Re: BIND 4.9.7 named follows symlinks, clobbers anything.

Mark.Andrews@CMIS.CSIRO.AU
Sun, 12 Apr 1998 15:27:20 +1000

> [ Posted to BUGTRAQ and comp.protocols.dns.bind ]
> [ Standard apologies if this is already known - a search on the Bugtraq
> archive and Deja News comp.protocols.dns.bind doesn't indicate it.]

The standard place to report bugs in BIND is bind-bugs@vix.com.

The following addresses the issues below and a few others by
change 4.9.7 to do what 8.1.x does, i.e. use to directory
specified in named.{boot,conf} for temporaries and debug dumps.

Mark

*** named/ns_init.c.000 Mon Jun 2 06:34:35 1997
--- named/ns_init.c Sun Apr 12 13:12:05 1998
***************
*** 560,567 ****
* We will always transfer this zone again
* after a reload.
*/
! sprintf(buf, "%s/NsTmp%ld.%d", _PATH_TMPDIR,
! (long)getpid(), tmpnum++);
source = savestr(buf);
zp->z_flags |= Z_TMP_FILE;
} else
--- 560,567 ----
* We will always transfer this zone again
* after a reload.
*/
! sprintf(buf, "NsTmp%ld.%d", (long)getpid(),
! tmpnum++);
source = savestr(buf);
zp->z_flags |= Z_TMP_FILE;
} else
*** named/ns_main.c.000 Mon Jun 2 06:34:36 1997
--- named/ns_main.c Sun Apr 12 14:51:45 1998
***************
*** 1463,1469 ****
dprintf(1, (ddt, "sigprof()\n"));
if (fork() == 0)
{
- (void) chdir(_PATH_TMPDIR);
exit(1);
}
errno = save_errno;
--- 1463,1468 ----
*** named/pathnames.h.000 Thu Dec 15 17:24:22 1994
--- named/pathnames.h Sat Apr 11 10:57:45 1998
***************
*** 74,88 ****
#ifndef _PATH_XFER
# define _PATH_XFER "/usr/libexec/named-xfer"
#endif
! #define _PATH_DEBUG "/var/tmp/named.run"
! #define _PATH_DUMPFILE "/var/tmp/named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/var/run/named.pid"
#endif
! #define _PATH_STATS "/var/tmp/named.stats"
! #define _PATH_XFERTRACE "/var/tmp/xfer.trace"
! #define _PATH_XFERDDT "/var/tmp/xfer.ddt"
! #define _PATH_TMPXFER "/var/tmp/xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/var/tmp"

#else /* BSD */
--- 74,88 ----
#ifndef _PATH_XFER
# define _PATH_XFER "/usr/libexec/named-xfer"
#endif
! #define _PATH_DEBUG "named.run"
! #define _PATH_DUMPFILE "named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/var/run/named.pid"
#endif
! #define _PATH_STATS "named.stats"
! #define _PATH_XFERTRACE "xfer.trace"
! #define _PATH_XFERDDT "xfer.ddt"
! #define _PATH_TMPXFER "xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/var/tmp"

#else /* BSD */
***************
*** 92,106 ****
#ifndef _PATH_XFER
# define _PATH_XFER "/etc/named-xfer"
#endif
! #define _PATH_DEBUG "/usr/tmp/named.run"
! #define _PATH_DUMPFILE "/usr/tmp/named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/etc/named.pid"
#endif
! #define _PATH_STATS "/usr/tmp/named.stats"
! #define _PATH_XFERTRACE "/usr/tmp/xfer.trace"
! #define _PATH_XFERDDT "/usr/tmp/xfer.ddt"
! #define _PATH_TMPXFER "/usr/tmp/xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/usr/tmp"
#endif /* BSD */

--- 92,106 ----
#ifndef _PATH_XFER
# define _PATH_XFER "/etc/named-xfer"
#endif
! #define _PATH_DEBUG "named.run"
! #define _PATH_DUMPFILE "named_dump.db"
#ifndef _PATH_PIDFILE
# define _PATH_PIDFILE "/etc/named.pid"
#endif
! #define _PATH_STATS "named.stats"
! #define _PATH_XFERTRACE "xfer.trace"
! #define _PATH_XFERDDT "xfer.ddt"
! #define _PATH_TMPXFER "xfer.ddt.XXXXXX"
#define _PATH_TMPDIR "/usr/tmp"
#endif /* BSD */

>
> The new named(8) happily follows symlinks and clobbers any file on the
> system when it receives a SIGINT. (Used for debugging and statistics
> gathering) SIGINT dumps the named database to /var/tmp/named_dump.db
>
> It will also happily append data to any system file when it receives a
> SIGIOT. SIGIOT appends named statistics to /var/tmp/named.stats.
>
> This problem is probably recursive to previous versions of named but since
> I've already replaced mine I can't confirm that.
>
> On Wed, 8 Apr 1998, Aleph One wrote:
>
> [Snippage of the latest CERT]
>
> > (Note: the in.named(8) man page mentions that sending a SIGINT to the
> > in.named process will dump the current data base and cache to, by
> > default, /var/tmp/named_dump.db. Some sites may find this useful in
> > looking for self-referential CNAMEs. Please see the in.named(8) man
> > page for further details.)
>
>
> This caught my eye in that CERT advisory and after updating my BIND to the
> new 4.9.7 ( RedHat 4.2 Linux 2.0.30 i586 ) and reading through the
> named(8) man pages I ran a quick check.
>
> [root]# cp /etc/shadow /etc/junk.shadow
> [root]# ls -l /etc/junk.shadow
> -r-------- 1 root root 992 Apr 10 12:52 junk.shadow
>
> Now as a non-priv user..
>
> [Luser]# ln -s /etc/junk.shadow /var/tmp/named_dump.db
> [Luser]# ln -s /etc/junk.shadow /var/tmp/named.stats
> [Luser]# logout
>
> (Now if ever root sends a SIGINT or SIGIOT /etc/junk.shadow is toast...)
>
> [root]# kill -SIGIOT [named.pid]
>
> [root]# ls -al /etc/junk.shadow
> -r-------- 1 root root 2251 Apr 10 13:00 /etc/junk.shadow
>
> [root]# less /etc/junk.shadow
>
> someusrr:[removed of course]:10311:-1:-1:-1:-1:-1:-1
> nothrusr:[removed of course]:10316:-1:-1:-1:-1:-1:-1
> +++ Statistics Dump +++ (892238406) Fri Apr 10 13:00:06 1998
> 2368 time since boot (secs)
> 2368 time since reset (secs)
> 0 Unknown query types
> <SNIP>
>
> The statistics dump gets appended to any file on the system.
>
> Now for the real horror -
>
> [root]# kill -SIGINT [named.pid]
> [root]# ls -l /etc/junk.shadow
> -r-------- 1 root root 5249 Apr 10 13:02 /etc/junk.shadow
> [root]# less /etc/junk.shadow
>
> ; Dumped at Fri Apr 10 13:02:40 1998
> ;; ++zone table++
> <SNIP>
>
> No trace of the original remains. Your shadow password file or anything
> else on the system is fried.
>
> Enjoy.
>
>
> --
> Joe H. Technical Support
> General Support: support@blarg.net Blarg! Online Services, Inc.
> Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net
>

--
Mark Andrews, CSIRO Mathematical and Information Sciences
Locked Bag 17, North Ryde, NSW 2113, Australia.
PHONE: +61 2 9325 3148                 INTERNET: Mark.Andrews@cmis.csiro.au
MOBIL: +61 41 442 9884           UUCP:....!uunet!cmis.csiro.au!mark.andrews