Bug 255148 - [patch] dns/bind911: %%ETCDIR%%/master should be owned by (bind,bind,)
Summary: [patch] dns/bind911: %%ETCDIR%%/master should be owned by (bind,bind,)
Status: Closed Works As Intended
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Mathieu Arnold
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-17 09:02 UTC by Helge Oldach
Modified: 2021-04-26 11:57 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (mat)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Helge Oldach 2021-04-17 09:02:53 UTC
When running DNSSEC auto validation, named requires write access to %%ETCDIR%%/master in order to create -signed, .jbk, and .jnl files. Per pkg-plist however, this directory is owned by root:wheel, unlike %%ETCDIR%%/dynamic, %%ETCDIR%%/slave, and %%ETCDIR%%/working which are explicitly owned by (bind,bind,). This breaks auto validation.

Worse, the (root,wheel,) ownership of %%ETCDIR%%/master is restored upon every update unfortunately.

Therefore I suggest to align all created subdirectories:

diff --git a/dns/bind911/pkg-plist b/dns/bind911/pkg-plist
index 86422256566d..de6b48f6175c 100644
--- a/dns/bind911/pkg-plist
+++ b/dns/bind911/pkg-plist
@@ -397,6 +397,6 @@ sbin/rndc
 sbin/rndc-confgen
 sbin/tsig-keygen
 @dir(bind,bind,) %%ETCDIR%%/dynamic
-@dir %%ETCDIR%%/master
+@dir(bind,bind,) %%ETCDIR%%/master
 @dir(bind,bind,) %%ETCDIR%%/slave
 @dir(bind,bind,) %%ETCDIR%%/working

dns/bind916 is not affected as it does not create a %%ETCDIR%%/master directory but just %%ETCDIR%%/dynamic, %%ETCDIR%%/slave, and %%ETCDIR%%/working. I have no idea why it's different though.
Comment 1 Helge Oldach 2021-04-17 09:15:01 UTC
Alternatively, @dir %%ETCDIR%%/master can be removed from pkg-plist as it's auto created by installing %%ETCDIR%%/master/empty.db. That should also leave user modified ownership intact.
Comment 2 Mathieu Arnold freebsd_committer 2021-04-26 09:58:21 UTC
The idea is that the master directory is not modifiable by named, so that in case of a securty issue, the zones cannot be modified.

If you want to use the master directory for your zones, and need a journal, use the <journal "journalfile"> directive in the configuration file to put the journal in a directory that can be written by named, like the "working" directory.
Comment 3 Helge Oldach 2021-04-26 11:57:18 UTC
(In reply to Mathieu Arnold from comment #2)
This argument is untrue for .signed files as they are created in namedb/master and cannot be moved elsewhere. For inline-signed DNSSEC, this is a POLA violation as it may render zones unsigned after restart.

Please also see https://forums.freebsd.org/threads/bind-permissions-for-inline-signing-dnssec.72840/ (No, that guy wasn't me.)