permissions on /etc/namedb

Doug Barton dougb at FreeBSD.org
Mon Aug 4 05:54:08 UTC 2008


Eugene Grosbein wrote:
> On Sun, Aug 03, 2008 at 10:31:03AM -0700, Doug Barton wrote:
> 
>>> I need /etc/namedb to be owned by root:bind and have permissions 01775,
>>> so bind may write to it but may not overwrite files that belong to root
>>> here, and I made it so. 
>> I understand your frustration with something having changed that you 
>> did not expect. I would like to ask you though, what are you trying to 
>> accomplish here? What you suggested isn't really good from a security 
>> perspective because if an attacker does get in they can remove files 
>> from the directory that are owned by root and replace them with their 
>> own versions.
> 
> Can he? Doesn't sticky bit on the directory prevent him from that?

That's a question that you can and should answer for yourself. (In 
fact one could argue that you should have answered that for yourself 
before you tried to set it up that way, but I digress.) :)

>> If you give me a better idea what you're trying to do then I can give 
>> you some suggestions on how to make it happen.
> 
> Well, I just want bind to be allowed to write to its working directory.

I think that your idea of "BIND's working directory" is probably 
flawed, but if what you want is to make /etc/namedb writable by the 
bind user and have it persist from boot to boot someone else already 
told you how to do that, so good luck.


Doug
PS, if you get pWn3d I don't want to hear any whinging. :)

-- 

     This .signature sanitized for your protection
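The thread turns on whether the sticky bit on a 01775 directory stops the bind user from removing root-owned files. The following is an added model of the classic Unix rule (not code from this thread or from FreeBSD): removing or renaming an entry needs write permission on the directory, and in a sticky directory additionally requires being the file's owner, the directory's owner, or root; creating a new entry needs only write and search permission on the directory. The uids, modes and file names are constructed for the illustration; the model ignores ACLs and FreeBSD file flags such as schg, which can restrict things further.

```python
from dataclasses import dataclass

S_ISVTX = 0o1000  # sticky bit, the leading "1" in 01775


@dataclass(frozen=True)
class Node:
    """Ownership and mode bits of a file or directory."""
    uid: int
    gid: int
    mode: int


@dataclass(frozen=True)
class User:
    """A process identity: uid plus every gid it is a member of."""
    uid: int
    groups: frozenset


def _has_bit(user, node, owner_bit, group_bit, other_bit):
    # Unix picks exactly one class of bits: owner if uid matches,
    # else group if any gid matches, else other. Root bypasses all.
    if user.uid == 0:
        return True
    if user.uid == node.uid:
        return bool(node.mode & owner_bit)
    if node.gid in user.groups:
        return bool(node.mode & group_bit)
    return bool(node.mode & other_bit)


def has_write(user, node):
    return _has_bit(user, node, 0o200, 0o020, 0o002)


def has_search(user, node):
    return _has_bit(user, node, 0o100, 0o010, 0o001)


def may_create(user, directory):
    """New entries need write + search on the directory, nothing else."""
    return has_write(user, directory) and has_search(user, directory)


def may_unlink(user, directory, target):
    """Remove/rename rule; the sticky bit adds the ownership test."""
    if not (has_write(user, directory) and has_search(user, directory)):
        return False
    if not directory.mode & S_ISVTX:
        return True
    return user.uid in (0, target.uid, directory.uid)


# Constructed sample: bind as uid/gid 53 (hypothetical values for this
# model), an unrelated local user, and /etc/namedb in the two layouts
# discussed in the thread.
ROOT = User(0, frozenset({0}))
BIND = User(53, frozenset({53}))
OTHER = User(1001, frozenset({1001}))

NAMEDB_STICKY = Node(uid=0, gid=53, mode=0o1775)   # root:bind 01775
NAMEDB_PLAIN = Node(uid=0, gid=53, mode=0o775)     # same without sticky
ROOT_FILE = Node(uid=0, gid=0, mode=0o644)         # e.g. a root-owned config
BIND_FILE = Node(uid=53, gid=53, mode=0o644)       # a file bind wrote itself


def summarize():
    """What each identity can do in each layout; returns (label, result)."""
    return [
        ("bind creates file in 01775 dir", may_create(BIND, NAMEDB_STICKY)),
        ("bind unlinks root file, 01775", may_unlink(BIND, NAMEDB_STICKY, ROOT_FILE)),
        ("bind unlinks own file, 01775", may_unlink(BIND, NAMEDB_STICKY, BIND_FILE)),
        ("bind unlinks root file, 0775", may_unlink(BIND, NAMEDB_PLAIN, ROOT_FILE)),
        ("other unlinks bind file, 01775", may_unlink(OTHER, NAMEDB_STICKY, BIND_FILE)),
        ("root unlinks bind file, 01775", may_unlink(ROOT, NAMEDB_STICKY, BIND_FILE)),
    ]


if __name__ == "__main__":
    for label, allowed in summarize():
        print(f"{label:36s} {'allowed' if allowed else 'denied'}")
```

Under this model the sticky bit does block the bind uid from unlinking or renaming root-owned entries, which is the answer to the question asked in the thread; what it does not block is the bind uid creating or replacing its own files in the directory, so anything named reads from there that is not root-owned remains writable by a compromised named process.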
