20 Zář
2019
20 Zář
'19
12:24
Hello Knot resolver folks, and especially the packagers,
I've noticed that the CentOS 7 packages published by CZNIC ship with
/etc/knot-resolver writable by the "knot-res" user (the directory mode
is 0775).
It seems that the directory is writable, because kresd (running as user
knot-res) runs a lua script to manage the /etc/knot-resolver/root.keys file.
My sysadmin mind is suspicious of this setup. If any other modules of
kresd have a bug, they have the potential to modify config files in
/etc/knot-resolver. My thinking is that the root.keys file should be
installed in /var/cache/knot-resolver, and that is writable by "knot-res".
Could someone please explain to me why the config directory is writable
by an unprivileged user? Is there a good reason I'm not seeing for this
setup?
Regards,
Anand Buddhdev
20 Zář
20 Zář
13:36
On 20/09/2019 12.24, Anand Buddhdev wrote:
Hello Knot resolver folks, and especially the
packagers,
I've noticed that the CentOS 7 packages published by CZNIC ship with
/etc/knot-resolver writable by the "knot-res" user (the directory mode
is 0775).
It seems that the directory is writable, because kresd (running as user
knot-res) runs a lua script to manage the /etc/knot-resolver/root.keys file.
My sysadmin mind is suspicious of this setup. If any other modules of
kresd have a bug, they have the potential to modify config files in
/etc/knot-resolver. My thinking is that the root.keys file should be
installed in /var/cache/knot-resolver, and that is writable by "knot-res".
Could someone please explain to me why the config directory is writable
by an unprivileged user? Is there a good reason I'm not seeing for this
setup?
Hi,
the reason for 0775 permission on /etc/knot-resolver is the root.keys
file, as you mentioned.
The /etc/knot-resolver/kresd.conf is only writable by root (0644), as
well as other files kresd uses in /etc/knot-resolver/ directory,
therefore I don't believe this is an issue from security point of view.
However, I agree with you it'd be better to restrict the permissions of
the config directory. I've created an issue [1] for it. We'll look into
it in future releases.
[1] - https://gitlab.labs.nic.cz/knot/knot-resolver/issues/513
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
13:45
On 20/09/2019 13.36, Tomas Krizek wrote:
The /etc/knot-resolver/kresd.conf is only writable by
root (0644), as
well as other files kresd uses in /etc/knot-resolver/ directory,
therefore I don't believe this is an issue from security point of view.
Turns out this is incorrect, since you can actually delete the file and
re-create it with other permissions. That's an oversight on my part. In
any case, we'll fix it.
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
14:06
On 20/09/2019 13:36, Tomas Krizek wrote:
Hi Tomas,
The /etc/knot-resolver/kresd.conf is only writable by
root (0644), as
well as other files kresd uses in /etc/knot-resolver/ directory,
therefore I don't believe this is an issue from security point of view.
The 0644 mode on kresd.conf is pointless, because the "knot-res" user
can *delete* the kresd.conf file, and then create a new one in its place.
In the meantime, if I want to move the root.keys file somewhere else, am
I right in assuming that I need to add this to the config?
trust_anchors.add_file('/var/cache/knot-resolver/root.keys')
Alternatively, am I right in assuming that I can disable RFC 5011 trust
anchor tracking with:
trust_anchors.add_file('root.keys', readonly=true)
However, I agree with you it'd be better to
restrict the permissions of
the config directory. I've created an issue [1] for it. We'll look into
it in future releases.
[1] - https://gitlab.labs.nic.cz/knot/knot-resolver/issues/513
Thanks!
Regards,
Anand
15:52
On 20/09/2019 14.06, Anand Buddhdev wrote:
In the meantime, if I want to move the root.keys file
somewhere else, am
I right in assuming that I need to add this to the config?
trust_anchors.add_file('/var/cache/knot-resolver/root.keys')
Correct. Just make sure to move the root.keys file to that location,
since bootstrap won't happen in this case. The default keyfile path was
baked-in at compile time, so kresd attempts to use that in case the
provided path doesn't exists. If the file is found, however, it will be
used and auto-managed with RFC 5011.
I'd also recommend using a different location, such as
/var/lib/knot-resolver to avoid any future issues in case you'd manually
delete the entire cache directory for some reason.
Alternatively, am I right in assuming that I can
disable RFC 5011 trust
anchor tracking with:
trust_anchors.add_file('root.keys', readonly=true)
You disable RFC 5011 with:
trust_anchors.add_file('/etc/knot-resolver/root.keys', true)
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
1920
days inactive
1920
days old
knot-resolver-users@lists.nic.cz
4 comments
2 participants
participants (2)
-
Anand Buddhdev -
Tomas Krizek