Patch for the 8.2.2-P5 Unix-domain socket problem

Mark.Andrews at nominum.com
Sat Sep 16 22:52:28 UTC 2000


	Take a look at the BIND 8.2.3-T7B.

	Mark

> The following patch will correct the security problem associated with
> the Unix-domain control socket under Solaris and other similar operating
> systems.  It does this by applying the file permission settings to the
> directory containing the socket file as well as to the socket itself.
> It will also create the directory if it does not exist.  It assumes
> that both the pid file and the socket are in this directory.
> 
> I define DESTRUN as /var/run/named in port/solaris/Makefile.set and
> let in.named create the directory.  This is very convenient under
> recent Solaris versions because /var/run is created at boot time as
> a memory-based filesystem.  I also define _PATH_NAMED as /usr/sbin/in.named
> in port/solaris/include/paths.h so that the standard Solaris init script
> will start in.named if I create a dummy /etc/named.boot file.
> 
> *** ns_ctl.Oc	Wed Oct 13 11:39:04 1999
> --- ns_ctl.c	Sat Sep 16 09:27:49 2000
> ***************
> *** 478,483 ****
> --- 478,513 ----
>   
>   static void
>   install_unix(control ctl) {
> +     char	*pt, tmp_dir[MAXDNAME];
> + 
> +     /* XXX Secure the directory too */
> +     strcpy(tmp_dir, ctl->var.v_unix.un.sun_path);
> +     if ((pt = strrchr(tmp_dir, '/')) && pt > tmp_dir) {
> + 	*pt = '\0';
> + 	if (mkdir(tmp_dir,
> + 		  ctl->var.v_unix.mode) < 0 && errno != EEXIST) {
> + 	    ns_warning(ns_log_config, "mkdir(\"%s\", 0%03o): %s",
> + 		       tmp_dir,
> + 		       ctl->var.v_unix.mode,
> + 		       strerror(errno));
> + 	}
> + 	if (chmod(tmp_dir,
> + 		  ctl->var.v_unix.mode) < 0) {
> + 	    ns_warning(ns_log_config, "chmod(\"%s\", 0%03o): %s",
> + 		       tmp_dir,
> + 		       ctl->var.v_unix.mode,
> + 		       strerror(errno));
> + 	}
> + 	if (chown(tmp_dir,
> + 		  ctl->var.v_unix.owner,
> + 		  ctl->var.v_unix.group) < 0) {
> + 	    ns_warning(ns_log_config, "chown(\"%s\", %d, %d): %s",
> + 		       tmp_dir,
> + 		       ctl->var.v_unix.owner,
> + 		       ctl->var.v_unix.group,
> + 		       strerror(errno));
> + 	}
> +     }
>   	if (ctl->sctx == NULL) {
>   		unattach(ctl);
>   		ctl->sctx = mksrvr(ctl,
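Review bot: the directory is given the socket's own mode unchanged (`mkdir(tmp_dir, ctl->var.v_unix.mode)` and `chmod(tmp_dir, ctl->var.v_unix.mode)`), but a socket mode such as 0600 carries no search (x) bit, and a directory without x is untraversable for everyone except root, so a non-root user who is permitted to use the socket is still locked out of its directory; derive the directory mode by adding the x bit for every class that has r or w (0600 -> 0700, 0660 -> 0770). Two smaller points in the same block: when `mkdir` returns EEXIST nothing verifies that `tmp_dir` is really a directory before `chmod`/`chown` are applied to whatever is there (an `lstat` plus `S_ISDIR` check, warning and skipping the socket otherwise, would make the reused-path case explicit), and `strcpy(tmp_dir, ctl->var.v_unix.un.sun_path)` silently assumes `sun_path` always fits in `MAXDNAME`; a bounded copy against `sizeof tmp_dir` documents that assumption. Style: the new lines mix four-space indentation with the tab indentation used by the rest of the function.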
> 
> -- 
> -Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com


