ndc problem

[Jim Reid]

>>>>> "Sheng" == Sheng Zhu <sz at att.com> writes:

    Sheng> Don't know if anyone else have seen this problem, but ndc
    Sheng> seems insecure when it allows any user on the local system
    Sheng> to kill the named process - no matter whether you have
    Sheng> control statement in the config or not. It will not allow
    Sheng> any user to start the named process though.

    Sheng> This ndc behavior was observed on a Sun Ultra system
    Sheng> running Solaris 2.6 patched at 105181_15. 

This is a bug in Solaris, so complain to Mr. Sun. There is a comment
about this bug at the top of the README file in BIND8.2.2P5:

SECURITY NOTE:

    Solaris and other pre-4.4BSD kernels do not respect ownership or
    protections on UNIX-domain sockets.  This means that the default
    path for the NDC control socket (/var/run/ndc) is such that any
    user (root or other) on such systems can issue any NDC command
    except "start" and "restart".  The short term fix for this is to
    override the default path and put such control sockets into root-
    owned directories which do not permit non-root to r/w/x through them.
    The medium term fix is for BIND to enforce this requirement internally.
    The long term fix is for all kernels to upgrade to 4.4BSD semantics.