NetBSD-Bugs archive
bin/53652: Change permission of namedb directory
>Number: 53652
>Category: bin
>Synopsis: Change permission of namedb directory
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sat Oct 06 16:15:00 +0000 2018
>Originator: Takahiro Kambe
>Release: NetBSD 8.99.25
>Organization:
>Environment:
System: NetBSD currnet.a.back-street.net 8.99.25 NetBSD 8.99.25 (VMWARE-F10) #1: Mon Oct 1 01:14:33 JST 2018 taca%currnet.a.back-street.net@localhost:/data/amd64/obj/sys/arch/amd64/compile/VMWARE-F10 amd64
Architecture: x86_64
Machine: amd64
>Description:
Recent BIND assumes that the current directory, which is specified by
the "directory" statement in the "options" section, is writable by
the named process. In particular, when "named_chrootdir" is set to
"/var/chroot/named" in /etc/rc.conf:
* When checking for KSK rollover, "rndc secroots" would fail by
trying to write to the /var/chroot/named/etc/namedb directory
as the "named" user.
* With BIND 9.11 and later from pkgsrc, named does not start, as it
checks that the /var/chroot/named/etc/namedb directory is writable.
>How-To-Repeat:
Install pkgsrc/net/bind911 and start it from /etc/rc.d/named9.
>Fix:
Possible fix, allowing writes via group permission:
1. Add /var/chroot/named/etc/namedb/nta to /etc/mtree/special.
2. Remove the extra type=dir?
diff --git a/etc/mtree/NetBSD.dist.base b/etc/mtree/NetBSD.dist.base
index 3a488bacfc..cb40dd1518 100644
--- a/etc/mtree/NetBSD.dist.base
+++ b/etc/mtree/NetBSD.dist.base
@@ -37,7 +37,7 @@
./etc/kyua
./etc/mail
./etc/mtree
-./etc/namedb
+./etc/namedb mode=0775 gname=named
./etc/nsd
./etc/openldap
./etc/openssl
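Review bot: the mode=0775 gname=named line for ./etc/namedb widens the non-chroot layout as well, while the description only reports the chroot case; since this directory holds the zone files, group write lets the named user create, rename or unlink entries in it, so it would help to state whether the non-chroot path needs this too, or whether a dedicated writable subdirectory (as the existing cache, keys and nta entries already provide) satisfies recent BIND's check on the "directory" option.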
@@ -1259,10 +1259,10 @@
./var/chroot/named
./var/chroot/named/dev
./var/chroot/named/etc
-./var/chroot/named/etc/namedb
-./var/chroot/named/etc/namedb/cache mode=0775 uname=named gname=named
-./var/chroot/named/etc/namedb/keys type=dir mode=0775 uname=named gname=named
-./var/chroot/named/etc/namedb/nta type=dir mode=0775 uname=named gname=named
+./var/chroot/named/etc/namedb mode=0775 gname=named
+./var/chroot/named/etc/namedb/cache mode=0775 gname=named
+./var/chroot/named/etc/namedb/keys mode=0775 gname=named
+./var/chroot/named/etc/namedb/nta mode=0775 gname=named
./var/chroot/named/usr
./var/chroot/named/usr/libexec
./var/chroot/named/var
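Review bot: besides removing the extra type=dir, the new cache, keys and nta lines also drop uname=named, so the expected owner of those directories falls back to the spec's /set default rather than named; with mode=0775 gname=named the daemon keeps access through the group, but this is an ownership change on installed systems and should be called out in the commit message, or uname=named kept on the three lines if only the type=dir removal was intended.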
diff --git a/etc/mtree/special b/etc/mtree/special
index e38be7ceab..cb576692ad 100644
--- a/etc/mtree/special
+++ b/etc/mtree/special
@@ -123,7 +123,7 @@
./etc/mygate6 type=file mode=0644 optional
./etc/myname type=file mode=0644 optional
./etc/named.conf type=file mode=0644 optional
-./etc/namedb type=dir mode=0755
+./etc/namedb type=dir mode=0775 gname=named
./etc/netconfig type=file mode=0644
./etc/netgroup type=file mode=0644 optional
./etc/netstart.local type=file mode=0644 optional
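Review bot: /etc/mtree/special feeds the daily security check, so this line lowers the baseline that check enforces: a group-writable /etc/namedb will no longer be reported. The expected owner is not stated on the line, so whether a named-owned /etc/namedb would still be flagged depends on the file's /set defaults; adding uname explicitly here would make that intent unambiguous.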
@@ -400,9 +400,10 @@
./var/chroot/named type=dir mode=0755
./var/chroot/named/dev type=dir mode=0755
./var/chroot/named/etc type=dir mode=0755
-./var/chroot/named/etc/namedb type=dir mode=0755
-./var/chroot/named/etc/namedb/cache type=dir mode=0775 uname=named gname=named
-./var/chroot/named/etc/namedb/keys type=dir mode=0775 uname=named gname=named
+./var/chroot/named/etc/namedb type=dir mode=0775 gname=named
+./var/chroot/named/etc/namedb/cache type=dir mode=0775 gname=named
+./var/chroot/named/etc/namedb/keys type=dir mode=0775 gname=named
+./var/chroot/named/etc/namedb/nta type=dir mode=0775 gname=named
./var/chroot/named/usr type=dir mode=0755
./var/chroot/named/usr/libexec type=dir mode=0755
./var/chroot/named/var type=dir mode=0755
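Review bot: the added nta line matches item 1 of the fix, but the cache and keys lines also lose uname=named; on an installed system where those directories are owned by named as the previous spec required, the daily check against this file will report an owner mismatch until they are re-owned, so the commit should either keep uname=named on those lines or note that existing installations need their ownership fixed.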
>Unformatted: