[Bug 740327] New: usr.sbin.named profile too permissive
https://bugzilla.novell.com/show_bug.cgi?id=740327
https://bugzilla.novell.com/show_bug.cgi?id=740327#c0

           Summary: usr.sbin.named profile too permissive
    Classification: openSUSE
           Product: openSUSE 12.2
           Version: Factory
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: ug@suse.com
        ReportedBy: suse-beta@cboltz.de
         QAContact: qa@suse.de
          Found By: Beta-Customer
           Blocker: ---

(bugreport based on bug 731572 comment 1 and the latest bind package from the
network repo)

The usr.sbin.named profile is too permissive. Several rules seem to have their
history in the times when AppArmor handled the paths relative to the chroot.
Since some years, the paths in the profiles are handled relative to the "real"
root directory (for named, this means / in the chroot is /var/lib/named/ in the
profile).

There are also some other details, please see the inline comments below.

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/xad>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  /** r,
  # leftover from the times when AppArmor paths were relative to the chroot?
  # I doubt it's needed nowadays. "/var/lib/named/** r" should be enough.

  /dyn/** rwl,
  # see above - should probably be /var/lib/named/dyn/**

  /usr/bin/dnskeygen mix,
  /usr/bin/dnsquery mix,
  /usr/sbin/named rmix,
  /usr/sbin/named-xfer mix,

  /var/lib/named/** rwl,
  # this rule is very broad and makes the profile insecure (for example, an
  # attacker could upload and use his own libs, aka "remote code execution",
  # if he finds a vulnerability). Does bind really need write permissions for
  # all those files? Changing this rule to "r" only and adding "rwl" rules for
  # specific subdirs would be much more secure.

  /var/named/** rwl,
  # does this directory exist? It doesn't look too FHS compliant ;-)

  /var/run/named.pid wl,
  /var/run/named/named.pid wl,
  /var/run/ndc wl,

  /slave/* rw,
  # should probably be /var/lib/named/slave/*

  /var/opt/novell/xad/ds/krb5kdc/krb5.keytab r,
  # I have no idea what xad is. Nevertheless - is this something that should
  # be in abstractions/xad?

  /var/tmp/DNS_* rw,
  # add "owner" keyword?
  /tmp/DNS_* rw,
  # add "owner" keyword?

  /var/lib/named/lib64/** mrlpx,
  # this and the next rule are too permissive - the "remote code execution"
  # note above applies. Please revert the changes from bug 716745 and show me
  # the audit.log lines that you get, and I'll give you a working _and_ secure
  # rule ;-) See also bug 716745 comment 28.
  # Oh, and if you really need the px part (which would be surprising for a
  # library), you should use Px to clean up the environment variables.

  /var/lib/named/lib/** mrlpx,
  # see above, and BTW: you can use "lib{,64}" to combine both rules
}

I can (and will) help you with the AppArmor part, but my knowledge of named is
very limited. The good thing (for you) is that audit.log entries look the same
for many programs ;-)

If you are willing to invest some time to make the profile secure, I can write a
"probably-working" profile based on my comments above - but I'll need you to
test and finetune it.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
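An added example, not part of the bug report or of the bind package: a small Python linter that mechanically raises the objections made in comment #0 against a flat AppArmor profile (filesystem-wide rules, chroot-relative leftovers, recursive writes, write plus mmap/exec overlap, lowercase px/ux, temp-file rules without "owner"). The FHS directory list, the representative-path trick used to decide whether one glob covers another, and the two embedded profiles (a copy of the rules above and of the strict profile from comment #2, comments dropped) are this example's own assumptions; it understands only the single-profile syntax used in this bug.

```python
import re

# FHS top-level directories. A rule whose path starts elsewhere (e.g. /dyn/**)
# is most likely a leftover from when AppArmor resolved paths inside the chroot.
FHS_TOP = {"bin", "boot", "dev", "etc", "home", "lib", "lib64", "media", "mnt",
           "opt", "proc", "root", "run", "sbin", "srv", "sys", "tmp", "usr", "var"}
RULE_RE = re.compile(r"^(?:(owner)\s+)?(\S+)\s+([A-Za-z]+)$")


def parse_rules(profile_text):
    """(path, perms, has_owner) for each file rule of a flat profile; '#include',
    'capability', the header line and '}' are skipped (no nested profiles)."""
    rules = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drops comments and #include
        if line.endswith(",") and not line.startswith("capability "):
            m = RULE_RE.match(line[:-1].strip())
            if m:
                rules.append((m.group(2), m.group(3), m.group(1) is not None))
    return rules


def glob_to_regex(pat):
    """AppArmor glob ('*', '**', '{a,b}', no nested braces) to an anchored regex."""
    out, i = "", 0
    while i < len(pat):
        if pat.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pat[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pat[i] == "{":
            j = pat.index("}", i)
            out += "(" + "|".join(glob_to_regex(a)[1:-1] for a in pat[i + 1:j].split(",")) + ")"
            i = j + 1
        else:
            out, i = out + re.escape(pat[i]), i + 1
    return "^" + out + "$"


def representative(pat):
    """A concrete path `pat` matches (first brace alternative, 'x' per '*',
    'x/x' per '**'); a cheap probe, not an exact pattern-subset test."""
    pat = re.sub(r"\{([^}]*)\}", lambda m: m.group(1).split(",")[0], pat)
    return pat.replace("**", "x/x").replace("*", "x")


def covers(a, b):
    """Heuristic: does glob `a` match the representative path of glob `b`?"""
    return re.match(glob_to_regex(a), representative(b)) is not None


def lint_profile(profile_text):
    """Findings for the weaknesses discussed in comment 0: filesystem-wide rules,
    chroot-relative leftovers, recursive writes, write+mmap/exec overlap,
    px/ux without environment scrubbing, temp-file rules without 'owner'."""
    rules = parse_rules(profile_text)
    writable = [p for p, perms, _ in rules if "w" in perms]
    findings = []
    for path, perms, has_owner in rules:
        tag = f"{path} {perms}:"
        top = representative(path).lstrip("/").split("/", 1)[0]
        if path.startswith("/**"):
            findings.append(f"{tag} matches the whole filesystem")
        elif top not in FHS_TOP:
            findings.append(f"{tag} '/{top}' is no standard top-level directory, "
                            "looks chroot-relative")
        if "w" in perms and "**" in path:
            findings.append(f"{tag} recursive write on a whole tree")
        if "m" in perms or "x" in perms:
            for wp in writable:
                if covers(wp, path):
                    findings.append(f"{tag} mmap/exec on files writable through "
                                    f"'{wp}' (attacker-supplied code could be loaded)")
        if "px" in perms or "ux" in perms:
            findings.append(f"{tag} use Px/Ux so the environment is scrubbed")
        if path.startswith(("/tmp/", "/var/tmp/")) and not has_owner:
            findings.append(f"{tag} add 'owner' for the temp-file rule")
    return findings


# Constructed copies of the profile from comment 0 (inline comments dropped)
# and of the strict profile from comment 2, reduced to their file rules.
PERMISSIVE = """/usr/sbin/named {
  #include <abstractions/base>
  capability sys_chroot,
  /** r,
  /dyn/** rwl,
  /usr/sbin/named rmix,
  /var/lib/named/** rwl,
  /var/named/** rwl,
  /var/run/named.pid wl,
  /slave/* rw,
  /var/tmp/DNS_* rw,
  /tmp/DNS_* rw,
  /var/lib/named/lib64/** mrlpx,
  /var/lib/named/lib/** mrlpx,
}"""
STRICT = """/usr/sbin/named {
  capability sys_chroot,
  /usr/sbin/named rmix,
  /var/lib/named/** r,
  /var/lib/named/dyn/* rw,
  /var/lib/named/slave/* rw,
  /var/lib/named/log/* rw,
  /{var/,}run/named.pid wl,
  /{var/,}run/ndc wl,
  owner /var/tmp/DNS_* rw,
  owner /tmp/DNS_* rw,
  /var/lib/named/lib{,64}/** mr,
}"""

if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(f"== {name}")
        for f in lint_profile(text) or ["(no findings)"]:
            print("  ", f)
```

Feed a real profile with lint_profile(open(path).read()). An empty result only means none of the checked patterns is present; the checks are syntactic and say nothing about whether named actually needs the access that remains, which is what the complain-mode run in the thread is for.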
https://bugzilla.novell.com/show_bug.cgi?id=740327#c1

Bruno Friedmann <bruno@ioda-net.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bruno@ioda-net.ch

--- Comment #1 from Bruno Friedmann <bruno@ioda-net.ch> 2012-01-10 06:52:13 UTC ---

/me interested :D

Just a comment: dyn, slave & log need to be rw for the named user.
log is used and defined in /etc/named (commented by default, but useful for
admins if we want logs).
https://bugzilla.novell.com/show_bug.cgi?id=740327#c2

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |bruno@ioda-net.ch

--- Comment #2 from Christian Boltz <suse-beta@cboltz.de> 2012-01-10 13:00:59 CET ---

Sounds like I have a tester :-)

Here's a strict version of the profile - most probably too strict.
Replace your existing named profile with this one, switch it to complain
(learning) mode with

    aa-complain usr.sbin.named
    rcapparmor reload

You may also want to rotate your "old" audit.log away using

    cd /var/log/audit
    old audit.log
    rcauditd restart

Then restart named, use it etc. - and use aa-logprof to update the profile.

When done, please attach /var/log/audit/audit.log and the updated named
profile to this bugreport.

See http://en.opensuse.org/openSUSE:Bugreport_AppArmor for more details, and
don't forget to switch the profile back to enforce mode ;-)

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/xad>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  /usr/bin/dnskeygen mix,
  /usr/bin/dnsquery mix,
  /usr/sbin/named rmix,
  /usr/sbin/named-xfer mix,

  /var/lib/named/** r,
  /var/lib/named/dyn/* rw,
  /var/lib/named/slave/* rw,
  /var/lib/named/log/* rw,

  /{var/,}run/named.pid wl,        # which is the correct pid file? this one or ...
  /{var/,}run/named/named.pid wl,  # ... this one?
  /{var/,}run/ndc wl,

  /var/opt/novell/xad/ds/krb5kdc/krb5.keytab r,

  owner /var/tmp/DNS_* rw,
  owner /tmp/DNS_* rw,

  /var/lib/named/lib{,64}/** mr,   # strict version from bug 716745 / bug 716745
}
https://bugzilla.novell.com/show_bug.cgi?id=740327#c3

--- Comment #3 from Bruno Friedmann <bruno@ioda-net.ch> 2012-01-16 18:15:01 UTC ---

Christian, I just need a bit of time (next week-end) and to find a production
dns that can afford to be destroyed by apparmor :D
Then I will provide you the result.
https://bugzilla.novell.com/show_bug.cgi?id=740327#c4

--- Comment #4 from Christian Boltz <suse-beta@cboltz.de> 2012-03-14 21:40:31 CET ---

ping - Bruno, how long are your weekends? ;-)
https://bugzilla.novell.com/show_bug.cgi?id=740327#c5

Paul M <paul-opensuse@mansfield.co.uk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |paul-opensuse@mansfield.co.uk

--- Comment #5 from Paul M <paul-opensuse@mansfield.co.uk> 2012-06-10 12:47:35 UTC ---

This problem was still outstanding for me, I just upgraded my fileserver from
11.4 to 12.1-i586.

I tried adding this to usr.sbin.named

    /var/lib/named/lib/engines/libgost.so rwml,

which is what apparmor reported when in complain mode, but it didn't work!

I am puzzled why named even wants to modify libgost!
https://bugzilla.novell.com/show_bug.cgi?id=740327#c6

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       InfoProvider|bruno@ioda-net.ch           |paul-opensuse@mansfield.co.uk

--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> 2012-06-10 16:51:51 CEST ---

(In reply to comment #5)
> /var/lib/named/lib/engines/libgost.so rwml,
> which is what apparmor reported when in complain mode, but it didn't work!
> I am puzzled why named even wants to modify libgost!

Indeed, that looks very strange. Can you please attach your named profile
(without the line for libgost.so) and /var/log/audit/audit.log?

It would be even better if you could test the (stricter) profile from
comment #2. Switch it to complain mode, use named for some time and then attach
your audit.log.
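An added example for the complain-mode workflow of comment #2 and for the kind of entry Paul saw in comment #5; it is not code from the bug thread, from bind or from aa-logprof. The Python below reduces AppArmor audit.log records to candidate rules: it merges the masks seen per path, prefixes "owner" when fsuid matched ouid on every access, and flags a path that was both written and mmap'ed/executed instead of quietly emitting "rwml" for it, which is exactly the case that deserves an explanation before it gets a rule. The audit lines are constructed (uids, pids and the extra dhcpd/PAM lines are invented to show the filtering); the field layout follows the key="value" form of AppArmor audit records, and folding the a/c/d mask letters into "w" is this example's assumption.

```python
import re
from collections import defaultdict

TOKEN_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
NORMALIZE = {"a": "w", "c": "w", "d": "w"}   # append/create/delete all need 'w'
ORDER = "rwlkm"                              # order of emitted permission letters


def parse_audit_line(line):
    """key=value fields of one audit line (quotes stripped), or None when the
    line carries no AppArmor verdict (apparmor="ALLOWED" in complain mode,
    apparmor="DENIED" in enforce mode)."""
    fields = {}
    for key, value, quoted in TOKEN_RE.findall(line):
        fields[key] = quoted if value.startswith('"') else value
    return fields if fields.get("apparmor") in ("ALLOWED", "DENIED") else None


def fmt_perms(mask):
    """Profile permission string for a set of normalized mask letters; 'x' is
    rendered as 'ix' here, a real profile should choose Px/Cx deliberately."""
    return "".join(c for c in ORDER if c in mask) + ("ix" if "x" in mask else "")


def suggest_rules(log_text, profile):
    """Aggregate the events of `profile` into candidate rules: one per
    capability and one per path, prefixed with 'owner' when every event had
    fsuid == ouid. A path that was both written and mmap'ed/executed still
    gets its rule, but is additionally reported as a warning."""
    caps, files = set(), defaultdict(lambda: {"mask": set(), "owner": True})
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get("profile") != profile:
            continue
        if ev.get("operation") == "capable":
            caps.add(ev["capname"])
        elif "name" in ev:
            mask = ev.get("denied_mask") or ev.get("requested_mask", "")
            entry = files[ev["name"]]
            entry["mask"].update(NORMALIZE.get(ch, ch) for ch in mask)
            entry["owner"] &= "fsuid" in ev and ev["fsuid"] == ev.get("ouid")
    rules = [f"capability {c}," for c in sorted(caps)]
    warnings = []
    for path in sorted(files):
        mask, owner = files[path]["mask"], files[path]["owner"]
        rules.append(f"{'owner ' if owner else ''}{path} {fmt_perms(mask)},")
        if "w" in mask and ("m" in mask or "x" in mask):
            warnings.append(f"{path}: written and loaded/executed by the same "
                            "profile; investigate before granting both")
    return rules, warnings


# Constructed audit lines in the layout of complain-mode entries; uids, pids
# and the dhcpd/PAM lines are made up to exercise the filtering.
AUDIT_LOG = """\
type=APPARMOR_ALLOWED msg=audit(1326196800.100:200): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/named" pid=2210 comm="named" capability=10 capname="net_bind_service"
type=APPARMOR_ALLOWED msg=audit(1326196800.101:201): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/named/log/named.log" pid=2210 comm="named" requested_mask="ac" denied_mask="ac" fsuid=44 ouid=44
type=APPARMOR_ALLOWED msg=audit(1326196800.102:202): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/named/log/named.log" pid=2210 comm="named" requested_mask="r" denied_mask="r" fsuid=44 ouid=44
type=APPARMOR_ALLOWED msg=audit(1326196800.103:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/named/slave/example.net.zone" pid=2210 comm="named" requested_mask="wc" denied_mask="wc" fsuid=44 ouid=0
type=APPARMOR_ALLOWED msg=audit(1326196800.104:204): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/var/lib/named/lib/engines/libgost.so" pid=2210 comm="named" requested_mask="mr" denied_mask="mr" fsuid=44 ouid=0
type=APPARMOR_ALLOWED msg=audit(1326196800.105:205): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/named/lib/engines/libgost.so" pid=2210 comm="named" requested_mask="w" denied_mask="w" fsuid=44 ouid=0
type=APPARMOR_ALLOWED msg=audit(1326196800.106:206): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dhcpd" name="/var/lib/dhcp/db/dhcpd.leases" pid=2300 comm="dhcpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=USER_START msg=audit(1326196800.107:207): user pid=2301 uid=0 auid=0 ses=3 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" res=success'
"""

if __name__ == "__main__":
    rules, warnings = suggest_rules(AUDIT_LOG, "/usr/sbin/named")
    print("\n".join(rules))
    for w in warnings:
        print("WARNING:", w)
```

The output is per-path, like the raw aa-logprof suggestions; collapsing several files in one directory into a glob such as /var/lib/named/slave/* is a judgement call that belongs to the person reviewing the profile, not to the script. The warning is the point: a library that the daemon both writes and mmaps is either a packaging problem or an intrusion, and a profile rule is the wrong answer to both.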
https://bugzilla.novell.com/show_bug.cgi?id=740327#c7

Uwe Gansert <ug@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       InfoProvider|paul-opensuse@mansfield.co.uk|suse-beta@cboltz.de

--- Comment #7 from Uwe Gansert <ug@suse.com> 2012-08-03 12:52:59 UTC ---

Christian, I don't think Paul will react. If the apparmor profile works for
you, can you do a submit request against
https://build.opensuse.org/package/show?package=bind&project=network please?
https://bugzilla.novell.com/show_bug.cgi?id=740327#c8

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|suse-beta@cboltz.de         |

--- Comment #8 from Christian Boltz <suse-beta@cboltz.de> 2012-08-03 21:44:12 CEST ---

(In reply to comment #7)
> Christian, I don't think Paul will react. If the apparmor profile works for
> you, can you do a submit request

Not really. I'm just the cleaner^W AppArmor maintainer ;-) but I don't use
named myself. This means I can't really test the named profile (and Paul's
change looks very strange, so I don't want to blindly include it).

If someone tests the profile from comment #2 and provides me with the
audit.log, I can help to update the profile. (Uwe, you as the named maintainer
would be a good "someone" ;-)
https://bugzilla.novell.com/show_bug.cgi?id=740327#c10

--- Comment #10 from Reinhard Max <max@suse.com> 2013-07-24 16:30:11 CEST ---

Isn't apparmor more or less dead by now? I think I'll just remove these
profiles if they don't work.
https://bugzilla.novell.com/show_bug.cgi?id=740327#c11

--- Comment #11 from Bruno Friedmann <bruno@ioda-net.ch> 2013-07-24 15:17:46 UTC ---

Sorry, can't say anything about it. I've removed apparmor completely from any
new installation (12.3 based). I was not satisfied with the way it works, and
have spent more time trying to fix it or make it work than simply monitoring
what the daemons were doing.
https://bugzilla.novell.com/show_bug.cgi?id=740327#c12

Reinhard Max <max@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #12 from Reinhard Max <max@suse.com> 2013-07-24 17:38:19 CEST ---

Thanks for the confirmation that removing that crap is a good idea. ;)

Fixed for 13.1.
https://bugzilla.novell.com/show_bug.cgi?id=740327#c13

--- Comment #13 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-07-24 19:00:08 CEST ---

This is an autogenerated message for OBS integration:
This bug (740327) was mentioned in
https://build.opensuse.org/request/show/184213 Factory / bind