named.conf.rndc.maas is insecure by default

Bug #1066935 reported by Zygmunt Krynicki
This bug affects 1 person
Affects: maas (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Raphaël Badin

Bug Description

After default installation the following permissions are applied:

-rw-r--r-- 1 maas root 193 Oct 15 14:37 /etc/bind/maas/named.conf.rndc.maas

This makes the bind communication key readable to all users of the system.

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: maas-dns 0.1+bzr1264+dfsg-0ubuntu1
ProcVersionSignature: Ubuntu 3.5.0-17.28-generic 3.5.5
Uname: Linux 3.5.0-17-generic i686
ApportVersion: 2.6.1-0ubuntu3
Architecture: i386
Date: Mon Oct 15 17:10:58 2012
InstallationMedia: Ubuntu-Server 12.10 "Quantal Quetzal" - Release i386 (20121014)
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_US:en
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: maas
UpgradeStatus: No upgrade log present (probably fresh install)

Raphaël Badin (rvb) wrote :

setup_rndc() (in src/provisioningserver/dns/config.py) should be fixed to write the file with the appropriate permissions.

affects: maas (Ubuntu) → maas
Changed in maas:
importance: Undecided → High
status: New → Triaged
Changed in maas:
milestone: none → 12.10
Raphaël Badin (rvb) wrote :

In fact, that file needs to be readable by bind (which runs as the user 'bind') so we can't change the permissions to 0600. The proper fix would probably involve making it solely group-readable and having it in the 'bind' group... but is that something that can be done easily?

Julian Edwards (julian-edwards) wrote :

We should use the atomic_write script which has sudo permissions, and chgrp it to bind and make the file 0640.
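
The group-readable 0640 layout discussed in the comments above, as an added example that is not MAAS or packaging code: the key is written to a private temporary file, given its group and final mode, then renamed into place, so it is never world-readable on disk. The function names and the placeholder key text are assumptions; on a real system the gid would come from `grp.getgrnam("bind").gr_gid` and the caller needs the privilege to chgrp to it.

```python
import os
import stat
import tempfile


def write_secret_file(path, content, mode=0o640, gid=-1):
    """Atomically write content to path without a world-readable window.

    gid is the numeric group allowed to read the file (-1 leaves it as is).
    Hypothetical helper, not the MAAS atomic_write script.
    """
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600 regardless of the umask,
    # so the key is private from the first byte written.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".rndc-key.")
    try:
        with os.fdopen(fd, "w") as tmp:
            tmp.write(content)
            tmp.flush()
            os.fsync(tmp.fileno())
            os.fchown(tmp.fileno(), -1, gid)   # set the reading group first
            os.fchmod(tmp.fileno(), mode)      # then widen to the final mode
        os.replace(tmp_path, path)  # atomic rename within one directory
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def exposure(path):
    """Return the permission problems found on a key file (empty if none)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


if __name__ == "__main__":
    # Constructed demo: placeholder key text in a scratch directory.
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "named.conf.rndc.maas")
        key_text = 'key "rndc-maas" { secret "PLACEHOLDER"; };\n'
        write_secret_file(target, key_text, gid=os.getgid())
        print(oct(stat.S_IMODE(os.stat(target).st_mode)), exposure(target))
```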

Changed in maas:
importance: High → Critical
Changed in maas:
milestone: 12.10 → 12.10-stabilization
Raphaël Badin (rvb) wrote :

It's even more simple: this file is created by the set_up_dns command which is run in debian/maas-dns.postinst.

Changed in maas:
assignee: nobody → Raphaël Badin (rvb)
status: Triaged → In Progress
Raphaël Badin (rvb) wrote :

The file permissions are actually handled in the package. Reassigning this bug.

affects: maas → maas (Ubuntu)
Changed in maas (Ubuntu):
assignee: Raphaël Badin (rvb) → nobody
milestone: 12.10-stabilization → none
assignee: nobody → Raphaël Badin (rvb)
Raphaël Badin (rvb)
Changed in maas (Ubuntu):
status: In Progress → Fix Released