacker does get in they can remove files
>>>> from the directory that are owned by root and replace them with their
>>>> own versions.
>>> Can he? Doesn't sticky bit on the directory prevent him from that?
>> That's a question that you can and should answer for yourself.
> 
> That was a rhetorical question - I wished to give you a chance
> to correct yourself :-)

Cheer :-)

mkdir teststicky
chmod 1755 teststicky/
cd teststicky/
sudo touch foofile
ls -la .
total 6
drwxr-xr-t  2 dougb  dougb  512 Aug  3 23:21 ./
-rw-r--r--  1 root   dougb    0 Aug  3 23:21 foofile
rm foofile
override rw-r--r--  root/wheel for foofile? y
ls -la
total 6
drwxr-xr-t  2 dougb  dougb  512 Aug  3 23:22 ./

You might also want to read sticky(8), especially the bit where it says,
"A file in a sticky directory may only be removed or renamed by a user if
the user has write permission for the directory and the user is ... the
owner of the directory ..."

>>>> If you give me a better idea what you're trying to do then I can give
>>>> you some suggestions on how to make it happen.
>>> Well, I just want bind to be allowed to write to its working directory.
>> I think that your idea of "BIND's working directory" is probably
>> flawed
> 
> That's not my idea. From /var/log/messages:
> 
> Aug  3 15:02:18 host named[657]: the working directory is not writable

That is a quaint reminder of a simpler time. It's far better nowadays to
separate the idea of configuration directories and directories that
named should write to. (One could easily make the argument that this
division should have been enforced from the start, and personally I
never liked having named dropping stuff all over my config directory,
but I digress.)

>> but if what you want is to make /etc/namedb writable by the
>> bind user and have it persist from boot to boot someone else already
>> told you how to do that, so good luck.
> 
> Sigh... I have to study mtree now.

If it takes you more than 5 minutes, give up. :)

> And for what reason? Just because the system thinks it knows better
> what user needs.

You previously agreed with me that the defaults should be appropriate
for non-expert users, and I would still argue that they are. Also, I'm
not sure whether you've actually looked at the default named.conf or
not, but the two most common files that someone would want to write are
the dump and statistics files, and there are already suitable paths for
those files provided, and the bind user can actually write to them by
default. It would be trivial to expand those examples to other things
that are of particular interest to you.

Meanwhile, it's obvious to me that you are determined to go a certain
direction with this, so once again I wish you luck.

Doug

-- 

This .signature sanitized for your protection
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4896A416.80602>
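As an added example, not part of the thread and not FreeBSD's own code: a small Python model of the unlink(2)/rename(2) permission check that the sticky(8) sentence quoted above describes. It is run over the teststicky session shown in the message (directory dougb:dougb 01755, file root:wheel) and over the root:bind 01775 layout Eugene asked for. The uid/gid numbers, the file names and the journal file are assumptions made for the demonstration.

```python
# Added example (not from the thread): a model of the FreeBSD unlink/rename
# permission check for a file inside a directory, including the sticky(8) rule
# quoted in the message.  uid/gid values and file names are assumptions.
import stat
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits, in the "other" position


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary gids

    def member_of(self, gid: int) -> bool:
        return gid == self.gid or gid in self.groups


@dataclass(frozen=True)
class Inode:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits plus setuid/setgid/sticky, as chmod takes them


def has_perm(user: User, node: Inode, bit: int) -> bool:
    """Classic discretionary check: owner class, else group class, else other.
    uid 0 bypasses it, as on a FreeBSD system with no MAC policy loaded."""
    if user.uid == 0:
        return True
    if user.uid == node.uid:
        return bool(node.mode & (bit << 6))
    if user.member_of(node.gid):
        return bool(node.mode & (bit << 3))
    return bool(node.mode & bit)


def may_unlink(user: User, directory: Inode, target: Inode) -> bool:
    """Whether `user` may unlink(2) or rename(2) `target` out of `directory`.

    Write permission on the file itself never enters into it: rm(1) merely
    asks ("override rw-r--r-- root/wheel for foofile?") before calling
    unlink(2), which then succeeds or fails on the directory rules alone."""
    # unlink needs write and search permission on the containing directory
    if not (has_perm(user, directory, W) and has_perm(user, directory, X)):
        return False
    if not directory.mode & stat.S_ISVTX:
        return True
    # Sticky directory, per sticky(8): the user must additionally own the
    # file or own the directory, or be the super-user.
    return user.uid in (0, target.uid, directory.uid)


# --- Constructed principals and inodes (assumed uid/gid numbers) -------------
root = User("root", 0, 0)
dougb = User("dougb", 1001, 1001)   # assumed uid/gid for the account in the demo
bind = User("bind", 53, 53)         # FreeBSD's bind user; 53 is assumed here

# The teststicky session from the message: dir dougb:dougb 01755, file root:wheel
teststicky = Inode("teststicky", dougb.uid, dougb.gid, 0o1755)
foofile = Inode("teststicky/foofile", root.uid, root.gid, 0o644)

# Eugene's layout: /etc/namedb root:bind 01775, holding root-owned config and a
# file named itself writes (a zone journal, assumed for the example)
namedb_sticky = Inode("/etc/namedb", root.uid, bind.gid, 0o1775)
namedb_plain = Inode("/etc/namedb", root.uid, bind.gid, 0o775)  # same, no sticky bit
named_conf = Inode("/etc/namedb/named.conf", root.uid, root.gid, 0o644)
journal = Inode("/etc/namedb/example.zone.jnl", bind.uid, bind.gid, 0o644)


def scenarios() -> dict:
    """Evaluate the cases discussed in the thread; returns {label: allowed}."""
    return {
        "dougb rm root's foofile in his own sticky dir": may_unlink(dougb, teststicky, foofile),
        "bind rm root's named.conf, namedb 01775": may_unlink(bind, namedb_sticky, named_conf),
        "bind rm its own journal, namedb 01775": may_unlink(bind, namedb_sticky, journal),
        "bind rm root's named.conf, namedb 0775 (no sticky)": may_unlink(bind, namedb_plain, named_conf),
        "root rm bind's journal, namedb 01775": may_unlink(root, namedb_sticky, journal),
    }


if __name__ == "__main__":
    for label, allowed in scenarios().items():
        print(f"{'allowed' if allowed else 'denied ':8} {label}")
```

Running it prints one line per case. In the teststicky session it is the directory-owner clause of sticky(8) that lets dougb remove root's file, because dougb owns the test directory; in a root-owned 01775 directory the group-write bit gets bind past the first check, and the sticky clause then admits only the file's owner or root, so bind can remove a journal it wrote but not a root-owned file. Clearing the sticky bit (0775) removes that second check entirely.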