https://bugzilla.novell.com/show_bug.cgi?id=740327
https://bugzilla.novell.com/show_bug.cgi?id=740327#c0
Summary: usr.sbin.named profile too permissive
Classification: openSUSE
Product: openSUSE 12.2
Version: Factory
Platform: Other
OS/Version: All
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: ug@suse.com
ReportedBy: suse-beta@cboltz.de
QAContact: qa@suse.de
Found By: Beta-Customer
Blocker: ---
(Bug report based on bug 731572 comment 1 and the latest bind package from the
network repo.)
The usr.sbin.named profile is too permissive.
Several rules seem to have their history in the times when AppArmor handled the
paths relative to the chroot. For some years now, the paths in the profiles have
been handled relative to the "real" root directory (for named, this means / in the
chroot is /var/lib/named/ in the profile).
There are also some other details; please see the inline comments below.
/usr/sbin/named {
  #include
  #include
  #include
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  /** r, # leftover from the times when AppArmor paths were relative to the
         # chroot? I doubt it's needed nowadays. "/var/lib/named/** r" should
         # be enough.
  /dyn/** rwl, # see above - should probably be /var/lib/named/dyn/**
  /usr/bin/dnskeygen mix,
  /usr/bin/dnsquery mix,
  /usr/sbin/named rmix,
  /usr/sbin/named-xfer mix,
  /var/lib/named/** rwl, # this rule is very broad and makes the profile
         # insecure (for example, an attacker could upload and use his own
         # libs, aka "remote code execution", if he finds a vulnerability).
         # Does bind really need write permissions for all those files?
         # Changing this rule to "r" only and adding "rwl" rules for specific
         # subdirs would be much more secure.
  /var/named/** rwl, # does this directory exist? It doesn't look too FHS
         # compliant ;-)
  /var/run/named.pid wl,
  /var/run/named/named.pid wl,
  /var/run/ndc wl,
  /slave/* rw, # should probably be /var/lib/named/slave/*
  /var/opt/novell/xad/ds/krb5kdc/krb5.keytab r, # I have no idea what xad is.
         # Nevertheless - is this something that should be in abstractions/xad?
  /var/tmp/DNS_* rw, # add "owner" keyword?
  /tmp/DNS_* rw, # add "owner" keyword?
  /var/lib/named/lib64/** mrlpx, # this and the next rule are too permissive
         # - the "remote code execution" note above applies. Please revert the
         # changes from bug 716745 and show me the audit.log lines that you
         # get, and I'll give you a working _and_ secure rule ;-) See also
         # bug 716745 comment 28. Oh, and (if you really need the px part,
         # which would be surprising for a library) you should use Px to clean
         # up the environment variables.
  /var/lib/named/lib/** mrlpx, # see above, and BTW: you can use "lib{,64}"
         # to combine both rules
}
I can (and will) help you with the AppArmor part, but my knowledge of named is
very limited. The good thing (for you) is that audit.log entries look the same
for many programs ;-)
If you are willing to invest some time to make the profile secure, I can write
a "probably-working" profile based on my comments above - but I'll need you to
test and fine-tune it.
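The review criteria above (chroot-relative leftovers, recursive write over whole trees, exec permission on library trees and lowercase px, temp files without "owner", lib/lib64 pairs that could be one lib{,64} rule) can be mechanised as a small lint. The following script is an added example, not part of the bug report, the bind package or the AppArmor project. It runs the checks over a constructed copy of the named rules quoted above (abstractions left out). The FHS_TOP list, and the assumption that a library tree needs only "mr", are the author's own; as the report says, the final rules have to be confirmed against audit.log.

```python
"""Lint AppArmor path rules for the weaknesses raised in bug 740327.

Added example; encodes the reporter's review criteria as checks.
"""
import re
from dataclasses import dataclass

# named's chroot: AppArmor paths are relative to the real root, so "/" inside
# the chroot is this directory in the profile (stated in the report).
CHROOT = "/var/lib/named"

# Assumption: top-level directories a real-root path may start with; a rule
# whose first component is not one of these is probably chroot-relative.
FHS_TOP = {"bin", "boot", "dev", "etc", "home", "lib", "lib64", "opt", "proc",
           "root", "run", "sbin", "srv", "sys", "tmp", "usr", "var"}

# "owner /path/glob perms," with an optional trailing "# comment"
RULE_RE = re.compile(r"^\s*(?P<owner>owner\s+)?(?P<path>/\S*)\s+(?P<perms>[A-Za-z]+)\s*,")


@dataclass
class Finding:
    rule: str
    problem: str
    suggestion: str


def check_rule(line: str) -> list[Finding]:
    """Apply the per-rule checks to one profile line; non-path lines give []."""
    m = RULE_RE.match(line)
    if not m:
        return []
    rule = line.split("#", 1)[0].strip()
    path, perms = m.group("path"), m.group("perms")
    top = path.split("/")[1]
    out: list[Finding] = []

    # 1. Leftovers from chroot-relative profiles: "/** r" and paths such as
    #    /dyn/** or /slave/* that only exist inside the chroot.
    if path == "/**":
        out.append(Finding(rule, "read access to the whole filesystem",
                           f"drop it; '{CHROOT}/** r' already covers the chroot"))
    elif top not in FHS_TOP:
        out.append(Finding(rule, "path looks chroot-relative, not real-root",
                           f"{CHROOT}{path} {perms},"))

    # 2. Recursive write over a whole tree lets a compromised named plant
    #    files, including libraries it later loads.
    if path.endswith("**") and "w" in perms:
        out.append(Finding(rule, "recursive write over a whole tree",
                           f"{path} r, plus rwl rules for the subdirectories named must write"))

    # 3. Libraries need map+read, not execute (assumption: "mr" suffices); a
    #    genuine exec transition should use Px so the child gets a clean env.
    if re.search(r"/lib(64)?/\*\*$", path) and "x" in perms:
        out.append(Finding(rule, "execute permission on a library tree",
                           f"{path} mr, (use Px instead of px if an exec is really needed)"))
    elif "p" in perms:
        out.append(Finding(rule, "px keeps the caller's environment variables",
                           f"{path} {perms.replace('p', 'P')},"))

    # 4. Temporary files should be limited to those named itself owns.
    if path.startswith(("/tmp/", "/var/tmp/")) and m.group("owner") is None:
        out.append(Finding(rule, "temp-file rule without the owner keyword",
                           f"owner {rule}"))
    return out


def check_profile(text: str) -> list[Finding]:
    """Run check_rule over every line, then the cross-rule lib{,64} check."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    for line in text.splitlines():
        findings.extend(check_rule(line))
        m = RULE_RE.match(line)
        if m:
            seen.add((m.group("path"), m.group("perms")))
    # 5. A lib/ rule and an identical lib64/ rule collapse into one lib{,64} rule.
    for path, perms in sorted(seen):
        if "/lib64/" in path and (path.replace("/lib64/", "/lib/", 1), perms) in seen:
            merged = path.replace("/lib64/", "/lib{,64}/", 1)
            findings.append(Finding(f"{path} {perms},", "duplicate lib/lib64 rules",
                                    f"{merged} {perms},"))
    return findings


# Constructed sample: the rules quoted in the report, abstractions omitted.
SAMPLE_PROFILE = """
/usr/sbin/named {
  capability net_bind_service,
  /** r,
  /dyn/** rwl,
  /usr/sbin/named rmix,
  /var/lib/named/** rwl,
  /var/named/** rwl,
  /slave/* rw,
  /var/tmp/DNS_* rw,
  /tmp/DNS_* rw,
  /var/lib/named/lib64/** mrlpx,
  /var/lib/named/lib/** mrlpx,
}
"""

if __name__ == "__main__":
    for f in check_profile(SAMPLE_PROFILE):
        print(f"{f.rule:34} {f.problem}\n{'':34} -> {f.suggestion}")
```

Each finding carries the original rule, the problem and a suggested replacement; rules that are already real-root, read-only and owner-scoped (for example "/usr/sbin/named rmix,") produce no finding.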