ndc problem

G. Roderick Singleton gsingleton at home.com
Tue Feb 1 01:24:11 UTC 2000


Barry Margolin wrote:
> 
> In article <38960986.BE07FEC4 at att.com>, Sheng Zhu  <sz at att.com> wrote:
> >Don't know if anyone else has seen this problem, but ndc seems
> >insecure when it allows any user on the local system to kill the named
> >process - no matter whether you have control statement in the config
> >or not. It will not allow any user to start the named process though.
> >
> >The control statement in the named.conf looks like this:
> >     control { unix "/etc/ndc" perm 0600 owner 0 group 0; };
> >and the ndc socket seems created with correct permission when named
> >is started by root:
> >     srw-------    1    root    root        0    Jan 31 21:31 /etc/ndc
> >
> >This ndc behavior was observed on a Sun Ultra system running Solaris
> >2.6 patched at 105181_15. The bind source code is 8.2.2-P5 compiled
> >on the same system with Sun Spro CC 4.2. Any comments or help will
> >be appreciated. Thanks,
> 
> I think the problem may be that Solaris doesn't implement access control on
> Unix-domain sockets, so the permissions have no effect.  The solution is to
> put the socket in a directory that only root has execute permission to,
> e.g.
> 
> mkdir /etc/ndcdir
> chmod 700 /etc/ndcdir
> 
> Rebuild named and ndc with DESTRUN configured to /etc/ndcdir.
> 
> --
> Barry Margolin, barmar at bbnplanet.com
> GTE Internetworking, Powered by BBN, Burlington, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.


Good idea.  Does someone have to submit a bug report to get this
integrated in the Makefil.set.sun?

-- 
________________________________________________________________________________
G. Roderick Singleton, <gsingleton at home.com> PATH tech,
71 Underhill Drive, Unit 159, Toronto, ON  M3A 2J8
Voice : 416-452-4583 Fax: 416-452-0036 Toll Free: 1-888-354-PATH
________________________________________________________________________________

*** Notice To Bulk Emailers: Attention!  Pursuant to US Code, Title 47,
Chapter 5, Subchapter II, 227, any & all unsolicited commercial e-mail
sent to this address is subject to a download and archival fee in the
amount of the $1500 US and copies will be forwarded to domain
administrators.  Emailing denotes acceptance of said terms!
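
An added example, not part of the original thread: a POSIX shell check that the directory holding the ndc control socket is restricted to its owner, as the quoted reply suggests for systems where the socket's own permissions have no effect. The function name `check_sock_dir` and the socket file name `ndc` inside `/etc/ndcdir` are assumptions.

```shell
#!/bin/sh
# check_sock_dir SOCKET_PATH [EXPECTED_UID]
# Where the OS ignores mode bits on the socket itself, the enclosing
# directory is the access control. Returns 0 if that directory is owned
# by EXPECTED_UID (default 0) with no group/other bits, 1 if not,
# 2 if the directory does not exist.
check_sock_dir() {
    sock=$1
    want_uid=${2:-0}
    dir=$(dirname -- "$sock")

    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi

    # ls -ldn is portable (stat(1) options differ between systems);
    # -n prints the numeric uid in field 3.
    info=$(ls -ldn -- "$dir" | awk 'NR == 1 { print $1, $3 }')
    mode=${info%% *}
    uid=${info##* }
    go=$(printf '%s' "$mode" | cut -c5-10)   # group + other bits

    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $uid, expected $want_uid" >&2
        rc=1
    fi
    if [ "$go" != "------" ]; then
        echo "FAIL: $dir mode $mode grants access to group/other" >&2
        rc=1
    fi
    case $mode in
        *+) echo "WARN: $dir has an ACL; review it separately" >&2 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $dir ($mode, uid $uid)"
    return "$rc"
}

# Usage: sh check_sock_dir.sh /etc/ndcdir/ndc   (socket file name assumed)
if [ "$#" -gt 0 ]; then
    check_sock_dir "$@"
fi
```

The check covers only the immediate parent directory of the socket.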


