5158147 2000-06-04 03:41 /42 rader/ Postmaster
Mottagare: Bugtraq (import) <11137>
Ärende: bind running as root in Mandrake 7.0
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Sender: nico@linuxserver.it-xchange.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0006031555490.8877-100000@linuxserver.it-xchange.com>
Date: Sat, 3 Jun 2000 16:03:51 +0200
Reply-To: Nicolas MONNET <nico@MONNET.TO>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Nicolas MONNET <nico@MONNET.TO>
To: BUGTRAQ@SECURITYFOCUS.COM
bind is run as user / group 'root' in Mandrake 7.0, and probably in
Redhat6.x as well. This is a surprising (if not stupid) setting given
the fact that sploits exist that easily break out of any chroot jail
in such a case; and that switching users is as easy as adding an
option to named. Esp. given the infuriatingly poor security track
record of named ...
Indeed, here's a simple patch against /etc/rc.d/init.d/named that I
strongly suggest applying. It does'nt seem to cause any problem for
me.
*** named.orig Sat Jun 3 15:55:00 2000
--- named Fri Jun 2 22:04:10 2000
***************
*** 28,34 ****
start)
# Start daemons.
echo -n "Starting named: "
! daemon named
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
echo
--- 28,34 ----
start)
# Start daemons.
echo -n "Starting named: "
! daemon named -u nobody -g nogroup
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
echo
(5158147) ------------------------------------------(Ombruten)
5161557 2000-06-05 03:11 /35 rader/ Postmaster
Mottagare: Bugtraq (import) <11144>
Ärende: Re: bind running as root in Mandrake 7.0
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en, ja
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3939B689.54DA9229@mindspring.com>
Date: Sat, 3 Jun 2000 20:53:13 -0500
Reply-To: Brock Sides <philarete@MINDSPRING.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Brock Sides <philarete@MINDSPRING.COM>
X-To: Nicolas MONNET <nico@MONNET.TO>
To: BUGTRAQ@SECURITYFOCUS.COM
Nicolas MONNET wrote:
> bind is run as user / group 'root' in Mandrake 7.0, and probably in
> Redhat6.x as well. This is a surprising (if not stupid) setting given the
> fact that sploits exist that easily break out of any chroot jail in such a
> case; and that switching users is as easy as adding an option to
> named. Esp. given the infuriatingly poor security track record of named
> ...
>
> Indeed, here's a simple patch against /etc/rc.d/init.d/named that I
> strongly suggest applying. It does'nt seem to cause any problem for me.
RedHat 6.2 runs BIND as user/group "named", IIRC.
Your patch will break things if you're running a slave nameserver,
unless you also chown /var/named (or wherever you're keeping your
automatically generated zone files) to the user you're running named
as.
Brock Sides
philarete@mindspring.com
(5161557) ------------------------------------------(Ombruten)
5161825 2000-06-05 05:01 /71 rader/ Postmaster
Mottagare: Bugtraq (import) <11160>
Ärende: Linux-Mandrake bind update.
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
User-Agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.6
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <m2ya4l4eed.fsf@vador.mandrakesoft.com>
Date: Sun, 4 Jun 2000 18:08:58 +0200
Reply-To: Chmouel Boudjnah <chmouel@MANDRAKESOFT.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Chmouel Boudjnah <chmouel@MANDRAKESOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
-------------------------------------
Linux-Mandrake Security Update
-------------------------------------
Package: bind
Affected versions: 6.1 7.0
Problem: By default bind is launched as user and group root. This
setting can give the possibility to easily exploit vulnerabities in
bind. Thanks to Nicolas MONNET <nico at MONNET.TO> for his
contribution.
Please upgrade to:
md5sum: 185c51a554cd1c2fedf42f002ba8f01f
package: 6.1/RPMS/bind-8.2.2P5-6mdk.i586.rpm
md5sum: 39757dd3b1157685a486fc2c7afe2855
package:6.1/RPMS/bind-devel-8.2.2P5-6mdk.i586.rpm
md5sum: 507e45161ec6f9cbfb17dcf06d0831f0
package:6.1/RPMS/bind-utils-8.2.2P5-6mdk.i586.rpm
md5sum: eeffc6a7d2c7813931a2bbcb8da05a79
source: 6.1/SRPMS/bind-8.2.2P5-6mdk.src.rpm
md5sum: 95ccd87693c8e3c870f1bccd2842489b
package:7.0/RPMS/bind-8.2.2P5-6mdk.i586.rpm
md5sum: 31a1b33c3cf2013ea14ac1d0432a2785
package:7.0/RPMS/bind-devel-8.2.2P5-6mdk.i586.rpm
md5sum: ce92d5be31c4675e5ec21e4a76815633
package:7.0/RPMS/bind-utils-8.2.2P5-6mdk.i586.rpm
md5sum: eeffc6a7d2c7813931a2bbcb8da05a79
source: 7.0/SRPMS/bind-8.2.2P5-6mdk.src.rpm
To upgrade automatically, use « MandrakeUpdate ». If you want to
upgrade manually, download the updated package from one of our FTP
server mirrors and uprade with "rpm -Uvh package_name". All mirrors
are listed on http://www.mandrake.com/en/ftp.php3 Updated packages are
available in the "updates/" directory.
For example, if you are looking for an updated RPM package for
Mandrake 7.0, look for it in: updates/7.0/RPMS/
Note: we give the md5 sum for each package. It lets you check the
integrity of the downloaded package by running the md5sum command on
the package ("md5sum package.rpm").
--
MandrakeSoft Inc http://www.mandrakesoft.com
In travel. --Chmouel
(5161825) ------------------------------------------
Kommentar i text 5161829