Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 430316 - Feature request: Add a check for sane folder/file permission in net-dns/bind
Summary: Feature request: Add a check for sane folder/file permission in net-dns/bind
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: Normal enhancement (vote)
Assignee: Christian Ruppert (idl0r)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-07 12:16 UTC by Niklas Johansson
Modified: 2012-08-07 16:19 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Niklas Johansson 2012-08-07 12:16:16 UTC
I have had some problems with permissions when using net-dns/bind. Especially when it comes to the pid-file. When looking online it seems I am not alone.

In /etc/init.d/named there is a couple of checks (e.g, named-checkconf, checkpath). If possible and if time is available, I would like to request a new feature, "a check for sane permissions on folders and files" when starting named.

Examples of folders are:
${CHROOT}/var/bind
${CHROOT}/etc/bind
${CHROOT}/var/run/named

Best wishes
Niklas
Comment 1 Niklas Johansson 2012-08-07 16:19:51 UTC
I am really bad in bash and ebuild scripts but I tried to do an implementation. It is probably horrible but at least I tried.

permission_user_match() {
    file_id=$(stat --format="%u" $2)
    user_id=$(id -u $1)
    if [ "$user_id" != "$file_id" ]; then
	eerror "$1 has the wrong user permission"
    fi
}

permission_group_match() {
    file_gid=$(stat --format="%g" $2)
    user_gid=$(id -g $1)
    if [ "$user_gid" != "$file_gid" ]; then
	eerror "$1 has the wrong group permission"
    fi
}

user_may_write() {
    access=$(stat --format="%A" $2)
    if [ "${access:2:1}" != "w" ]; then
	eerror "$1 may not write to $2"
    fi
}

group_may_write() {
    access=$(stat --format="%A" $2)
    if [ "${access:5:1}" != "w" ]; then
	eerror "$1 may not write to $2"
    fi
}

checkpermissions() {
        ebegin "Checking named permissions"

	permission_group_match named ${CHROOT}/var/bind
	permission_group_match named ${CHROOT}/etc/bind      
	permission_group_match named ${CHROOT}/var/run/named

	group_may_write named ${CHROOT}/var/bind
	group_may_write named ${CHROOT}/etc/bind      
	group_may_write named ${CHROOT}/var/run/named

        eend 0
        return 0
}