From owner-freebsd-net@FreeBSD.ORG Mon Aug 4 09:00:03 2008
Delivered-To: freebsd-net@freebsd.org
Date: Mon, 4 Aug 2008 10:44:59 +0200 (CEST)
From: "Remko Lodder" <remko@elvandar.org>
To: "Eugene Grosbein"
Cc: freebsd-net@freebsd.org, Doug Barton
Subject: Re: permissions on /etc/namedb
In-Reply-To: <20080804075510.GA28531@svzserv.kemerovo.su>
References: <20080803073803.GA10321@grosbein.pp.ru> <4895EB57.2000801@FreeBSD.org> <20080803183346.GA53252@svzserv.kemerovo.su> <4896997D.8060001@FreeBSD.org> <20080804060658.GA19639@svzserv.kemerovo.su> <4896A416.80602@FreeBSD.org> <20080804075510.GA28531@svzserv.kemerovo.su>
User-Agent: SquirrelMail/1.4.15
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Reply-To: remko@elvandar.org
List-Id: Networking and TCP/IP with FreeBSD
X-Mailman-Version: 2.1.5
Precedence: list
X-List-Received-Date: Mon, 04 Aug 2008 09:00:04 -0000

On Mon, August 4, 2008 9:55 am, Eugene Grosbein wrote:
> On Sun, Aug 03, 2008 at 11:39:18PM -0700, Doug Barton wrote:
>
>> >>>>>I need /etc/namedb to be owned by root:bind and have permissions 01775,
>                                                       ^^^^^^^^^^^^^^^^^^^^^^^^
>> >>>>>so bind may write to it but may not overwrite files that belong to root
>> >>>>>here, and I made it so.
>> >>>>I understand your frustration with something having changed that you
>> >>>>did not expect. I would like to ask you though, what are you trying to
>> >>>>accomplish here? What you suggested isn't really good from a security
>> >>>>perspective because if an attacker does get in they can remove files
>> >>>>from the directory that are owned by root and replace them with their
>> >>>>own versions.
>> >>>Can he? Doesn't the sticky bit on the directory prevent him from that?
>> >>That's a question that you can and should answer for yourself.
>> >
>> >That was a rhetorical question - I wished to give you a chance
>> >to correct yourself :-) Cheer :-)
>>
>> mkdir teststicky
>> chmod 1755 teststicky/
>> cd teststicky/
>> sudo touch foofile
>>
>> ls -la .
>> total 6
>> drwxr-xr-t  2 dougb  dougb  512 Aug  3 23:21 ./
>> -rw-r--r--  1 root   dougb    0 Aug  3 23:21 foofile
>>
>> rm foofile
>> override rw-r--r--  root/wheel for foofile? y
>>
>> ls -la
>> total 6
>> drwxr-xr-t  2 dougb  dougb  512 Aug  3 23:22 ./
>>
>> You might also want to read sticky(8), especially the bit where it
>> says, "A file in a sticky directory may only be removed or renamed by
>> a user if the user has write permission for the directory and the user
>> is ... the owner of the directory ..."
>
> Please reread the first line of quoted text in this message.
> Root is the owner of /etc/namedb in my case, and bind only has the right
> to write to its own files and create new ones, not to touch root-owned files.
>
>> >>I think that your idea of "BIND's working directory" is probably
>> >>flawed
>> >That's not my idea. From /var/log/messages:
>> >Aug  3 15:02:18 host named[657]: the working directory is not writable
>> That is a quaint reminder of a simpler time.
>
> [skip]
>
>> Also, I'm not sure whether you've actually looked at the default
>> named.conf or not, but the two most common files that someone would
>> want to write are the dump and statistics files, and there are already
>> suitable paths for those files provided, and the bind user can
>> actually write to them by default. It would be trivial to expand those
>> examples to other things that are of particular interest to you.
>
> The default named.conf contains the following line:
>
> directory "/etc/namedb";
>
> That is "the working directory" which is not writable by bind by default,
> hence the mentioned line in /var/log/messages. I dislike it when the default
> configuration emits such warnings. So I decided to make it writable
> in the hope that this setup will save me from future problems while still being secure.
>
> Eugene Grosbein
> _______________________________________________

Hello,

I like the unwritable /etc/namedb directory for bind, so that one is "forced" to create directories for bind which it has write access to. You do not want to clobber the /etc/namedb directory with files (imo) ;)

Cheers
remko

-- 
/"\   Best regards,                        | remko@FreeBSD.org
\ /   Remko Lodder                         | remko@EFnet
 X    http://www.evilcoder.org/            |
/ \   ASCII Ribbon Campaign                | Against HTML Mail and News
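The disagreement above turns on the exact wording of the sticky(8) rule Doug quoted. As an added illustration, not part of the original mail or of FreeBSD's code, the following Python models that rule together with the ordinary owner/group/other write check and applies it to both layouts in the thread: Eugene's root:bind 01775 /etc/namedb holding a root-owned named.conf, and Doug's dougb-owned 1755 test directory holding a root-owned foofile. The numeric uids (53 for bind, 1001 for dougb) and the file modes are assumptions chosen to match the thread; ACLs, chflags(1) file flags and other MAC layers are deliberately left out.

```python
"""Model of the sticky(8) unlink/rename rule applied to the two /etc/namedb
layouts argued about in this thread.  Added example; not code from the
original mail or from FreeBSD.  Numeric uids/gids are assumptions."""
from dataclasses import dataclass

S_ISVTX = 0o1000                     # sticky bit on a directory
S_IWUSR, S_IWGRP, S_IWOTH = 0o200, 0o020, 0o002


@dataclass(frozen=True)
class Principal:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary groups


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int                        # permission bits, including S_ISVTX


def may_write(p: Principal, node: Inode) -> bool:
    """Classic owner/group/other write check; ignores ACLs and file flags."""
    if p.uid == 0:
        return True
    if p.uid == node.uid:
        return bool(node.mode & S_IWUSR)
    if node.gid == p.gid or node.gid in p.groups:
        return bool(node.mode & S_IWGRP)
    return bool(node.mode & S_IWOTH)


def may_unlink(p: Principal, directory: Inode, target: Inode) -> bool:
    """sticky(8): in a sticky directory a file may be removed or renamed only
    by a user who has write permission on the directory AND is the owner of
    the file, the owner of the directory, or the super-user.  Without the
    sticky bit, write permission on the directory alone suffices."""
    if not may_write(p, directory):
        return False
    if not directory.mode & S_ISVTX:
        return True
    return p.uid == 0 or p.uid == directory.uid or p.uid == target.uid


# Constructed principals.  uid 53 is what FreeBSD's base system uses for
# bind, but it is an assumption here; dougb's uid is invented.
ROOT = Principal(uid=0, gid=0)
BIND = Principal(uid=53, gid=53)
DOUGB = Principal(uid=1001, gid=1001)


def scenarios() -> dict:
    """Evaluate the layouts discussed in the thread; returns name -> allowed."""
    # Eugene's layout: /etc/namedb root:bind 01775, root-owned named.conf 0644,
    # plus a file bind created itself.
    namedb_sticky = Inode(uid=0, gid=53, mode=0o1775)
    named_conf = Inode(uid=0, gid=0, mode=0o644)
    bind_file = Inode(uid=53, gid=53, mode=0o644)
    # Same layout without the sticky bit, for contrast.
    namedb_plain = Inode(uid=0, gid=53, mode=0o775)
    # Doug's demonstration: directory owned by the testing user, mode 1755,
    # containing a root-owned file.
    teststicky = Inode(uid=1001, gid=1001, mode=0o1755)
    foofile = Inode(uid=0, gid=1001, mode=0o644)
    return {
        "bind creates a new file in namedb (01775)": may_write(BIND, namedb_sticky),
        "bind unlinks root-owned named.conf (01775)": may_unlink(BIND, namedb_sticky, named_conf),
        "bind overwrites root-owned named.conf (0644)": may_write(BIND, named_conf),
        "bind unlinks its own file (01775)": may_unlink(BIND, namedb_sticky, bind_file),
        "bind unlinks root-owned named.conf (0775, no sticky)": may_unlink(BIND, namedb_plain, named_conf),
        "dougb unlinks root-owned foofile in own 1755 dir": may_unlink(DOUGB, teststicky, foofile),
        "root unlinks bind's file": may_unlink(ROOT, namedb_sticky, bind_file),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{'allowed' if allowed else 'denied':8} {name}")
```

Run as a script it prints one verdict per scenario. The model makes both observations in the thread consistent with each other: dougb could remove a root-owned file from his 1755 directory because he owned the directory, while bind, owning neither /etc/namedb nor named.conf, can neither remove nor overwrite root-owned files there, although it can still create new files in the directory, which is the residual exposure a reviewer of such a layout would want to weigh.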