On 20/09/2019 12.24, Anand Buddhdev wrote:
Hello Knot resolver folks, and especially the packagers,
I've noticed that the CentOS 7 packages published by CZNIC ship with
/etc/knot-resolver writable by the "knot-res" user (the directory mode
is 0775).
It seems that the directory is writable because kresd (running as user
knot-res) runs a Lua script to manage the /etc/knot-resolver/root.keys file.
My sysadmin mind is suspicious of this setup. If any other modules of
kresd have a bug, they have the potential to modify config files in
/etc/knot-resolver. My thinking is that the root.keys file should be
installed in /var/cache/knot-resolver, and that is writable by "knot-res".
Could someone please explain to me why the config directory is writable
by an unprivileged user? Is there a good reason I'm not seeing for this
setup?
Hi,
the reason for the 0775 permission on /etc/knot-resolver is the root.keys
file, as you mentioned.
The /etc/knot-resolver/kresd.conf is only writable by root (0644), as are
the other files kresd uses in the /etc/knot-resolver/ directory, so I don't
believe this is an issue from a security point of view.
However, I agree with you that it'd be better to restrict the permissions of
the config directory. I've created an issue [1] for it. We'll look into
it in future releases.
[1] https://gitlab.labs.nic.cz/knot/knot-resolver/issues/513
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
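An audit check for the layout discussed in this thread, added here as an example (not code from either poster or from the Knot Resolver project): it evaluates a config directory from the viewpoint of an unprivileged service account using only the stat mode bits, and reports for each file whether it is writable directly or merely replaceable because the containing directory is writable. The file names and modes in demo() are constructed to mirror the thread; the service uid/gid are stand-ins, not real knot-res ids.

```python
import os
import stat
import tempfile


def mode_allows_write(st, uid, gid):
    """True if st_mode grants write to a process with this uid/gid.
    Owner, then group, then other; root's bypass is deliberately ignored."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_config_dir(path, uid, gid):
    """Audit one directory as seen by an unprivileged service account.
    A 0644 root-owned file inside a directory that account can write is
    still replaceable (unlink/rename over it) unless the sticky bit is set."""
    dst = os.lstat(path)
    dir_writable = mode_allows_write(dst, uid, gid)
    sticky = bool(dst.st_mode & stat.S_ISVTX)
    files = {}
    for name in sorted(os.listdir(path)):
        fst = os.lstat(os.path.join(path, name))
        if not stat.S_ISREG(fst.st_mode):
            continue
        # Sticky bit restricts deletion to the file owner or directory owner.
        replaceable = dir_writable and (
            not sticky or fst.st_uid == uid or dst.st_uid == uid)
        files[name] = {"mode": oct(stat.S_IMODE(fst.st_mode)),
                       "writable": mode_allows_write(fst, uid, gid),
                       "replaceable": replaceable}
    return {"dir_mode": oct(stat.S_IMODE(dst.st_mode)),
            "dir_writable": dir_writable, "sticky": sticky, "files": files}


def demo(dir_mode=0o775):
    """Constructed sample: a config dir owned by us with the given mode,
    holding a 0644 kresd.conf and a group-writable 0664 root.keys.
    The 'service account' is a made-up uid in the directory's group."""
    d = tempfile.mkdtemp()
    os.chmod(d, dir_mode)
    for name, mode in (("kresd.conf", 0o644), ("root.keys", 0o664)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("# constructed sample\n")
        os.chmod(p, mode)
    owner = os.stat(d)
    return audit_config_dir(d, uid=owner.st_uid + 1, gid=owner.st_gid)
```

Calling demo() reproduces the 0775 case from the thread, while demo(0o755) shows the restricted directory the reply proposes, where kresd.conf is no longer replaceable by the service account.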