On Sun, Dec 02, 2012 at 10:14:43PM +0100, Ondřej Surý wrote:
> On Sun, Dec 2, 2012 at 3:30 PM, Paul Witt <[email protected]> wrote:
> > Package: bind9
> > Version: 1:9.7.3.dfsg-1~squeeze8
> > Severity: normal
> >
> >
> > After a recent bind9 security upgrade (and probably after previous
> > upgrades too), our config management system reported that
> > /etc/bind/named.conf.local had had its group owner changed from
> > the one we'd configured to the group "bind". Presumably it was
> > the package upgrade that caused this.
>
> I have just tried the upgrade in clean pbuilder and the changed
> permissions were kept during the upgrade.
>
> The chgrp happens only on a condition where rndc.key has root as an
> owner (which I presume is to detect first installation) and only in
> that case the initial permissions are set up. See the snippet from
> postinst script:
>
> uid=$(ls -ln /etc/bind/rndc.key | awk '{print $3}')
> if [ "$uid" = "0" ]; then
>     [ -n "$localconf" ] || chown bind /etc/bind/rndc.key
>     chgrp bind /etc/bind
>     chmod g+s /etc/bind
>     chgrp bind /etc/bind/rndc.key /var/run/named /var/cache/bind
>     chgrp bind /etc/bind/named.conf* || true
>     chmod g+r /etc/bind/rndc.key /etc/bind/named.conf* || true
>     chmod g+rwx /var/run/named /var/cache/bind
> fi
>
> Is there a chance that your rndc key was owned by the root user?
Yes, it is owned by the root user. Since we have managed configuration
files for bind, $localconf will be "y", so the "chown bind
/etc/bind/rndc.key" won't get executed.
Because we don't start the service until the package is installed and
the config files are all in place, we don't put an ordering constraint
on whether the config files or the package gets installed first. So
it's likely that the config files were already in place the first
time that the postinst was run. The logic in the script then ensures
that /etc/bind/rndc.key is never chown'd, and that all the other
changes are made repeatedly.
Perhaps that whole block could be wrapped in a localconf check something
like:
if [ "$uid" = "0" ]; then
    if ! [ "$localconf" ] ; then
        chown bind /etc/bind/rndc.key
        chgrp bind /etc/bind
        chmod g+s /etc/bind
        chgrp bind /etc/bind/rndc.key /var/run/named /var/cache/bind
        chgrp bind /etc/bind/named.conf* || true
        chmod g+r /etc/bind/rndc.key /etc/bind/named.conf* || true
        chmod g+rwx /var/run/named /var/cache/bind
    fi
fi
In any case there definitely seems to be a bug with the current postinst
in the case of a sysadmin installing [some of] the config files before
they install the package.
cheers, Paul.
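Added example, not part of this thread or of the Debian bind9 package: a dry-run model in POSIX sh of the postinst block quoted above and of Paul's proposed guard. Each variant prints the commands it would run instead of executing them, so the "re-applied on every upgrade" behaviour can be reproduced without root, without a bind user, and without touching /etc/bind. The function names (key_owner_uid, first_install_actions, postinst_current, postinst_proposed, touches_local_conf) and the echo-based dry run are assumptions for illustration; the paths and commands are the ones in the quoted snippet.

```shell
#!/bin/sh
# Dry-run model of the bind9 postinst ownership block (constructed example).
# Nothing here changes ownership; the variants print the commands they would run.

CONF_DIR=/etc/bind   # path from the postinst, used only in the printed commands

# Same first-install detection the postinst uses: numeric owner uid of the file
# via ls -ln (third column).
key_owner_uid() {
    ls -ln "$1" | awk '{print $3}'
}

# The body of the quoted block. $1 = localconf flag ("y" or empty).
# In the real postinst the chgrp/chmod on named.conf* carry "|| true".
first_install_actions() {
    [ -n "$1" ] || echo "chown bind $CONF_DIR/rndc.key"
    echo "chgrp bind $CONF_DIR"
    echo "chmod g+s $CONF_DIR"
    echo "chgrp bind $CONF_DIR/rndc.key /var/run/named /var/cache/bind"
    echo "chgrp bind $CONF_DIR/named.conf*"
    echo "chmod g+r $CONF_DIR/rndc.key $CONF_DIR/named.conf*"
    echo "chmod g+rwx /var/run/named /var/cache/bind"
}

# Current logic: runs the whole block whenever rndc.key is root-owned.
# With localconf set, the chown is skipped, so the key stays root-owned and
# the remaining group changes are re-applied on every run.
#   $1 = uid owning rndc.key, $2 = localconf flag
postinst_current() {
    if [ "$1" = "0" ]; then
        first_install_actions "$2"
    fi
    return 0
}

# Paul's proposal: skip the block entirely when local configuration exists.
postinst_proposed() {
    if [ "$1" = "0" ] && [ -z "$2" ]; then
        first_install_actions "$2"
    fi
    return 0
}

# Does a variant touch the sysadmin-managed named.conf* files?
#   $1 = variant function, $2 = key owner uid, $3 = localconf flag
touches_local_conf() {
    "$1" "$2" "$3" | grep -qF 'named.conf*'
}

# Stand-alone run: show the reported situation (root-owned key, localconf=y).
if [ "${0##*/}" != "sh" ]; then
    echo "current postinst, root-owned key, localconf=y:"
    postinst_current 0 y
    echo "proposed postinst, root-owned key, localconf=y:"
    postinst_proposed 0 y
fi
```

The dry run makes one side effect of the proposal visible that the thread does not spell out: because the guard wraps the whole block, a site that ships its own named.conf also loses the chgrp and g+rwx on /var/run/named and /var/cache/bind, so an installation that relies on those directory permissions should verify them separately.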