managed-keys.bind's directory problem
marka at isc.org
Mon Dec 14 02:47:46 UTC 2009
In message <alpine.BSF.2.00.0912131720060.1623 at qbhto.arg>, Doug Barton writes:
> On Fri, 11 Dec 2009, Mark Andrews wrote:
> > In message <20091210.162242.460114267490885968.fujiwara at pyon.org>, fujiwara
> > e.ad.jp writes:
> >> I'm using BIND 9.7.0b3 and DLV (dns-lookaside auto;).
> >> The named tried to write "managed-keys.bind" file into the named's
> >> working directory.
> >> The current BIND 9 requires the working directory is writable by named
> >> (From ARM). But I think the working directory should not be writable
> >> by named and some OSs' default configuration set the working directory
> >> not writable.
> > Then those OS's are misconfiguring named.
> Or, named is acting in an unsafe way. :) For example, see
> https://lists.isc.org/pipermail/bind-users/2008-August/071912.html for my
> proposal to separate the idea of "working directory" from "configuration
> directory," and some of the reasons why.
> To repeat my primary objection, if the named user can write to the
> configuration directory it can change the contents of named.conf. That's a
> security problem.
"directory" has *always* specified the working directory.
> > This has been a requirement since the BIND 4 days. It's just named has
> > not complained
> Actually it does complain:
> named: the working directory is not writable
> > and there has been loss of functionality as a result.
> I would argue that this really hasn't been the case for FreeBSD, up till
> this point there has been a workaround for all of the functionality that
> users have asked for.
> > On some OS's this is the only way to get a core file for debugging as
> > there is no way to specify anything other than the current working
> > directory.
> Once again, I assert that this is a design flaw in named. Processes should
> not be dumping random stuff into the same directory where their
> configuration files go. It may have been acceptable back in the BIND 4
> days, but it's time to move on.
> > Note there is no requirement for named's config files to be below the
> > working directory.
> This is something that I'll explore. I still prefer the solution to
> separate the idea of config and working directories. Imagine a scenario
> where the configuration stuff is on a read-only partition for example.
Or OS maintainers shouldn't have put configuration files in the
working directory. They were originally separate. OS maintainers
could have kept them separate.
> > The working directory does not have to be /var/named.
> In FreeBSD (as in other OSs that I looked at for examples) that's the root
> of the chroot directory structure.
> >> I'm very happy if I can change the managed-keys.bind path.
> > We will look into that.
> That would be good. I would argue that for any new feature configurability
> for its file location(s) should be a requirement.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
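
An added example, not part of the original message or of BIND: a Python check of the property argued over in this thread, that the account named runs as can write to the working directory but can neither modify named.conf nor write to the directory that holds it. The uid, paths and mode bits in demo() are constructed for illustration, and ACLs are not evaluated.

```python
import os
import stat
import tempfile

def can_write(path, uid, gids):
    """Mode-bit check: may uid (with groups gids) write to path? ACLs are ignored."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_layout(workdir, conf, uid, gids=frozenset()):
    """List what is wrong with a working-directory / named.conf layout."""
    workdir, conf = os.path.realpath(workdir), os.path.realpath(conf)
    confdir = os.path.dirname(conf)
    findings = []
    if not can_write(workdir, uid, gids):
        findings.append("working directory is not writable")
    if can_write(conf, uid, gids):
        findings.append("named.conf is writable")
    if can_write(confdir, uid, gids):
        # Directory write access lets the account replace a read-only file.
        findings.append("configuration directory is writable")
    if confdir == workdir:
        findings.append("named.conf is in the working directory")
    return findings

def demo():
    """Constructed layouts; the 'other' mode bits stand in for the named account."""
    with tempfile.TemporaryDirectory() as root:
        named_uid = os.stat(root).st_uid + 1      # constructed: any non-owner uid
        etc, work = os.path.join(root, "etc"), os.path.join(root, "work")
        for path, mode in ((etc, 0o755), (work, 0o777)):
            os.mkdir(path)
            os.chmod(path, mode)
        results = {}
        for label, confdir in (("shared", work), ("separate", etc)):
            conf = os.path.join(confdir, "named.conf")
            with open(conf, "w") as fh:
                fh.write("options { };\n")
            os.chmod(conf, 0o644)
            results[label] = audit_layout(work, conf, named_uid)
        return results

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the uid and group ids of the account named runs as, together with the actual working directory and named.conf path.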