Michael Tokarev
2009-Jan-31 16:53 UTC
[Secure-testing-team] Bug#513717: startup script chowns files writable by nsd thus making nsd user==root
Package: nsd
Version: 2.3.7-1.1
Severity: security

In the /etc/init.d/nsd script there's a construct (repeated twice):

  [ -n "${nsd_user}" ] && chown "${nsd_user}:" "${dbfile}"

where dbfile defaults to /var/lib/nsd/nsd.db, or in chroot, and the parent directory of it (/var/lib/nsd) is owned by $nsd_user (default nsd).

The whole chroot idea is to protect the system from someone who managed to get a way to break into the system utilizing a bug in - in this case - nsd daemon. Assuming that in the worst case, an attacker can execute arbitrary code on the system as a user running nsd.

Now suppose the attacker changes /var/lib/nsd/nsd.db to be a symlink to /etc/password. And after the next restart or reload of nsd, that file's owner will be happily changed to nsd. With all the bad stuff that follows.

I can only guess where this chown comes from, in the first place. But I *think* that the proper solution will be to always run `nsdc rebuild' as that user instead of root. Note that running it as root so that the result is written into nsd-owned directory does no good too.

This is, as far as I can see, a Debian-specific security bug.

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.28-i686smp (SMP w/2 CPU cores)
Shell: /bin/sh linked to /bin/bash

Versions of packages nsd depends on:
ii  adduser       3.110       add and remove users and groups
ii  libc6         2.7-18      GNU C Library: Shared libraries
ii  libssl0.9.8   0.9.8g-14   SSL shared libraries
ii  libwrap0      7.6.q-16    Wietse Venema's TCP wrappers libra

nsd recommends no packages.

nsd suggests no packages.

-- no debconf information
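The following is an added example, not part of the original report and not code from the nsd package: a pre-flight check that a root-run script could apply to a path before calling chown on it, covering the condition the report describes (the target's parent directory is owned by the unprivileged user). The function name check_chown_target and its arguments are hypothetical, and it assumes a stat(1) that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: audit a path that a root-run init script is about to chown.
# check_chown_target is a hypothetical helper, not part of nsd or Debian.
#
# Usage: check_chown_target PATH TRUSTED_UID
# Prints one line per problem found; returns 0 if none, 1 otherwise.
check_chown_target() {
    target=$1
    trusted_uid=$2
    problems=0
    parent=$(dirname -- "$target")

    # chown(1) follows symlinks by default, so a link sitting where the
    # file should be redirects the ownership change to the link's target.
    if [ -L "$target" ]; then
        echo "symlink: $target"
        problems=1
    # A regular file with more than one hard link is the same inode under
    # another name; chown -h does not protect against that.
    elif [ -f "$target" ] && [ "$(stat -c %h -- "$target")" -gt 1 ]; then
        echo "hardlinked: $target"
        problems=1
    fi

    # Whoever owns the parent directory can replace the entry between any
    # check and the chown itself, so the checks above only mean something
    # when the parent belongs to the trusted uid (0 for a root-run script).
    if [ "$(stat -c %u -- "$parent")" != "$trusted_uid" ]; then
        echo "untrusted-parent: $parent"
        problems=1
    fi

    return "$problems"
}
```

With the layout described in the report, `check_chown_target /var/lib/nsd/nsd.db 0` reports an untrusted parent because /var/lib/nsd is owned by nsd, which is why checking the file alone cannot make the root-run chown safe.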