> [ Posted to BUGTRAQ and comp.protocols.dns.bind ]
> [ Standard apologies if this is already known - a search on the Bugtraq
> archive and Deja News comp.protocols.dns.bind doesn't indicate it.]

The standard place to report bugs in BIND is bind-bugsat_private

The following addresses the issues below and a few others by changing 4.9.7 to do what 8.1.x does, i.e. use the directory specified in named.{boot,conf} for temporaries and debug dumps.

Mark

*** named/ns_init.c.000 Mon Jun 2 06:34:35 1997 --- named/ns_init.c Sun Apr 12 13:12:05 1998 *************** *** 560,567 **** * We will always transfer this zone again * after a reload. */ ! sprintf(buf, "%s/NsTmp%ld.%d", _PATH_TMPDIR, ! (long)getpid(), tmpnum++); source = savestr(buf); zp->z_flags |= Z_TMP_FILE; } else --- 560,567 ---- * We will always transfer this zone again * after a reload. */ ! sprintf(buf, "NsTmp%ld.%d", (long)getpid(), ! tmpnum++); source = savestr(buf); zp->z_flags |= Z_TMP_FILE; } else *** named/ns_main.c.000 Mon Jun 2 06:34:36 1997 --- named/ns_main.c Sun Apr 12 14:51:45 1998 *************** *** 1463,1469 **** dprintf(1, (ddt, "sigprof()\n")); if (fork() == 0) { - (void) chdir(_PATH_TMPDIR); exit(1); } errno = save_errno; --- 1463,1468 ---- *** named/pathnames.h.000 Thu Dec 15 17:24:22 1994 --- named/pathnames.h Sat Apr 11 10:57:45 1998 *************** *** 74,88 **** #ifndef _PATH_XFER # define _PATH_XFER "/usr/libexec/named-xfer" #endif ! #define _PATH_DEBUG "/var/tmp/named.run" ! #define _PATH_DUMPFILE "/var/tmp/named_dump.db" #ifndef _PATH_PIDFILE # define _PATH_PIDFILE "/var/run/named.pid" #endif ! #define _PATH_STATS "/var/tmp/named.stats" ! #define _PATH_XFERTRACE "/var/tmp/xfer.trace" ! #define _PATH_XFERDDT "/var/tmp/xfer.ddt" ! #define _PATH_TMPXFER "/var/tmp/xfer.ddt.XXXXXX" #define _PATH_TMPDIR "/var/tmp" #else /* BSD */ --- 74,88 ---- #ifndef _PATH_XFER # define _PATH_XFER "/usr/libexec/named-xfer" #endif ! #define _PATH_DEBUG "named.run" ! 
#define _PATH_DUMPFILE "named_dump.db" #ifndef _PATH_PIDFILE # define _PATH_PIDFILE "/var/run/named.pid" #endif ! #define _PATH_STATS "named.stats" ! #define _PATH_XFERTRACE "xfer.trace" ! #define _PATH_XFERDDT "xfer.ddt" ! #define _PATH_TMPXFER "xfer.ddt.XXXXXX" #define _PATH_TMPDIR "/var/tmp" #else /* BSD */ *************** *** 92,106 **** #ifndef _PATH_XFER # define _PATH_XFER "/etc/named-xfer" #endif ! #define _PATH_DEBUG "/usr/tmp/named.run" ! #define _PATH_DUMPFILE "/usr/tmp/named_dump.db" #ifndef _PATH_PIDFILE # define _PATH_PIDFILE "/etc/named.pid" #endif ! #define _PATH_STATS "/usr/tmp/named.stats" ! #define _PATH_XFERTRACE "/usr/tmp/xfer.trace" ! #define _PATH_XFERDDT "/usr/tmp/xfer.ddt" ! #define _PATH_TMPXFER "/usr/tmp/xfer.ddt.XXXXXX" #define _PATH_TMPDIR "/usr/tmp" #endif /* BSD */ --- 92,106 ---- #ifndef _PATH_XFER # define _PATH_XFER "/etc/named-xfer" #endif ! #define _PATH_DEBUG "named.run" ! #define _PATH_DUMPFILE "named_dump.db" #ifndef _PATH_PIDFILE # define _PATH_PIDFILE "/etc/named.pid" #endif ! #define _PATH_STATS "named.stats" ! #define _PATH_XFERTRACE "xfer.trace" ! #define _PATH_XFERDDT "xfer.ddt" ! #define _PATH_TMPXFER "xfer.ddt.XXXXXX" #define _PATH_TMPDIR "/usr/tmp" #endif /* BSD */

>
> The new named(8) happily follows symlinks and clobbers any file on the
> system when it receives a SIGINT. (Used for debugging and statistics
> gathering) SIGINT dumps the named database to /var/tmp/named_dump.db
>
> It will also happily append data to any system file when it receives a
> SIGIOT. SIGIOT appends named statistics to /var/tmp/named.stats.
>
> This problem is probably recursive to previous versions of named but since
> I've already replaced mine I can't confirm that.
>
> On Wed, 8 Apr 1998, Aleph One wrote:
>
> [Snippage of the latest CERT]
>
> > (Note: the in.named(8) man page mentions that sending a SIGINT to the
> > in.named process will dump the current data base and cache to, by
> > default, /var/tmp/named_dump.db.
> > Some sites may find this useful in
> > looking for self-referential CNAMEs. Please see the in.named(8) man
> > page for further details.)
>
> This caught my eye in that CERT advisory and after updating my BIND to the
> new 4.9.7 ( RedHat 4.2 Linux 2.0.30 i586 ) and reading through the
> named(8) man pages I ran a quick check.
>
> [root]# cp /etc/shadow /etc/junk.shadow
> [root]# ls -l /etc/junk.shadow
> -r-------- 1 root root 992 Apr 10 12:52 junk.shadow
>
> Now as a non-priv user..
>
> [Luser]# ln -s /etc/junk.shadow /var/tmp/named_dump.db
> [Luser]# ln -s /etc/junk.shadow /var/tmp/named.stats
> [Luser]# logout
>
> (Now if ever root sends a SIGINT or SIGIOT /etc/junk.shadow is toast...)
>
> [root]# kill -SIGIOT [named.pid]
>
> [root]# ls -al /etc/junk.shadow
> -r-------- 1 root root 2251 Apr 10 13:00 /etc/junk.shadow
>
> [root]# less /etc/junk.shadow
>
> someusrr:[removed of course]:10311:-1:-1:-1:-1:-1:-1
> nothrusr:[removed of course]:10316:-1:-1:-1:-1:-1:-1
> +++ Statistics Dump +++ (892238406) Fri Apr 10 13:00:06 1998
> 2368 time since boot (secs)
> 2368 time since reset (secs)
> 0 Unknown query types
> <SNIP>
>
> The statistics dump gets appended to any file on the system.
>
> Now for the real horror -
>
> [root]# kill -SIGINT [named.pid]
> [root]# ls -l /etc/junk.shadow
> -r-------- 1 root root 5249 Apr 10 13:02 /etc/junk.shadow
> [root]# less /etc/junk.shadow
>
> ; Dumped at Fri Apr 10 13:02:40 1998
> ;; ++zone table++
> <SNIP>
>
> No trace of the original remains. Your shadow password file or anything
> else on the system is fried.
>
> Enjoy.
>
>
> --
> Joe H.                    Technical Support
> General Support: supportat_private    Blarg! Online Services, Inc.
> Voice: 425/401-9821 or 888/66-BLARG   http://www.blarg.net

--
Mark Andrews, CSIRO Mathematical and Information Sciences
Locked Bag 17, North Ryde, NSW 2113, Australia.
PHONE: +61 2 9325 3148   INTERNET: Mark.Andrewsat_private
MOBIL: +61 41 442 9884   UUCP:....!uunet!cmis.csiro.au!mark.andrews
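Review bot: the pathnames.h hunks make named_dump.db, named.stats, named.run and the xfer.* names relative to named's working directory, but nothing in the patch stops the open from following a symlink or checks the ownership and mode of that directory, so the fix holds only if the directory given in named.{boot,conf} is owned by the user named runs as and is not group- or world-writable; that precondition should be stated next to the defines or checked at startup before the first dump. Also, _PATH_TMPDIR is still defined as "/var/tmp" and "/usr/tmp" in both branches even though the ns_init.c hunk (the NsTmp sprintf) and the ns_main.c hunk (the chdir in the forked child) remove the uses shown here; if no other reference remains, drop the define, otherwise whatever still uses it is still pointed at a world-writable directory.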
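The hardened counterpart of the open that the quoted report exercises, added here as an illustration and not code from BIND or from anyone in this thread: a privileged daemon writing a dump or statistics file should open it relative to a directory it owns, refuse to follow a symlink at the final component, refuse a file that is not a plain single-link file it owns, and only truncate after those checks (so a hard link to someone else's file is not emptied by O_TRUNC). The names open_dump_file and selftest, the /tmp/ndump.XXXXXX scratch directory and the "victim" file are my own; the self-test constructs the planted-link setup in a private temporary directory, and goes beyond the post by also covering hard links and a 1777 directory like /var/tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The directory must be ours and not writable by group or others; a
 * 1777 /var/tmp fails the last test, which is the point. */
static int dir_is_private(int dfd)
{
    struct stat st;
    if (fstat(dfd, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Open "name" inside "dir": append == 0 gives a fresh (truncated) dump,
 * append != 0 appends, as the statistics dump does.  Returns an fd or -1
 * with errno set (ELOOP for a planted symlink, EPERM for a hard link,
 * a foreign file or an unsafe directory). */
int open_dump_file(const char *dir, const char *name, int append)
{
    int dfd, fd, saved;
    struct stat st;

    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL) {
        errno = EINVAL;                 /* bare file name only */
        return -1;
    }
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    if (!dir_is_private(dfd)) { close(dfd); errno = EPERM; return -1; }

    /* No O_TRUNC here: nothing is destroyed before the file is vetted. */
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_NOFOLLOW |
                (append ? O_APPEND : 0), 0600);
    saved = errno;
    close(dfd);
    if (fd < 0) { errno = saved; return -1; }

    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd); errno = EPERM; return -1;
    }
    if (!append && ftruncate(fd, 0) != 0) {
        saved = errno; close(fd); errno = saved; return -1;
    }
    return fd;
}

/* Self-test in a constructed scratch directory (not a real /var/tmp).
 * Returns 0 when every check passed, else a bitmask of failed checks. */
int selftest(void)
{
    char dir[] = "/tmp/ndump.XXXXXX", victim[128], dump[128];
    struct stat st;
    int fd, failed = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/named_dump.db", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7) return -1;
    close(fd);

    /* 1: symlink planted under the dump name -> ELOOP, victim untouched */
    if (symlink(victim, dump) != 0) return -1;
    fd = open_dump_file(dir, "named_dump.db", 0);
    if (fd != -1 || errno != ELOOP) { failed |= 1; if (fd >= 0) close(fd); }
    if (stat(victim, &st) != 0 || st.st_size != 7) failed |= 2;
    unlink(dump);

    /* 2: hard link planted -> EPERM, victim untouched (no early truncate) */
    if (link(victim, dump) != 0) return -1;
    fd = open_dump_file(dir, "named_dump.db", 0);
    if (fd != -1 || errno != EPERM) { failed |= 4; if (fd >= 0) close(fd); }
    if (stat(victim, &st) != 0 || st.st_size != 7) failed |= 8;
    unlink(dump);

    /* 3: nothing planted -> a fresh regular file; 4: append grows it */
    fd = open_dump_file(dir, "named_dump.db", 0);
    if (fd < 0 || write(fd, "; Dumped\n", 9) != 9) failed |= 16;
    if (fd >= 0) close(fd);
    fd = open_dump_file(dir, "named_dump.db", 1);
    if (fd < 0 || write(fd, "+++ Statistics Dump +++\n", 24) != 24) failed |= 32;
    if (fd >= 0) close(fd);
    if (stat(dump, &st) != 0 || st.st_size != 9 + 24) failed |= 64;

    /* 5: a world-writable sticky directory like /var/tmp is refused */
    chmod(dir, 01777);
    fd = open_dump_file(dir, "named_dump.db", 0);
    if (fd != -1 || errno != EPERM) { failed |= 128; if (fd >= 0) close(fd); }
    chmod(dir, 0700);

    unlink(dump); unlink(victim); rmdir(dir);
    return failed;
}

int main(void)
{
    int failed = selftest();
    printf("checks failed: 0x%x (0 means all passed)\n", failed);
    return failed != 0;
}
```

The directory is vetted through the same descriptor that openat() then uses, so there is no window between the check and the create; the file is vetted through its own descriptor for the same reason. Rejecting st_nlink != 1 is what catches the hard-link variant, which a symlink-only check misses.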
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:49:04 PDT