On Fri, 09 Jan 2009 00:00:15 +1100 Bruce Tulloch wrote
> This bug still exists in lenny as of today (bind9/1:9.5.0.dfsg.P2-4)
> despite it being reported as fixed in bind9/1:9.5.0.dfsg.P2-1.

Also exists today with bind9/lenny up to date, 1:9.5.1.dfsg.P3-1+lenny1
(presumably after the DNS cache poisoning update CVE-2009-4022)

> Clearly the maintainer scripts in bind9/1:9.5.0.dfsg.P2-4 are *still*
> setting the ownership permissions for /etc/bind/rndc.key incorrectly. 

I also think so :-(

> What is not clear to me is why ownership of bind.bind does not work.

I'd guess it's because of no capabilities settings. It does:

25342 capget(0x20080522, 0, NULL)       = -1 EFAULT (Bad address)
25342 capget(0x20080522, 0, NULL)       = -1 EFAULT (Bad address)
25342 capget(0x20080522, 0, {CAP_DAC_READ_SEARCH|CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE|CAP_SYS_CHROOT|CAP_SYS_RESOURCE, CAP_DAC_READ_SEARCH|CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE|CAP_SYS_CHROOT|CAP_SYS_RESOURCE, 0}) = 0
25342 getuid()                          = 0
25342 capset(0x20080522, 0, {CAP_NET_BIND_SERVICE|CAP_SYS_RESOURCE, CAP_NET_BIND_SERVICE|CAP_SYS_RESOURCE, 0}) = 0

and then, with /etc/bind/rndc.key owned by bind:bind, rw-r-----,
and no setuid, it runs the following sequence (all but the last
line are for context)

25344 open("/etc/bind/named.conf", O_RDONLY) = 9
25344 fstat(9, {st_mode=S_IFREG|0640, st_size=1091, ...}) = 0
25344 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f48e9616000
25344 read(9, "// This is the primary configurat"..., 4096) = 1091
25344 open("/etc/bind/named.conf.options", O_RDONLY) = 10
25344 fstat(10, {st_mode=S_IFREG|0640, st_size=2786, ...}) = 0
25344 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f48e9615000
25344 read(10, "acl trusted_ns {\n\t194.243.254.162"..., 4096) = 2786
25344 open("/etc/bind/rndc.key", O_RDONLY) = -1 EACCES (Permission denied)

And thereafter fails.

The usual workaround, chown root /etc/bind/rndc.key, still works...


