On Wed, 29 Oct 2008, Chris Buxton wrote: > On Oct 29, 2008, at 10:59 AM, David Forrest wrote: >> Currently /etc/update-keys has mode 600, which, because dhcpd runs as >> root appears to do the same as using a common group. I am just >> considering what havoc could result from a hacked named by allowing the >> rogue user named to read the secret and poison an internal view zone >> file. I do not use nsupdate on my external view zones as they haven't >> changed in years and I can put up with the [rndc freeze; vi <zone>; >> rndc thaw] procedure. I'm thinking the hacker could not do much as user >> named with nsupdate anyway but just asking, "Is it wise?" > > Your name server needs to be able to read the keys. Period. You can't > avoid this, other than not using keys (not recommended). > > It's true that an attacker who broke in through the named process > could then read the keys and perform mischief thereafter with your > zone data. The only thing you can do to mitigate this beyond running a > current version of named is to try to stop someone from breaking in > through named. That means using hardening tools such as an intrusion > prevention system (IPS), a mandatory access control system (MAC), and > hardening compiler tools when building named (including enabling PIC > in the ./configure step). > > However, named itself is pretty secure, and there haven't been many > code-execution exploits in recent years. That isn't to say one won't > be discovered and exploited before you have a chance to update, only > that it isn't a common occurrence. > > Chris Buxton > Professional Services > Men & Mice
I understand. I went to using the update-keys file to avoid putting the key in plaintext in named.conf. I thought bind read the conf file before it dropped root privileges and changed to the user with the -u option. It seems that reading it after becoming an unprivileged user negates some of the advantages of keeping the key secret. I did have the key in the conf file and, while it may seem more private in a key file, it turns out to not be the case. I will have to live with it though. Thanks for the comment, Dave David Forrest e-mail: drf @ maplepark.com Maple Park Development Corporation http://www.maplepark.com St. Louis, Missouri
