http://bugzilla.novell.com/show_bug.cgi?id=540966

User suse@tlinx.org added comment
http://bugzilla.novell.com/show_bug.cgi?id=540966#c2

L. A. Walsh <suse@tlinx.org> changed:

           What    |Removed            |Added
----------------------------------------------------------------------------
           Keywords|                   |security_vulnerability,
                   |                   |Systemic
           Priority|P5 - None          |P3 - Medium
                 CC|                   |suse@tlinx.org
         AssignedTo|pbaudis@novell.com |bnc-team-screening@forge.provo.novell.com

--- Comment #2 from L. A. Walsh <suse@tlinx.org> 2009-10-09 13:05:59 PDT ---

I have nscd running as user.group=nscd.nscd on my system.

Also note -- I would be filing this against 11.1, as that is what I am running. But it is, apparently, still a problem in 11.2.

Adding keywords 'security_vulnerability' even though it is somewhat minor -- it's a violation of good practice to run multiple daemons as 'nobody.nobody'. It's also a 'Systemic' problem (occurs with other daemons).

Request: Please, during install, create a small script to find the next location in the 'system' allocation block where uid=gid='free', and create them both with the same number. It makes later accounting/tracking MUCH simpler. :-)

Attaching my /etc/nscd.conf -- but it is nothing special -- the main things to note are
1) I have server-user = nscd
2) I have the log-dir in a subdir.

Not noted in the nscd.conf (but noted below), the 'run' file is also in its own subdir under /var/run -- also owned by nscd.nscd, that way nscd can happily create and delete its run and log files as an unprivileged user. Such a happy little camper!

I also, BTW, set 'stat-user' = to a local, unprivileged user that I usually login with so I could 'stat' nscd without having to "sudo to root" -- this could be a security 'bonus' (not needing root to 'stat' nscd), or a security 'hole' (an unprivileged user being able to stat nscd).
Can't really see the downside, so it's more likely a bonus than a 'hole'..:-)

The rc and conf scripts require
1) user.group == nscd.nscd be created by install
2) NOTE install script must not use the -u option to startproc, or nscd will exit with failure (won't be able to switch itself to 'nscd' and its associated groups)
3) default perms on /var/run/nscd/socket need to be set to
   /var/run/nscd/        nscd:nscd 755
   /var/run/nscd/socket  nscd:nscd 666

***** ****NOTE **** -- this "invalidates" the comment in the 'rc-script' in line 75 and
**** eliminates the need for the 'rm' following it:
-------------
 72 stop)
 73     echo -n "Shutting down Name Service Cache Daemon"
 74     /sbin/killproc -p $NSCD_PID -TERM $NSCD_BIN
 75     # if nscd does not run as root, it cannot remove this files:
 76     rm -f /var/run/nscd/socket $NSCD_PID
 77     rc_status -v
 78     ;;
-------------
It's currently set to be owned by root.

/etc/permissions{X} changes:
(Using bits rwx=421 (in case my memory is faulty, documenting my assumption): for ugo:)

3) /etc/permissions should have: (allow all read/write access - normal)
   /var/run/nscd         set to nscd:nscd 3755
   /var/run/nscd/socket  to nscd:nscd 666
4) /etc/permissions.secure to
   /var/run/nscd/        set to nscd:nscd 3751
   /var/run/nscd/socket  to nscd:nscd 666
   (Requires users be in group nscd to read dir contents, but others would still be able to use nscd).
5) /etc/permissions.paranoid to:
   /var/run/nscd/        set to nscd:nscd 3710
   /var/run/nscd/socket  to nscd:nscd 660
   (no one can see contents of dir except root & user nscd; ONLY users in group nscd can use the nscd caching daemon) - others get whatever other defaults are configured in /etc/nsswitch...

NOTE: I haven't tested the 'secure' or 'paranoid' settings
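A worked version of the install-time helper the comment asks for, added here as an example and not code from the bug report, the nscd package or openSUSE: it scans a passwd and a group file for the lowest id in the "system" range that is unused as both a uid and a gid, then prints the groupadd/useradd pair that would create a dedicated daemon account with uid == gid. The file paths, the id range (100..499, standing in for a distribution's SYS_UID_MIN/SYS_UID_MAX) and the account name are parameters and are assumptions; the passwd/group entries at the bottom are constructed sample data, not a real system's files.

```shell
#!/bin/sh
# Added example for this bug thread, not code from the report or from nscd.
# Finds the lowest id in the "system" range that is free as BOTH a uid and a
# gid, then prints the commands that would create a daemon account using it.
# Assumptions: passwd/group paths and the id range are passed in; the range
# 100..499 used below stands in for the distribution's SYS_UID_MIN/SYS_UID_MAX.

# next_free_sysid PASSWD GROUP MIN MAX
# Prints the first id in [MIN, MAX] that appears in neither file's third
# field (uid in passwd, gid in group). Exit status 1 if the range is full.
next_free_sysid() {
    awk -F: -v min="$3" -v max="$4" '
        # field 3 is the numeric id in both file formats; mark it as taken
        NF >= 3 && $3 ~ /^[0-9]+$/ { used[$3] = 1 }
        END {
            for (id = min; id <= max; id++)
                if (!(id in used)) { print id; exit 0 }
            exit 1
        }' "$1" "$2"
}

# daemon_account_commands NAME PASSWD GROUP MIN MAX
# Emits groupadd/useradd for NAME with uid == gid == the id found above.
# The commands are printed, not executed, so this runs safely unprivileged;
# a packager would pipe the output into sh as root at install time.
daemon_account_commands() {
    dac_name=$1
    dac_id=$(next_free_sysid "$2" "$3" "$4" "$5") || {
        echo "no free uid/gid pair in $4..$5" >&2
        return 1
    }
    printf 'groupadd -g %s %s\n' "$dac_id" "$dac_name"
    printf 'useradd -r -u %s -g %s -d /var/run/%s -s /sbin/nologin %s\n' \
        "$dac_id" "$dac_id" "$dac_name" "$dac_name"
}

# Demonstration on constructed sample files (NOT the real /etc/passwd):
# uid 100 is taken (messagebus) and gids 101 and 102 are taken, so the
# first id free on both sides is 103.
demo_dir=$(mktemp -d)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false' \
    'nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash' \
    > "$demo_dir/passwd"
printf '%s\n' 'root:x:0:' 'messagebus:x:101:' 'postfix:x:102:' \
    > "$demo_dir/group"
daemon_account_commands nscd "$demo_dir/passwd" "$demo_dir/group" 100 499
rm -rf "$demo_dir"
```

Checking both files before picking an id is the whole point: an id that is free in passwd but already a gid in group (101 above) would break the uid == gid bookkeeping the comment wants, and a plain `useradd` with no `-u` would happily hand out exactly that.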