ndc socket permissions, Solaris 2.6
Mark.Andrews at nominum.com
Mon Jul 24 03:14:44 UTC 2000
It looks like you haven't read the file called "README" and
the "SECURITY NOTE" in there.
BIND 8.2.3 creates a separate directory to hold the socket.
Mark
> I seem to be able to issue commands to named via ndc as an
> unprivileged user, even though the socket permissions appear to deny
> this explicitly. Anyone else seen this?
>
> Server is a Netra t1, Solaris 2.6 Generic_105181-21. BIND 8.2.2p5
> lives in /opt. Bare-bones named.conf (no "acl" or "controls" blocks).
> named is running as root. Neither named nor ndc are setuid root. On
> a FreeBSD server, you get the expected "ndc: error: ctl_client:
> evConnect(fd 3): Permission denied" if you try to connect to the
> control socket as an unprivileged user.
>
> % id -a
> uid=10070(taob) gid=14(sysadmin) groups=14(sysadmin)
>
> % ps -ef | fgrep named
> root 371 1 0 21:08:14 ? 0:00 /opt/sbin/named
>
> % ls -l /opt/etc/ndc /opt/sbin/ndc
> srw------- 1 root root 0 Jul 23 21:08 /opt/etc/ndc
> -rwxr-xr-x 1 root root 46912 Jun 4 09:44 /opt/sbin/ndc
>
> % /opt/sbin/ndc status
> named 8.2.2-P5 Sun Jun 4 09:45:06 EDT 2000 taob at tor-dev1:/depot/src/ofs/bind
> -8.2.2p5/src/bin/named
> number of zones allocated: 64
> debug level: 0
> xfers running: 0
> xfers deferred: 0
> soa queries in progress: 0
> query logging is OFF
> server is DONE priming
> server IS NOT loading its configuration
>
> % /opt/sbin/ndc stop
> Shutdown initiated.
>
> % ls -l /opt/etc/ndc
> /opt/etc/ndc: No such file or directory
>
> % ps -ef | fgrep named
> %
>
> --
> Brian Tao (BT300, taob at risc.org)
> "Though this be madness, yet there is method in't"
>
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
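
An added example, not part of either message above and not BIND code: a check for the situation in this thread, where the mode on the control socket itself (`srw-------`) is not enforced and only the permissions of the directories leading to it restrict who can connect. The function name `who_can_reach` and its `top` parameter are hypothetical, and the check looks only at classic mode bits, not ACLs.

```python
import os
import socket
import stat
import tempfile


def who_can_reach(sock_path, top="/"):
    """Return the permission classes ('group', 'other') that hold search
    permission on every directory from `top` down to the socket.
    Where the socket file's own mode is ignored, these classes can connect."""
    sock_path = os.path.realpath(sock_path)
    top = os.path.realpath(top)
    if not stat.S_ISSOCK(os.stat(sock_path).st_mode):
        raise ValueError(f"{sock_path} is not a socket")
    reach = {"group": stat.S_IXGRP, "other": stat.S_IXOTH}
    d = os.path.dirname(sock_path)
    while True:
        mode = os.stat(d).st_mode
        # Search (x) permission is required on each path component,
        # so one restrictive directory is enough to shield the socket.
        reach = {who: bit for who, bit in reach.items() if mode & bit}
        if d == top or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return sorted(reach)


if __name__ == "__main__":
    # Constructed layout: a socket with mode 0600, first in an open
    # directory, then in a directory only its owner can search.
    base = os.path.realpath(tempfile.mkdtemp())
    path = os.path.join(base, "ndc")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)
    for dir_mode in (0o755, 0o700):
        os.chmod(base, dir_mode)
        print(oct(dir_mode), "->", who_can_reach(path, top=base))
    srv.close()
    os.unlink(path)
    os.rmdir(base)
```

An empty result means only the owner of the directory chain (and root) can reach the socket, whatever the platform does with the socket's own mode.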