From owner-freebsd-net@FreeBSD.ORG Mon Aug 4 07:55:14 2008
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 70FF2106566B; Mon, 4 Aug 2008 07:55:14 +0000 (UTC) (envelope-from eugen@kuzbass.ru)
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.freebsd.org (Postfix) with ESMTP id B9BB48FC1C; Mon, 4 Aug 2008 07:55:13 +0000 (UTC) (envelope-from eugen@kuzbass.ru)
Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1]) by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id m747tAXm030462; Mon, 4 Aug 2008 15:55:10 +0800 (KRAST) (envelope-from eugen@www.svzserv.kemerovo.su)
Received: (from eugen@localhost) by www.svzserv.kemerovo.su (8.13.8/8.13.8/Submit) id m747tAVg030461; Mon, 4 Aug 2008 15:55:10 +0800 (KRAST) (envelope-from eugen)
Date: Mon, 4 Aug 2008 15:55:10 +0800
From: Eugene Grosbein
To: Doug Barton
Message-ID: <20080804075510.GA28531@svzserv.kemerovo.su>
References: <20080803073803.GA10321@grosbein.pp.ru> <4895EB57.2000801@FreeBSD.org> <20080803183346.GA53252@svzserv.kemerovo.su> <4896997D.8060001@FreeBSD.org> <20080804060658.GA19639@svzserv.kemerovo.su> <4896A416.80602@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4896A416.80602@FreeBSD.org>
User-Agent: Mutt/1.4.2.3i
Cc: freebsd-net@freebsd.org
Subject: Re: permissions on /etc/namedb
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 04 Aug 2008 07:55:14 -0000

On Sun, Aug 03, 2008 at 11:39:18PM -0700, Doug Barton wrote:

> >>>>> I need /etc/namedb to be owned by root:bind and have permissions 01775,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>>> so bind may write to it but may not overwrite files that belong to root
> >>>>> here, and I made it so.
> >>>> I understand your frustration with something having changed that you
> >>>> did not expect. I would like to ask you though, what are you trying to
> >>>> accomplish here? What you suggested isn't really good from a security
> >>>> perspective because if an attacker does get in they can remove files
> >>>> from the directory that are owned by root and replace them with their
> >>>> own versions.
> >>> Can he? Doesn't the sticky bit on the directory prevent him from that?
> >> That's a question that you can and should answer for yourself.
> >
> > That was a rhetorical question - I wished to give you a chance
> > to correct yourself :-)
>
> Cheer :-)
>
> mkdir teststicky
> chmod 1755 teststicky/
> cd teststicky/
> sudo touch foofile
>
> ls -la .
> total 6
> drwxr-xr-t  2 dougb  dougb  512 Aug  3 23:21 ./
> -rw-r--r--  1 root   dougb    0 Aug  3 23:21 foofile
>
> rm foofile
> override rw-r--r--  root/wheel for foofile? y
>
> ls -la
> total 6
> drwxr-xr-t  2 dougb  dougb  512 Aug  3 23:22 ./
>
> You might also want to read sticky(8), especially the bit where it
> says, "A file in a sticky directory may only be removed or renamed by
> a user if the user has write permission for the directory and the user
> is ... the owner of the directory ..."

Please reread the first line of quoted text in this message.
Root is the owner of /etc/namedb in my case, and bind only has the right
to write to its own files and create new ones, not to touch root-owned files.

> >> I think that your idea of "BIND's working directory" is probably
> >> flawed
> > That's not my idea. From /var/log/messages:
> > Aug  3 15:02:18 host named[657]: the working directory is not writable
> That is a quaint reminder of a simpler time.

[skip]

> Also, I'm not sure whether you've actually looked at the default
> named.conf or not, but the two most common files that someone would
> want to write are the dump and statistics files, and there are already
> suitable paths for those files provided, and the bind user can
> actually write to them by default. It would be trivial to expand those
> examples to other things that are of particular interest to you.

The default named.conf contains the following line:

directory "/etc/namedb";

That is "the working directory" which is not writable by bind by default,
hence the mentioned line in /var/log/messages. I dislike it when the default
configuration emits such warnings. So I decided to make it writable in the
hope that this setup will save me from future problems while still being secure.

Eugene Grosbein
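The disagreement above comes down to one rule from sticky(8): in a sticky directory a file may be removed or renamed only by a user who has write permission on the directory and is the file's owner, the directory's owner, or the superuser. Doug's demo passes because dougb owns teststicky; Eugene's /etc/namedb is owned by root, so the same rule denies bind. The following is an added illustration, not code from either poster or from FreeBSD: it models that rule in pure Python so both setups can be compared side by side without root, sudo or a second account. All UIDs, GIDs and file names are constructed for the example (bind as 53:53 mirrors a default FreeBSD install but is an assumption here, as is dougb as 1001:1001).

```python
"""Model of the sticky(8) unlink/rename rule discussed in the thread.

Added example, not FreeBSD kernel code: it re-implements the rule quoted
from sticky(8) plus the classic owner/group/other write check, so the
scenarios in the thread can be evaluated without privileges.
"""
import stat
from dataclasses import dataclass

ROOT_UID = 0


@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset  # primary + supplementary groups


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits incl. sticky, e.g. 0o1775


def has_write(user: User, node: Inode) -> bool:
    """Unix class selection: the first matching class (owner, then group,
    then other) decides; there is no fall-through to a laxer class."""
    if user.uid == ROOT_UID:
        return True
    if user.uid == node.uid:
        return bool(node.mode & stat.S_IWUSR)
    if node.gid in user.gids:
        return bool(node.mode & stat.S_IWGRP)
    return bool(node.mode & stat.S_IWOTH)


def can_unlink(user: User, directory: Inode, entry: Inode) -> bool:
    """May `user` unlink or rename `entry`, which lives in `directory`?

    Directory write access is always required.  With the sticky bit set the
    sticky(8) ownership test is added.  The mode of `entry` itself plays no
    part: that is only why rm(1) asks 'override ...?' before it unlinks."""
    if not has_write(user, directory):
        return False
    if not directory.mode & stat.S_ISVTX:
        return True
    return user.uid in (ROOT_UID, entry.uid, directory.uid)


# --- constructed scenarios (uids/gids are assumptions for the example) ----
DOUGB = User(uid=1001, gids=frozenset({1001}))  # constructed
BIND = User(uid=53, gids=frozenset({53}))       # assumed FreeBSD bind:bind
ROOT = User(uid=0, gids=frozenset({0}))

# Doug's demo: directory owned by dougb, mode 1755, root-owned file inside.
teststicky = Inode(uid=1001, gid=1001, mode=0o1755)
foofile = Inode(uid=0, gid=1001, mode=0o644)

# Eugene's setup: /etc/namedb root:bind 01775.
namedb = Inode(uid=0, gid=53, mode=0o1775)
named_conf = Inode(uid=0, gid=0, mode=0o644)    # root-owned config
bind_file = Inode(uid=53, gid=53, mode=0o644)   # a file bind created itself
namedb_nosticky = Inode(uid=0, gid=53, mode=0o775)  # same dir, sticky cleared


def scenarios() -> dict:
    """Each entry: True means unlink/rename is allowed, False means EPERM."""
    return {
        "dougb rm foofile (dougb owns dir, 1755)": can_unlink(DOUGB, teststicky, foofile),
        "bind rm named.conf (root owns dir, 01775)": can_unlink(BIND, namedb, named_conf),
        "bind rm its own file (01775)": can_unlink(BIND, namedb, bind_file),
        "bind rm named.conf (0775, no sticky)": can_unlink(BIND, namedb_nosticky, named_conf),
        "root rm bind's file (01775)": can_unlink(ROOT, namedb, bind_file),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label:45} -> {'allowed' if ok else 'EPERM'}")
```

The 0775-without-sticky row is the case Doug warned about: group write on the directory alone lets bind unlink root-owned files. With the sticky bit and root as directory owner, bind can create files and remove or rename only its own. The model covers unlink and rename only; whether bind can modify a root-owned file in place depends on that file's own mode bits, not on the directory, and ACLs or chflags(1) immutable flags are outside it.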