BIND 10 #870: private files not private
BIND 10 Development
do-not-reply at isc.org
Tue Jun 7 03:55:30 UTC 2011
#870: private files not private
-------------------------------------+-------------------------------------
Reporter: jreed | Owner:
Type: | Status: new
defect | Milestone:
Priority: major | Sprint-20110614
Component: | Resolution:
Unclassified | Sensitive: 1
Keywords: | Sub-Project: DNS
Defect Severity: Very | Estimated Difficulty: 3.0
High | Total Hours: 0
Feature Depending on Ticket: |
Add Hours to Ticket: 0 |
Internal?: 0 |
-------------------------------------+-------------------------------------
Comment (by jinmei):
How about the attached diff?
(I'm moving this ticket to the review queue).
I'm not really sure which permission is the best one. I suspect in
many systems there's a "bind" group and we'd allow that group to
read/write these files. For now I chose the permission of "640".
I didn't think the additional suggested check in the cmdctl daemon
makes much sense so I didn't touch it. Even if the file permission is
okay at the invocation time, if it's changed later time it's dangerous
anyway unless the daemon follows any subsequent changes in real time.
Suggested changelog entry:
{{{
250. [bug]* jinmei
Make sure bindctl private files are non readable to anyone except
the owner or users in the same group. Note that if BIND 10 is run
with changing the user, this change means that the file owner or
group will have to be adjusted. Also note that this change is
only effective for a fresh install; if there already exist these
files, the permission of the files must be adjusted by hand (if
necessary).
(Trac870, git TBD)
}}}
--
Ticket URL: <http://bind10.isc.org/ticket/870#comment:3>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development
More information about the bind10-tickets
mailing list