[Secure-testing-team] Bug#513717: startup script chowns files writable by nsd thus making nsd user==root
Michael Tokarev
mjt at tls.msk.ru
Sat Jan 31 16:53:11 UTC 2009
Package: nsd
Version: 2.3.7-1.1
Severity: security

In the /etc/init.d/nsd script there's a construct (repeated twice):

    [ -n "${nsd_user}" ] && chown "${nsd_user}:" "${dbfile}"

where dbfile defaults to /var/lib/nsd/nsd.db, or in chroot, and
the parent directory of it (/var/lib/nsd) is owned by $nsd_user
(default nsd).

The whole chroot idea is to protect the system from someone who managed
to find a way to break into the system utilizing a bug in - in this
case - the nsd daemon. Assume that in the worst case, an attacker can
execute arbitrary code on the system as the user running nsd.

Now suppose the attacker changes /var/lib/nsd/nsd.db to be a
symlink to /etc/password. And after the next restart or reload
of nsd, that file's owner will be happily changed to nsd. With
all the bad stuff that follows from it.

I can only guess where this chown comes from, in the first place.
But I *think* that the proper solution will be to always run
`nsdc rebuild' as that user instead of root. Note that running
it as root so that the result is written into the nsd-owned directory
does no good either.

This is, as far as I can see, a Debian-specific security bug.

-- System Information:
Debian Release: 5.0
APT prefers stable
APT policy: (990, 'stable'), (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.28-i686smp (SMP w/2 CPU cores)
Shell: /bin/sh linked to /bin/bash
Versions of packages nsd depends on:
ii adduser 3.110 add and remove users and groups
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
nsd recommends no packages.
nsd suggests no packages.
-- no debconf information
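
Added example, not part of the original report or of the Debian nsd package: a shell sketch of what a root-run init script would have to check before the chown the report describes, covering the symlink case from the report plus the hard-link variant of the same problem. The helper names chown_target_ok and guarded_chown are hypothetical.

```shell
#!/bin/sh
# Added example (not the Debian nsd init script). The construct from the
# report is:
#     [ -n "${nsd_user}" ] && chown "${nsd_user}:" "${dbfile}"
# chown(1) follows a symlink in the final path component by default, and
# ${dbfile} lives in a directory the unprivileged nsd user can write to.

# chown_target_ok PATH   (hypothetical helper)
# Returns 0 only if PATH looks safe to hand to a root-run chown:
#   1 = PATH is a symlink, 2 = not a regular file, 3 = extra hard links.
chown_target_ok() {
    path=$1
    [ -L "$path" ] && return 1
    [ -f "$path" ] || return 2
    # Second field of `ls -ld` is the link count; more than 1 means the
    # same inode is also reachable under another name.
    nlink=$(ls -ldn -- "$path" | awk '{ print $2; exit }')
    [ "$nlink" -eq 1 ] || return 3
    return 0
}

# guarded_chown OWNER PATH   (hypothetical helper)
# -h makes chown act on a symlink itself rather than on its target, so a
# symlink swapped in after the check is not followed. A hard link created
# after the check is not caught; only dropping the root chown (the report's
# suggestion: run `nsdc rebuild' as the nsd user) removes that window.
guarded_chown() {
    owner=$1
    path=$2
    chown_target_ok "$path" || {
        rc=$?
        echo "refusing to chown $path (check code $rc)" >&2
        return "$rc"
    }
    chown -h -- "$owner" "$path"
}

# Usage in an init script, replacing the construct above:
#     [ -n "${nsd_user}" ] && guarded_chown "${nsd_user}:" "${dbfile}"
```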