Patch for the 8.2.2-P5 Unix-domain socket problem
Mark.Andrews at nominum.com
Sat Sep 16 22:52:28 UTC 2000
Take a look at the BIND 8.2.3-T7B.
Mark
> The following patch will correct the security problem associated with
> the Unix-domain control socket under Solaris and other similar operating
> systems. It does this by applying the file permission settings to the
> directory containing the socket file as well as to the socket itself.
> It will also create the directory if it does not exist. It assumes
> that both the pid file and the socket are in this directory.
>
> I define DESTRUN as /var/run/named in port/solaris/Makefile.set and
> let in.named create the directory. This is very convenient under
> recent Solaris versions because /var/run is created at boot time as
> a memory-based filesystem. I also define _PATH_NAMED as /usr/sbin/in.named
> in port/solaris/include/paths.h so that the standard Solaris init script
> will start in.named if I create a dummy /etc/named.boot file.
>
> *** ns_ctl.Oc Wed Oct 13 11:39:04 1999
> --- ns_ctl.c Sat Sep 16 09:27:49 2000
> ***************
> *** 478,483 ****
> --- 478,513 ----
>
> static void
> install_unix(control ctl) {
> + char *pt, tmp_dir[MAXDNAME];
> +
> + /* XXX Secure the directory too */
> + strcpy(tmp_dir, ctl->var.v_unix.un.sun_path);
> + if ((pt = strrchr(tmp_dir, '/')) && pt > tmp_dir) {
> + *pt = '\0';
> + if (mkdir(tmp_dir,
> + ctl->var.v_unix.mode) < 0 && errno != EEXIST) {
> + ns_warning(ns_log_config, "mkdir(\"%s\", 0%03o): %s",
> + tmp_dir,
> + ctl->var.v_unix.mode,
> + strerror(errno));
> + }
> + if (chmod(tmp_dir,
> + ctl->var.v_unix.mode) < 0) {
> + ns_warning(ns_log_config, "chmod(\"%s\", 0%03o): %s",
> + tmp_dir,
> + ctl->var.v_unix.mode,
> + strerror(errno));
> + }
> + if (chown(tmp_dir,
> + ctl->var.v_unix.owner,
> + ctl->var.v_unix.group) < 0) {
> + ns_warning(ns_log_config, "chown(\"%s\", %d, %d): %s",
> + tmp_dir,
> + ctl->var.v_unix.owner,
> + ctl->var.v_unix.group,
> + strerror(errno));
> + }
> + }
> if (ctl->sctx == NULL) {
> unattach(ctl);
> ctl->sctx = mksrvr(ctl,
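Review bot: the EEXIST branch after the mkdir() call never verifies that the pre-existing tmp_dir is actually a directory with the expected owner, yet the code goes on to chmod() and chown() that path (both follow symlinks, so a symlink or regular file planted there would have its target's mode and ownership rewritten) and then falls through to install the socket beneath it regardless. Suggest an lstat() on tmp_dir after the mkdir, requiring S_ISDIR and a uid matching ctl->var.v_unix.owner, and treating a failed mkdir/chmod/chown as fatal for this control channel instead of ns_warning(), since every failure here is currently only logged while the socket is still created. A smaller point: the directory receives ctl->var.v_unix.mode verbatim; that mode is meant for the socket, and a directory additionally needs the search (x) bit wherever read is granted or the socket inside it cannot be reached by non-root users, so derive the directory mode from the socket mode rather than reusing it.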
>
> --
> -Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com