Incorrect permissions for created configuration files #320

Closed
karlism opened this Issue May 31, 2016 · 4 comments

karlism commented May 31, 2016

BIND configuration files that are created by facileManager have incorrect permissions:

$ pwd
/var/named/chroot/etc
$ ls -la named.conf*
-rw-r--r--. 1 named root 703 May 31 12:33 named.conf
-rw-r--r--. 1 named root 193 May 31 12:33 named.conf.keys
I don't think that the named user should have rw access to the named.conf file, considering that it only needs to read it.
The named.conf.keys file should also have stricter permissions and shouldn't be readable by anyone (except the root and named users) because it contains sensitive information.

Owner

WillyXJ commented May 31, 2016

Thanks for the suggestion. fmDNS creates the files with permissions based on the default install of bind9 (Debian-based) and bind (RHEL-based). It shouldn't be much effort to change the permissions in the code.

karlism commented Jun 1, 2016

I've just installed bind-9.9.4-29.el7_2.3 on CentOS 7 and the default file permissions are the following:
$ ls -la /etc/named.conf
-rw-r-----. 1 root named 1558 Jun 1 2015 /etc/named.conf

As for the key files, the only available keys in default installation are ISC public keys, which are not supposed to be secret:
$ ls -la /etc/named.*.key
-rw-r--r--. 1 root named 2389 Mar 16 15:40 /etc/named.iscdlv.key
-rw-r--r--. 1 root named 487 Jul 19 2010 /etc/named.root.key

@WillyXJ WillyXJ added the Security label Jun 1, 2016

Owner

WillyXJ commented Jun 1, 2016

Ah, after the files are written to disk, a chown is run instead of a chgrp, which allows named to write slave files; however, it inadvertently allows named to write to configuration files. This will need to be fixed.
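The mismatch described above (a chown that hands the generated config files to `named`) is the kind of regression a post-deploy check catches. The following is an added example, not facileManager's code: it audits the `ls -la` lines quoted in this issue (or a live path via os.stat) against an assumed root:named 0640 policy modelled on the CentOS 7 default quoted earlier; the POLICY table and the `named.conf.keys` secrecy rule are assumptions made for the example.

```python
import os, stat, pwd, grp

# Expected owner, group and maximum mode per file, modelled on the CentOS 7
# default quoted above (root:named 0640); an assumption made for this example.
POLICY = {
    "named.conf":      ("root", "named", 0o640),
    "named.conf.keys": ("root", "named", 0o640),  # TSIG secrets: never world-readable
}
_BITS = (0o400, 0o200, 0o100, 0o040, 0o020, 0o010, 0o004, 0o002, 0o001)

def mode_from_string(perms):
    """Turn the 'rw-r--r--' part of an ls -l line into an octal mode."""
    return sum(bit for ch, bit in zip(perms, _BITS) if ch not in "-ST")

def parse_ls_line(line):
    """Parse one `ls -la` line (SELinux '.' suffix tolerated) into (name, mode, owner, group)."""
    f = line.split()
    return os.path.basename(f[-1]), mode_from_string(f[0][1:10]), f[2], f[3]

def stat_path(path):
    """Same tuple as parse_ls_line, taken from a live file via os.stat."""
    st = os.stat(path)
    return (os.path.basename(path), stat.S_IMODE(st.st_mode),
            pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name)

def audit(name, mode, owner, group):
    """Return findings for one file; an empty list means it matches POLICY."""
    if name not in POLICY:
        return []
    want_owner, want_group, max_mode = POLICY[name]
    findings = []
    if owner != want_owner:
        findings.append(f"{name}: owned by {owner}, expected {want_owner} (owner may rewrite it)")
    if group != want_group:
        findings.append(f"{name}: group {group}, expected {want_group}")
    extra = mode & ~max_mode
    if extra:
        scope = "world-accessible" if extra & 0o007 else "too permissive"
        findings.append(f"{name}: mode {mode:04o} exceeds {max_mode:04o}, {scope}")
    return findings

def audit_listing(text):
    return [f for line in text.splitlines() if line.strip()
            for f in audit(*parse_ls_line(line))]

# Constructed sample: the listing quoted in the issue (files owned by `named`).
SAMPLE_LISTING = """\
-rw-r--r--. 1 named root 703 May 31 12:33 named.conf
-rw-r--r--. 1 named root 193 May 31 12:33 named.conf.keys
"""
```

Running `audit_listing(SAMPLE_LISTING)` reports three findings per file (wrong owner, wrong group, world-readable), while the CentOS 7 default `root:named 0640` produces none.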

WillyXJ added a commit that referenced this issue Jul 21, 2016

Owner

WillyXJ commented Jul 22, 2016

This has been fixed in v2.2.4.

@WillyXJ WillyXJ closed this Jul 22, 2016
