Date:      Mon, 4 Aug 2008 15:55:10 +0800
From:      Eugene Grosbein <eugen@kuzbass.ru>
To:        Doug Barton <dougb@freebsd.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: permissions on /etc/namedb
Message-ID:  <20080804075510.GA28531@svzserv.kemerovo.su>
In-Reply-To: <4896A416.80602@FreeBSD.org>
References:  <20080803073803.GA10321@grosbein.pp.ru> <4895EB57.2000801@FreeBSD.org> <20080803183346.GA53252@svzserv.kemerovo.su> <4896997D.8060001@FreeBSD.org> <20080804060658.GA19639@svzserv.kemerovo.su> <4896A416.80602@FreeBSD.org>

On Sun, Aug 03, 2008 at 11:39:18PM -0700, Doug Barton wrote:

> >>>>>I need /etc/namedb to be owned by root:bind and have permissions 01775,
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>>>so bind may write to it but may not overwrite files that belong to root
> >>>>>here, and I made it so. 
> >>>>I understand your frustration with something having changed that you 
> >>>>did not expect. I would like to ask you though, what are you trying to 
> >>>>accomplish here? What you suggested isn't really good from a security 
> >>>>perspective because if an attacker does get in they can remove files 
> >>>>from the directory that are owned by root and replace them with their 
> >>>>own versions.
> >>>Can he? Doesn't sticky bit on the directory prevent him from that?
> >>That's a question that you can and should answer for yourself.
> >
> >That was a rhetorical question - I wished to give you a chance
> >to correct yourself :-) Cheer :-)
> 
> mkdir teststicky
> chmod 1755 teststicky/
> cd teststicky/
> sudo touch foofile
> 
> ls -la .
> total 6
> drwxr-xr-t   2 dougb  dougb   512 Aug  3 23:21 ./
> -rw-r--r--   1 root   dougb     0 Aug  3 23:21 foofile
> 
> rm foofile
> override rw-r--r--  root/wheel for foofile? y
> 
> ls -la
> total 6
> drwxr-xr-t   2 dougb  dougb   512 Aug  3 23:22 ./
> 
> You might also want to read sticky(8), especially the bit where it 
> says, "A file in a sticky directory may only be removed or renamed by 
> a user if the user has write permission for the directory and the user 
> is ... the owner of the directory ..."

Please reread the first line of quoted text in this message. 
Root is the owner of /etc/namedb for my case, and bind only has the right
to write to its own files and create new ones, not to touch root-owned files. 

> >>I think that your idea of "BIND's working directory" is probably 
> >>flawed
> >That's not my idea. From /var/log/messages:
> >Aug  3 15:02:18 host named[657]: the working directory is not writable
> That is a quaint reminder of a simpler time.

[skip]

> Also, I'm not sure whether you've actually looked at the default 
> named.conf or not, but the two most common files that someone would 
> want to write are the dump and statistics files, and there are already 
> suitable paths for those files provided, and the bind user can 
> actually write to them by default. It would be trivial to expand those 
> examples to other things that are of particular interest to you.

The default named.conf contains the following line:

	directory       "/etc/namedb";

That is "the working directory" which is not writable to bind by default,
hence the line mentioned in /var/log/messages. I dislike it when the default
configuration emits such warnings. So I decided to make it writable
in the hope that this setup will save me from future problems while still being secure.

Eugene Grosbein
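The two correspondents are testing different layouts: Doug's test directory is owned by the same user who runs rm, while Eugene's /etc/namedb is owned by root with group bind. The rule from sticky(8) that decides both cases is modelled below. This is an added illustration, not code from the thread or from FreeBSD; the uids and gids (dougb = 1001, bind = 53) are constructed values and the functions are named here for convenience.

```python
"""Model of the unlink/rename rule described in sticky(8), applied to the
two directory layouts discussed in the thread.

Added illustration, not code from the thread or from FreeBSD.  The numeric
ids below are constructed for the example.
"""
import stat

SUPERUSER = 0

# Constructed ids for the example.
ROOT = 0
DOUGB = 1001
BIND = 53


def has_dir_write(uid, gids, dir_owner, dir_group, dir_mode):
    """Classic owner/group/other check for the write bit on a directory.
    Only the first matching class is consulted, as the kernel does."""
    if uid == SUPERUSER:
        return True
    if uid == dir_owner:
        return bool(dir_mode & stat.S_IWUSR)
    if dir_group in gids:
        return bool(dir_mode & stat.S_IWGRP)
    return bool(dir_mode & stat.S_IWOTH)


def can_unlink(uid, gids, dir_owner, dir_group, dir_mode, file_owner):
    """sticky(8): removing or renaming an entry needs write permission on
    the directory; if the directory has the sticky bit, the caller must
    additionally own the file, own the directory, or be the superuser."""
    if not has_dir_write(uid, gids, dir_owner, dir_group, dir_mode):
        return False
    if not dir_mode & stat.S_ISVTX:
        return True
    return uid in (SUPERUSER, file_owner, dir_owner)


def doug_teststicky():
    """Doug's test: directory owned by dougb, mode 1755, file owned by root,
    and dougb runs rm.  dougb owns the directory, so the removal succeeds."""
    return can_unlink(DOUGB, {DOUGB}, DOUGB, DOUGB, 0o1755, ROOT)


def namedb_bind_removes_root_file():
    """Eugene's layout: /etc/namedb owned root:bind, mode 01775, file owned
    by root, bind runs rm.  bind has group write but owns neither the file
    nor the directory, so the sticky bit blocks the removal."""
    return can_unlink(BIND, {BIND}, ROOT, BIND, 0o1775, ROOT)


def namedb_bind_removes_own_file():
    """Same directory, but the file belongs to bind: allowed."""
    return can_unlink(BIND, {BIND}, ROOT, BIND, 0o1775, BIND)


def namedb_without_sticky():
    """Same directory with mode 0775 (no sticky bit): group write alone is
    enough for bind to remove root's file."""
    return can_unlink(BIND, {BIND}, ROOT, BIND, 0o775, ROOT)


if __name__ == "__main__":
    print("dougb rm root's file in dougb's 1755 dir:", doug_teststicky())
    print("bind rm root's file in root:bind 01775 dir:", namedb_bind_removes_root_file())
    print("bind rm its own file in root:bind 01775 dir:", namedb_bind_removes_own_file())
    print("bind rm root's file in root:bind 0775 dir:", namedb_without_sticky())
```

The model covers only what sticky(8) governs, unlink and rename of directory entries. It says nothing about the contents of a file that bind already owns or that carries a group-write bit; those are decided by the file's own mode, not by the directory.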



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080804075510.GA28531>