permissions on /etc/namedb

Doug Barton dougb at FreeBSD.org
Mon Aug 4 06:39:21 UTC 2008


Eugene Grosbein wrote:
> On Sun, Aug 03, 2008 at 10:54:05PM -0700, Doug Barton wrote:
> 
>>>>> I need /etc/namedb to be owned by root:bind and have permissions 01775,
>>>>> so bind may write to it but may not overwrite files that belong to root
>>>>> here, and I made it so. 
>>>> I understand your frustration with something having changed that you 
>>>> did not expect. I would like to ask you though, what are you trying to 
>>>> accomplish here? What you suggested isn't really good from a security 
>>>> perspective because if an attacker does get in they can remove files 
>>>> from the directory that are owned by root and replace them with their 
>>>> own versions.
>>> Can he? Doesn't sticky bit on the directory prevent him from that?
>> That's a question that you can and should answer for yourself.
> 
> That was a rhetorical question - I wished to give you a chance
> to correct yourself :-) Cheer :-)

mkdir teststicky
chmod 1755 teststicky/
cd teststicky/
sudo touch foofile

ls -la .
total 6
drwxr-xr-t   2 dougb  dougb   512 Aug  3 23:21 ./
-rw-r--r--   1 root   dougb     0 Aug  3 23:21 foofile

rm foofile
override rw-r--r--  root/wheel for foofile? y

ls -la
total 6
drwxr-xr-t   2 dougb  dougb   512 Aug  3 23:22 ./

You might also want to read sticky(8), especially the bit where it 
says, "A file in a sticky directory may only be removed or renamed by 
a user if the user has write permission for the directory and the user 
is ... the owner of the directory ..."

>>>> If you give me a better idea what you're trying to do then I can give 
>>>> you some suggestions on how to make it happen.
>>> Well, I just want bind to be allowed to write to its working directory.
>> I think that your idea of "BIND's working directory" is probably 
>> flawed
> 
> That's not my idea. From /var/log/messages:
> 
> Aug  3 15:02:18 host named[657]: the working directory is not writable

That is a quaint reminder of a simpler time. It's far better nowadays 
to separate the idea of configuration directories and directories that 
named should write to. (One could easily make the argument that this 
division should have been enforced from the start, and personally I 
never liked having named dropping stuff all over my config directory, 
but I digress.)

>> but if what you want is to make /etc/namedb writable by the 
>> bind user and have it persist from boot to boot someone else already 
>> told you how to do that, so good luck.
> 
> Sigh... I have to study mtree now.

If it takes you more than 5 minutes, give up. :)

> And for what reason? Just because the system thinks it knows better what user needs.

You previously agreed with me that the defaults should be appropriate 
for non-expert users, and I would still argue that they are.

Also, I'm not sure whether you've actually looked at the default 
named.conf or not, but the two most common files that someone would 
want to write are the dump and statistics files, and there are already 
suitable paths for those files provided, and the bind user can 
actually write to them by default. It would be trivial to expand those 
examples to other things that are of particular interest to you.

Meanwhile, it's obvious to me that you are determined to go a certain 
direction with this, so once again I wish you luck.


Doug

-- 

     This .signature sanitized for your protection
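The sticky(8) rule quoted in the message above, written out as a small permission check and applied to both layouts the thread discusses (the dougb-owned test directory, and a /etc/namedb that is root:bind with mode 01775). This is an added example, not code from the thread or from FreeBSD; the user and group ids are constructed, and ACLs and root's other privileges are ignored.

```python
import stat
from collections import namedtuple

# Constructed model of the sticky(8) unlink rule, not code from the thread.
Inode = namedtuple("Inode", "uid gid mode")  # mode holds full st_mode bits
ROOT_UID = 0

def has_write(uid, gids, node):
    """Plain owner/group/other write check (no ACLs; root always passes)."""
    if uid == ROOT_UID:
        return True
    if uid == node.uid:
        return bool(node.mode & stat.S_IWUSR)
    if node.gid in gids:
        return bool(node.mode & stat.S_IWGRP)
    return bool(node.mode & stat.S_IWOTH)

def can_unlink(uid, gids, directory, entry):
    """May uid remove or rename `entry` inside `directory`?  Only the
    directory's write bit matters; the entry's own mode is never consulted
    (rm merely *asks* before removing a read-only file).  With the sticky bit
    set the caller must also own the entry, own the directory, or be root.
    Search permission on the directory is assumed."""
    if not has_write(uid, gids, directory):
        return False
    if not directory.mode & stat.S_ISVTX:
        return True
    return uid in (ROOT_UID, entry.uid, directory.uid)

# Constructed ids (uid == primary gid for brevity); real values differ.
DOUGB, BIND = 1001, 53

# Doug's test: sticky 1755 directory owned by dougb, file touched by root.
teststicky = Inode(DOUGB, DOUGB, stat.S_IFDIR | 0o1755)
foofile = Inode(ROOT_UID, DOUGB, stat.S_IFREG | 0o644)

# Eugene's layout: /etc/namedb root:bind 01775, root-owned config, bind-owned dump.
namedb = Inode(ROOT_UID, BIND, stat.S_IFDIR | 0o1775)
named_conf = Inode(ROOT_UID, 0, stat.S_IFREG | 0o644)
named_dump = Inode(BIND, BIND, stat.S_IFREG | 0o644)

def dir_owner_removes_root_file():
    return can_unlink(DOUGB, {DOUGB}, teststicky, foofile)  # True

def bind_removes_root_file():
    return can_unlink(BIND, {BIND}, namedb, named_conf)  # False: owns neither

def bind_removes_own_file():
    return can_unlink(BIND, {BIND}, namedb, named_dump)  # True
```

The first case reproduces the rm session in the message: the directory owner passes the sticky check regardless of who owns the file, which is the point to keep in mind when choosing who owns a group-writable directory.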
