[Secure-testing-team] Bug#500707: Does not run as the maradns user/group

Matthijs Kooijman matthijs at stdin.nl
Tue Sep 30 16:28:38 UTC 2008


Package: maradns
Version: 1.3.07.08-1
Severity: important
Tags: security

Hi,

I noticed that maradns does not properly update its configuration to
run as the user "maradns". This results in the default configuration
remaining active, which is running as uid 65534 and gid 99. The former
should be the user "nobody" on all Debian systems AFAIK, but I think the
latter is usually not a valid user.

Running maradns with these credentials constitutes a security problem,
however, I do not think this is directly exploitable. Hence, I'm marking
this as important.

There is code in the postinst script to take care of this. The code is
supposed to change the uid/gid config directives to the uid and gid of
the "maradns" user and group, also created by the postinst script.

However, this only happens when postinst is called with the "install"
argument, which never happens according to the Policy Manual [1]. The
"install" argument is only passed to the preinst script, AFAICS.

I can reproduce this problem on two separate systems, one running sid
and one running lenny. I hope a fixed version can still be included in
lenny.

Gr.

Matthijs

[1]: http://www.debian.org/doc/debian-policy/ch-maintainerscripts.html

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.27-rc2-wl-35635-gf8895ad (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages maradns depends on:
ii  adduser                       3.110      add and remove users and groups
ii  libc6                         2.7-13     GNU C Library: Shared libraries

maradns recommends no packages.

maradns suggests no packages.

-- no debconf information
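
The argument dispatch described in the report, as an added example (not the maradns package's actual postinst and not written by the reporter): a branch keyed on "install" is never taken when the script runs as postinst, while one keyed on "configure" is. The directive names `maradns_uid` and `maradns_gid` are mararc settings; the function names, the sample file and the ids 108/115 are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not the maradns package's postinst.
# Sample file contents and the ids 108/115 are constructed.

# Rewrite the uid/gid directives in a mararc-style file.
# $1 = config file, $2 = uid, $3 = gid
set_mararc_ids() {
    conf=$1 uid=$2 gid=$3
    tmp=$(mktemp) || return 1
    sed -e "s/^maradns_uid[[:space:]]*=.*/maradns_uid = $uid/" \
        -e "s/^maradns_gid[[:space:]]*=.*/maradns_gid = $gid/" \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Read back the value of one directive. $1 = config file, $2 = name
mararc_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# Pattern from the report: the update is keyed on "install", an action
# that is passed to preinst, so this branch never runs from postinst.
postinst_buggy() {
    case "$1" in
        install) set_mararc_ids "$2" "$3" "$4" ;;
    esac
}

# postinst is called with configure, abort-upgrade, abort-remove or
# abort-deconfigure; the uid/gid update belongs under "configure".
postinst_fixed() {
    case "$1" in
        configure) set_mararc_ids "$2" "$3" "$4" ;;
        abort-upgrade|abort-remove|abort-deconfigure) ;;
        *) echo "postinst called with unknown argument '$1'" >&2; return 1 ;;
    esac
}

# Demo on a constructed file holding the defaults named in the report.
demo=$(mktemp)
printf 'maradns_uid = 65534\nmaradns_gid = 99\n' > "$demo"
postinst_buggy configure "$demo" 108 115
echo "buggy: uid=$(mararc_get "$demo" maradns_uid) gid=$(mararc_get "$demo" maradns_gid)"
postinst_fixed configure "$demo" 108 115
echo "fixed: uid=$(mararc_get "$demo" maradns_uid) gid=$(mararc_get "$demo" maradns_gid)"
rm -f "$demo"
```

In a real maintainer script the ids would be looked up from the "maradns" account (for example with `id -u maradns` and `id -g maradns`) rather than passed in as literals.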




