managed-keys.bind's directory problem

Mark Andrews marka at isc.org
Mon Dec 14 02:47:46 UTC 2009


In message <alpine.BSF.2.00.0912131720060.1623 at qbhto.arg>, Doug Barton writes:
> On Fri, 11 Dec 2009, Mark Andrews wrote:
> > In message <20091210.162242.460114267490885968.fujiwara at pyon.org>, fujiwara@wide.ad.jp writes:
> >> I'm using BIND 9.7.0b3 and DLV (dns-lookaside auto;).
> >>
> >> The named tried to write "managed-keys.bind" file into the named's
> >> working directory.
> >>
> >> The current BIND 9 requires the working directory is writable by named
> >> (From ARM). But I think the working directory should not be writable
> >> by named and some OSs' default configuration set the working directory
> >> not writable.
> >
> > Then those OS's are misconfiguring named.
> 
> Or, named is acting in an unsafe way. :) For example, see 
> https://lists.isc.org/pipermail/bind-users/2008-August/071912.html for my 
> proposal to separate the idea of "working directory" from "configuration 
> directory," and some of the reasons why.
> 
> To repeat my primary objection, if the named user can write to the 
> configuration directory it can change the contents of named.conf. That's a 
> security problem.

"directory" has *always* specified the working directory.

> > This has been a requirement since the BIND 4 days.  It's just named has 
> > not complained
> 
> Actually it does complain:
> named[970]: the working directory is not writable
>
> > and there has been loss of functionality as a result.
> 
> I would argue that this really hasn't been the case for FreeBSD, up till 
> this point there has been a workaround for all of the functionality that 
> users have asked for.
>
> > On some OS's this is the only way to get a core file for debugging as 
> > there is no way to specify anything other than the current working 
> > directory.
> 
> Once again, I assert that this is a design flaw in named. Processes should 
> not be dumping random stuff into the same directory where their 
> configuration files go. It may have been acceptable back in the BIND 4 
> days, but it's time to move on.
> 
> > Note there is no requirement for named's config files to be below the
> > working directory.
> 
> This is something that I'll explore. I still prefer the solution to 
> separate the idea of config and working directories. Imagine a scenario 
> where the configuration stuff is on a read-only partition for example.

Or OS maintainers shouldn't have put configuration files in the
working directory.  They were originally separate.  OS maintainers
could have kept them separate.

> > The working directory does not have to be /var/named.
> 
> In FreeBSD (as in other OSs that I looked at for examples) that's the root 
> of the chroot directory structure.
> 
> >> I'm very happy if I can change the managed-keys.bind path.
> >
> > We will look into that.
> 
> That would be good. I would argue that for any new feature configurability 
> for its file location(s) should be a requirement.
> 
> 
> Doug
> 
> -- 
> 
>  	Improve the effectiveness of your Internet presence with
>  	a domain name makeover!    http://SupersetSolutions.com/
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
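
An added example, not part of the thread and not ISC's code: a Python check of the two directory layouts debated above, reporting when the account named runs as can write to named.conf or its directory, and when the working directory is not writable. The function names and the temporary sample layouts are assumptions made for illustration; the check reads owner/group/other mode bits only.

```python
import os, shutil, stat, tempfile

def mode_allows_write(path, uid, gids):
    """Write access per owner/group/other mode bits only (no ACLs, no root override)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(conf_path, working_dir, uid, gids):
    """Return findings for the layout problems argued over in the thread."""
    conf_path = os.path.realpath(conf_path)
    conf_dir = os.path.dirname(conf_path)
    work = os.path.realpath(working_dir)
    findings = []
    if mode_allows_write(conf_path, uid, gids):
        findings.append("config file is writable by the daemon user")
    if mode_allows_write(conf_dir, uid, gids):
        findings.append("config directory is writable: the file can be replaced")
    if work == conf_dir:
        findings.append("working directory and config directory are the same")
    if not mode_allows_write(work, uid, gids):
        findings.append("working directory is not writable by the daemon user")
    return findings

def make_layout(root, conf_dir, conf_dir_mode, conf_mode):
    """Constructed sample layout: <root>/<conf_dir>/named.conf plus <root>/work."""
    cdir = os.path.join(root, conf_dir)
    work = os.path.join(root, "work")
    os.makedirs(cdir, exist_ok=True)
    os.makedirs(work, exist_ok=True)
    conf = os.path.join(cdir, "named.conf")
    open(conf, "w").close()
    os.chmod(conf, conf_mode)
    os.chmod(cdir, conf_dir_mode)
    os.chmod(work, 0o755)
    return conf, work

def demo():
    """Audit a shared layout and a split layout, both owned by the current user."""
    uid, gids = os.geteuid(), set(os.getgroups()) | {os.getegid()}
    root = tempfile.mkdtemp()
    try:
        shared = audit(*make_layout(os.path.join(root, "a"), "work", 0o755, 0o644), uid, gids)
        split = audit(*make_layout(os.path.join(root, "b"), "etc", 0o555, 0o444), uid, gids)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return shared, split
```

On a real host, call `audit()` with the path to named.conf, the directory given by the `directory` option, and the uid and group ids of the account named runs as.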


