Subject: pkg/14876: named should never run as root, at least not by default
To: None <gnats-bugs@gnats.netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 12/08/2001 19:36:17
>Number:         14876
>Category:       pkg
>Synopsis:       named should never run as root, at least not by default
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Dec 08 16:37:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Greg A. Woods
>Release:        pkgsrc-current 2001/12/08
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Environment:
System: NetBSD 1.5W
>Description:

	named should never run as root -- a default nobody-like user
	should always be used, at least by default.  To that end the
	pkgsrc module should always start it with a '-u' parameter.

	Unfortunately with virgin BIND this means you need to make
	/var/run writable by that user (or the primary group of that
	user), which opens users of /etc/rc.d/named up to exploit by a
	cracked named (i.e. root can be fooled into doing things to the
	wrong process(es)).  While this might be less risky than simply
	running named as root, it's still an unacceptable level of
	risk, especially since it would even effectively allow a cracker
	to sort of reach out of a chroot jail!

	The new patch to make named open and write the pid file before
	it drops privileges was provided by Brett Eldridge
	<beldridg@pobox.com> in response to my patch posted to BUGTRAQ
	for allowing the same in the latest few BIND-8 releases.

	Brett's patch is not perfect yet though as it still fails on
	'rndc reconfig' (this could probably most easily be fixed by
	simply changing the pid-file writing function to check if it's
	going to change the file before it attempts to open it for
	writing).  However even without reconfig support it's better
	this way than making /var/run writable by the unprivileged user!

	net/bind9 conflicts with net/bind8, and note also that bind-9
	should probably always be built on a virgin machine with no
	other version of bind-9 installed, at least until/unless the
	package is buildlink enabled (include file issues, IIRC, though
	potentially also ).  I haven't verified this recently, but it
	was true of an earlier 9.1.x release.

	"/etc/rc.d/named9 status" should do something more intelligent
	than just check the process with ps too...

	Other tiny nits are also fixed in the attached patch.

>How-To-Repeat:

>Fix:

cvs diff: Diffing net/bind9
Index: net/bind9/Makefile
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/net/bind9/Makefile,v
retrieving revision 1.37
diff -c -r1.37 Makefile
*** net/bind9/Makefile	27 Nov 2001 03:38:40 -0000	1.37
--- net/bind9/Makefile	8 Dec 2001 20:28:44 -0000
***************
*** 9,17 ****
--- 9,22 ----
  HOMEPAGE=	http://www.isc.org/products/BIND/
  COMMENT=	Version 9 of the Berkeley Internet Name Daemon, implementation of DNS
  
+ # different versions cannot be built if it's already installed....
+ # also conflicts with ../net/bind8
+ CONFLICTS=	bind-[0-9]*
+ 
  # IPv6 ready, automatically detected
  .include "../../mk/bsd.prefs.mk"
  BUILD_DEFS+=	USE_INET6
+ NAMED_USER?=	dns
  
  # No need to set USE_INET6, will auto-detect.
  BIND_VERSION=	9.2.0
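Review bot: NAMED_USER?= dns introduces a user that nothing in this hunk creates or checks for, so on a fresh machine `named -u dns` will fail at startup until the admin adds the account by hand; the package should either create the user at install time or at least document the requirement in MESSAGE/DESCR. Since the value is baked into the generated rc script, it should also be recorded with `BUILD_DEFS+= NAMED_USER` next to the existing `BUILD_DEFS+= USE_INET6` so it shows up in the package's build definitions.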
***************
*** 30,35 ****
--- 35,41 ----
  post-build:
  	${SED} \
  		-e 's|@PREFIX@|${PREFIX}|' \
+ 		-e 's|@NAMED_USER@|${NAMED_USER}|' \
  		<${FILESDIR}/named.sh >${WRKDIR}/named
  	${SED} \
  		-e 's|@PREFIX@|${PREFIX}|' \
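Review bot: the new `-e 's|@NAMED_USER@|${NAMED_USER}|'` is only applied to named.sh; the second ${SED} invocation that generates the lwresd script still substitutes @PREFIX@ alone, so if lwresd is meant to drop privileges the same way it needs the same substitution (and a matching `-u` in its script), otherwise a stray @NAMED_USER@ token in files/lwresd.sh would be installed verbatim.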
***************
*** 52,58 ****
  	(cd ${PREFIX}; ${FIND} share/doc/bind9 -type f -print ) >> ${PLIST_SRC}
  	(cd ${PREFIX}; ${FIND} share/doc/bind9 -type d -print ) | \
  		${SED} -e 's/^/@dirrm /' | sort -r >> ${PLIST_SRC}
! 	${INSTALL_DATA} ${WRKDIR}/named ${PREFIX}/etc/rc.d/named9
! 	${INSTALL_DATA} ${WRKDIR}/lwresd ${PREFIX}/etc/rc.d/lwresd
  
  .include "../../mk/bsd.pkg.mk"
--- 58,64 ----
  	(cd ${PREFIX}; ${FIND} share/doc/bind9 -type f -print ) >> ${PLIST_SRC}
  	(cd ${PREFIX}; ${FIND} share/doc/bind9 -type d -print ) | \
  		${SED} -e 's/^/@dirrm /' | sort -r >> ${PLIST_SRC}
! 	${INSTALL_SCRIPT} ${WRKDIR}/named ${PREFIX}/etc/rc.d/named9
! 	${INSTALL_SCRIPT} ${WRKDIR}/lwresd ${PREFIX}/etc/rc.d/lwresd
  
  .include "../../mk/bsd.pkg.mk"
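Review bot: switching these two lines from ${INSTALL_DATA} to ${INSTALL_SCRIPT} is the right fix, since rc.d scripts installed without the execute bit are silently skipped by rc; this change is independent of the privilege-drop work and could be committed on its own.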
Index: net/bind9/distinfo
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/net/bind9/distinfo,v
retrieving revision 1.5
diff -c -r1.5 distinfo
*** net/bind9/distinfo	27 Nov 2001 03:38:40 -0000	1.5
--- net/bind9/distinfo	7 Dec 2001 19:40:14 -0000
***************
*** 2,6 ****
--- 2,7 ----
  
  SHA1 (bind/9.2.0/bind-9.2.0.tar.gz) = 5f6aaa25c4fb0326569203a11870c235d7ebf315
  Size (bind/9.2.0/bind-9.2.0.tar.gz) = 4814337 bytes
+ SHA1 (patch-aa) = 80458af361e556c0cb3d95cd473f8e402f2989f4
  SHA1 (patch-ab) = 1d3d82e3e01ac38e8a1b1d98e018849e8fe071bf
  SHA1 (patch-ac) = 1696adfab7392e0f150d34931b808e51ad017938
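Review bot: the SHA1 for patch-aa was computed on the submitter's copy of the file; since patch-aa in this PR is reconstructed from the diff below (and its $NetBSD$ line expands on commit), regenerate the sum with `make makepatchsum` after adding the patch rather than pasting this value, or the package will refuse to apply the patch.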
cvs diff: Diffing net/bind9/files
Index: net/bind9/files/named.sh
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/net/bind9/files/named.sh,v
retrieving revision 1.1
diff -c -r1.1 named.sh
*** net/bind9/files/named.sh	26 Jan 2001 04:25:36 -0000	1.1
--- net/bind9/files/named.sh	8 Dec 2001 20:11:18 -0000
***************
*** 1,28 ****
! #!/bin/sh
  
  # PROVIDE: named
  # REQUIRE: SERVERS
  
  . /etc/rc.subr
  
! name="named"
! rcvar=${name}9
  command="@PREFIX@/sbin/${name}"
  pidfile="/var/run/${name}.pid"
  
! extra_commands="reload"
  
  load_rc_config ${name}9		# check /etc/rc.conf.d/named9
  
  named_precmd()
  {
! 	# Die if $named is also set (i.e. the system's named is not disabled
  	if checkyesno named ; then
! 		warn \
! 	"disable 'named' when setting 'named9'!"
  		return 1
  	fi
  }
  start_precmd="named_precmd"
  
  run_rc_command "$1"
--- 1,44 ----
! #! /bin/sh
  
  # PROVIDE: named
  # REQUIRE: SERVERS
  
+ # XXX note the service provided should be something like "dnssrvr"
+ 
  . /etc/rc.subr
  
! name="named"			# This causes us to inherit $named_flags ...
! rcvar=${name}9			# ... but this gives us a separate yes/no var
! 
! user_parameter="@NAMED_USER@"	# DO NOT use 'named_user'!!!!
! 
  command="@PREFIX@/sbin/${name}"
+ command_args="-u ${user_parameter}"
  pidfile="/var/run/${name}.pid"
+ required_files="/etc/${name}.conf"
  
! extra_commands="status info"
  
  load_rc_config ${name}9		# check /etc/rc.conf.d/named9
  
  named_precmd()
  {
! 	# Die if $named is also set (i.e. if the original system version
! 	# of named is not disabled)
  	if checkyesno named ; then
! 		warn "disable 'named' when setting 'named9'!"
  		return 1
  	fi
  }
  start_precmd="named_precmd"
+ 
+ named_statuscmd()
+ {
+ 	rndc status
+ 	if [ $? -ne 0 -a ! -f ${pidfile} ] ; then
+ 		warn "${command} probably not running...."
+ 	fi
+ }
+ status_cmd="named_statuscmd"
  
  run_rc_command "$1"
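Review bot: named_statuscmd only warns when `rndc status` fails *and* ${pidfile} is missing, so the common failure mode (named died and left a stale pid file) prints nothing, which is exactly what the description says status should detect; warn whenever rndc fails and additionally report whether the pid in ${pidfile} is still alive. Also call rndc by its installed path, e.g. `@PREFIX@/sbin/rndc status`, because PATH during rc is not guaranteed to include ${PREFIX}/sbin. Separately, `extra_commands="status info"` advertises an `info` command with no `named_info`/`info_cmd` defined, so `named9 info` will error out, and the old `reload` command was dropped; mapping `reload` to `rndc reload` would be cheap. Keeping the run user in `user_parameter` instead of `named_user` is correct, since rc.subr would otherwise su to that user before exec and named could not bind port 53.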
cvs diff: Diffing net/bind9/patches
Index: net/bind9/patches/patch-aa
===================================================================
RCS file: net/bind9/patches/patch-aa
diff -N net/bind9/patches/patch-aa
*** /dev/null	1 Jan 1970 00:00:00 -0000
--- net/bind9/patches/patch-aa	8 Dec 2001 20:25:51 -0000
***************
*** 0 ****
--- 1,33 ----
+ $NetBSD$
+ 
+ --- bin/named/server.c.orig	1 Dec 2001 03:32:20 -0000
+ +++ bin/named/server.c	7 Dec 2001 19:29:19 -0000
+ @@ -1950,6 +1950,14 @@
+  		}
+  	}
+  
+ +	obj = NULL;
+ +	if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
+ +		ns_os_writepidfile(cfg_obj_asstring(obj));
+ +	else if (ns_g_lwresdonly)
+ +		ns_os_writepidfile(lwresd_g_defaultpidfile);
+ +	else
+ +		ns_os_writepidfile(ns_g_defaultpidfile);
+ +
+  	/*
+  	 * Relinquish root privileges.
+  	 */
+ @@ -2031,13 +2039,6 @@
+  		}
+  	}
+  
+ -	obj = NULL;
+ -	if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
+ -		ns_os_writepidfile(cfg_obj_asstring(obj));
+ -	else if (ns_g_lwresdonly)
+ -		ns_os_writepidfile(lwresd_g_defaultpidfile);
+ -	else
+ -		ns_os_writepidfile(ns_g_defaultpidfile);
+  
+  	obj = NULL;
+  	result = ns_config_get(maps, "statistics-file", &obj);
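Review bot: moving the pid-file block ahead of the "Relinquish root privileges" step means the file is created root-owned, so the later unprivileged rewrite on `rndc reconfig` fails, as the description already notes; the cheapest fix inside this hunk is to make ns_os_writepidfile compare the existing contents with the new pid and return early when they match, or alternatively chown the file to the `-u` user right after writing it so a later rewrite by the unprivileged process succeeds. The hunk also drops the original block only by line position (@@ -2031,13 +2039,6 @@), so please double-check against the 9.2.0 source that no other code between the two locations relies on the pid file not yet existing.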
cvs diff: Diffing net/bind9/pkg
>Release-Note:
>Audit-Trail:
>Unformatted: