Ondřej Surý wrote:
> Well,
>
> I am not going to argue whether this is grave security bug or not. But

I didn't want to mark it as "grave". In fact, I did something wrong while submitting the bug, so it ended up with the wrong (or no) severity. It's definitely a security-related issue.

> please note that there hasn't been single security issue I am aware of
> in nsd2 (and nsd3), so this bug is only hypothetical.

If there are no security bugs in there, there's no need to run it as a non-root user. As simple as that. It's the classical principle of least privilege, and by doing such a simple thing as chown we're breaking that principle. But I already mentioned that in the original bug report.

> However I am going to replace first two lines of start: to:
>
> if ${rebuild} && [ \( "${zonesfile}" -nt "${dbfile}" \) -a -n "${nsd_user}" ]; then
>     /sbin/start-stop-daemon --start -c nsd:nsd --exec /usr/sbin/nsdc -- rebuild
> fi

That'd be a good solution. Note that the same thing applies to the directory itself, in the nsd3 startup script as well.

> And nsd2 is going to be dropped and replaced with nsd3 in the next stable.

Yeah, I'd say go for it. I didn't know about the nsd3 package when filing this bug, but now I do and have nsd3 installed already, and it too contains several issues of the same sort. Mostly trivial to fix, but without that the whole thing looks... dirty.

Please don't get me wrong here. I'm not nitpicking and not trying to find something to curse about. I'm not saying that nsd (or unbound or other software) is buggy. I'm pointing out possible, quite obvious, problems and wrong coding style, so to say, in the hope of fixing them. That thing - the chown call - I noticed it while looking at the package for the first time (I didn't know what nsd is), and it immediately caught my attention as a Very Bad Thing To Do. Which is, by itself, a very bad thing for a first impression, don't you think?

Thank you for working on this matter.

/mjt
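The two init-script patterns discussed in the thread, side by side, as an added example (not code from the Debian bug thread or from the nsd package): the rebuild-as-root-then-chown pattern mjt objects to, and the start-stop-daemon `-c nsd:nsd` variant Ondřej proposes, which switches to the service user before nsdc ever runs so no chown is needed afterwards. The variable names `rebuild`, `zonesfile`, `dbfile` and `nsd_user` follow the quoted snippet; the `/var/lib/nsd` path is an assumption, and only the pure decision helper is meant to be exercised outside an init script.

```shell
#!/bin/sh
# Added example, not the nsd package's own init script. Paths other than
# those quoted in the thread (/usr/sbin/nsdc, /sbin/start-stop-daemon) are
# assumptions, marked where they appear.

# Decide whether the zone database must be rebuilt: the zone list is newer
# than the compiled database AND an unprivileged service user is configured.
# Returns 0 (rebuild) or 1 (skip). Mirrors the test in the quoted snippet.
should_rebuild() {
    zonesfile=$1; dbfile=$2; nsd_user=$3
    [ -n "$nsd_user" ] || return 1
    [ "$zonesfile" -nt "$dbfile" ]
}

# The pattern objected to: the rebuild runs with the init script's root
# privileges and the database (and, as noted for nsd3, the directory) is
# handed to the service user afterwards. Nothing in the rebuild needed root.
rebuild_as_root_then_chown() {
    /usr/sbin/nsdc rebuild
    chown -R "$1" /var/lib/nsd   # assumed path; this is the chown under discussion
}

# The least-privilege variant: start-stop-daemon drops to the given user:group
# (-c) before exec'ing nsdc, so no step of the rebuild runs as root and no
# ownership fix-up is required.
rebuild_as_service_user() {
    /sbin/start-stop-daemon --start -c "$1" --exec /usr/sbin/nsdc -- rebuild
}

# Usage inside the init script's start action (nsd_user assumed to be "nsd"):
#   if ${rebuild} && should_rebuild "${zonesfile}" "${dbfile}" "${nsd_user}"; then
#       rebuild_as_service_user "${nsd_user}:${nsd_user}"
#   fi
```

The decision helper is kept separate from the privileged actions so that the only part an init script needs to get right (which user the rebuild runs as) is a single argument to start-stop-daemon rather than a chown scattered across several places.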