Subject: Re: pkg/14876
To: None <tron@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 03/17/2005 13:09:11
[ On Thursday, March 17, 2005 at 15:42:36 (+0000), tron@netbsd.org wrote: ]
> Subject: Re: pkg/14876
>
> Synopsis: named should never run as root, at least not by default
> 
> State-Changed-From-To: open->closed
> State-Changed-By: tron@netbsd.org
> State-Changed-When: Thu, 17 Mar 2005 15:42:36 +0000
> State-Changed-Why:
> I want the BIND 9 package to be a drop in replacement for the name server
> in NetBSD's base distribution. It will therefore use the same defaults.
> 
> If you want this to get changed (which is probably a good idea) submit
> a PR against NetBSD's default settings in "/etc/defaults/rc.conf".

If you care to look at /etc/rc.d/named on any modern system (including
1.6), you'll find that '-u named' is always passed to named.

However, pkgsrc is intended to run on non-modern systems, and non-NetBSD
systems, so its own rc.d script for net/bind8 and net/bind9 should mimic
the same behaviour.

I.e. you of all people need to remember that pkgsrc is not NetBSD
specific and making the BIND-9 package a secure way to install and use
BIND-9 on other systems must also be a requirement.

Finally if you look at some of the changes I submitted you'll find they
are NECESSARY if bind9 is ever to start properly and securely as a
non-root user on any system where root blindly trusts the content of
/var/run files (e.g. NetBSD).  I.e. at least some of the changes I
submit are critically necessary if the native rc.d script is used!
(Note that the BIND developers feel the security issues related to
having a /var/run that's writable by the user and/or group an attacker
would gain access to by successfully exploiting named is a
system-specific issue and not one germane to BIND itself.)

And BTW, BIND-9 cannot currently be a clean drop-in replacement for the
NetBSD nameserver.  It's impossible as they have very different
configuration requirements.  Anyone who thinks they can get away with a
pkg_add of BIND-9 and a restart is fooling themselves to the point of
causing harm (to their system).  At the moment a "drop-in" replacement
could only be possible with BIND-8.

-- 
						Greg A. Woods

H:+1 416 218-0098  W:+1 416 489-5852 x122  VE3TCP  RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>
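The two points the reply makes about starting named with '-u named' (the daemon must still be able to write its pid file after dropping privileges, and root must not blindly trust whatever ends up in /var/run) can be checked mechanically. The following audit script is an added example; it is not from this PR thread, from pkgsrc, or from the BIND distribution. It assumes the daemon writes its pid file as the unprivileged user, that a root-run rc.d script later reads that file, and it treats the hypothetical layout "dedicated directory owned by the daemon user" (e.g. a /var/run/named) as the safe case. The PID upper bound, the `writable_by` logic (which ignores supplementary groups and the sticky bit) and the finding labels are all the example's own simplifications.

```python
"""Audit the pid-file location a privilege-dropping daemon writes to.

Added example, not code from the PR thread, pkgsrc or BIND.  Assumptions:
the daemon (e.g. named started with '-u named') writes its pid file as the
unprivileged user, and a root-run rc.d script later reads that file and
signals the PID it names.  Two things then matter:

  1. the directory must let the daemon write its own pid file, but must not
     be a shared, group- or world-writable /var/run where a compromised
     daemon could plant or replace other services' pid files;
  2. the file's content must be validated before root acts on it.
"""
import os
import stat

PID_MAX = 4194304  # assumption: Linux's largest default pid_max; BSDs use smaller ranges


def parse_pid(text):
    """Return the integer PID in `text`, or None unless it is a bare, sane PID."""
    body = text.strip()
    if not (body.isascii() and body.isdigit()):   # reject "123abc", "-5", unicode digits
        return None
    pid = int(body)
    if pid <= 1 or pid > PID_MAX:                  # never signal init or garbage
        return None
    return pid


def writable_by(st, uid, gid):
    """True if a principal with this uid/gid may write the object described by `st`.

    Simplification: primary group only, sticky bit ignored, root can write anything.
    """
    mode = st.st_mode
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_pidfile(pidfile, daemon_uid, daemon_gid):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    directory = os.path.dirname(os.path.abspath(pidfile))
    dst = os.stat(directory)
    dedicated = dst.st_uid == daemon_uid          # e.g. /var/run/named owned by named
    can_write = writable_by(dst, daemon_uid, daemon_gid)

    if can_write and not dedicated:
        findings.append("shared-dir-writable: %s is writable by uid %d but owned by uid %d"
                        % (directory, daemon_uid, dst.st_uid))
    elif not can_write:
        findings.append("not-writable: uid %d cannot create a pid file in %s after dropping "
                        "privileges" % (daemon_uid, directory))

    try:
        fst = os.lstat(pidfile)
    except FileNotFoundError:
        return findings                            # daemon not running; nothing to validate
    if stat.S_ISLNK(fst.st_mode):
        findings.append("symlink: %s is a symbolic link; refusing to follow it" % pidfile)
        return findings
    if fst.st_uid not in (0, daemon_uid):
        findings.append("owner: %s is owned by uid %d, expected root or uid %d"
                        % (pidfile, fst.st_uid, daemon_uid))

    with open(pidfile) as fh:
        text = fh.read(64)                         # a real pid file is a handful of bytes
    pid = parse_pid(text)
    if pid is None:
        findings.append("malformed: %s does not contain a plain PID" % pidfile)
        return findings
    try:
        os.kill(pid, 0)                            # signal 0: existence check only
    except ProcessLookupError:
        findings.append("stale: no process with PID %d" % pid)
    except PermissionError:
        pass                                       # process exists, owned by someone else
    return findings


if __name__ == "__main__":
    import sys
    # usage: audit_pidfile.py /var/run/named/named.pid <uid> <gid>
    for line in audit_pidfile(sys.argv[1], int(sys.argv[2]), int(sys.argv[3])):
        print(line)
```

Run against the pid file the rc.d script will read, with the uid/gid given to '-u'; the "not-writable" finding is the start-up failure the reply describes, and "shared-dir-writable" is the /var/run trust problem it warns about.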