Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1917061 - bind logratore.d config is owned by root:named
Summary: bind logratore.d config is owned by root:named
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: 34
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-01-16 23:12 UTC by Mikhail Novosyolov
Modified: 2021-03-19 19:53 UTC (History)
10 users (show)

Fixed In Version: bind-9.16.11-5.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-19 17:35:28 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Mikhail Novosyolov 2021-01-16 23:12:24 UTC 
In bind.spec:

%defattr(0640,root,named,0750)
<...>
%config(noreplace) %{_sysconfdir}/logrotate.d/named

There is no need to own this config by named group. It must be owned by root:root.
Comment 1 Ben Cotton 2021-02-09 15:40:50 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.
Comment 2 Petr Menšík 2021-02-26 18:31:40 UTC 
Does it cause any harm to be readable by named group? There is no secret in that file, it might change also group to root and mode to 644. It is the only logrotate on my machine not readable by world. I think there might be some historical reason for it, but it seems safe to be readable just by everyone, including named.

It is important to be writeable just by root, which it is already.
Comment 3 Mikhail Novosyolov 2021-02-26 18:39:38 UTC 
(In reply to Petr Menšík from comment #2)
> Does it cause any harm to be readable by named group? There is no secret in
> that file, it might change also group to root and mode to 644. It is the
> only logrotate on my machine not readable by world. I think there might be
> some historical reason for it, but it seems safe to be readable just by
> everyone, including named.
> 
> It is important to be writeable just by root, which it is already.

application by itself must not be able to change any configs for security reasons, so, to my mind, it is a very good idea to avoid unneeded writability
Comment 4 Mikhail Novosyolov 2021-02-26 18:42:34 UTC 
Hm, 0640 (-rw-r-----) does not give write access to the named group. Then it is not so bad.

> but it seems safe to be readable just by everyone, including named.
+1
Comment 5 Fedora Update System 2021-03-01 20:34:09 UTC 
FEDORA-2021-8b4744f152 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-8b4744f152
Comment 6 Fedora Update System 2021-03-01 20:34:10 UTC 
FEDORA-2021-8b4744f152 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-8b4744f152
Comment 7 Fedora Update System 2021-03-02 04:30:57 UTC 
FEDORA-2021-8b4744f152 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-8b4744f152`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-8b4744f152

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 8 Fedora Update System 2021-03-19 17:35:28 UTC 
FEDORA-2021-8b4744f152 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 9 Fedora Update System 2021-03-19 19:53:28 UTC 
FEDORA-2021-8b4744f152 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.