2.8 Set Other Permissions Read-Only for All BIND Directories and Files - files

Information

All directories and files in the BIND home and runtime directories should have their other permissions set so that they are not writable. Configuration files should, of course, not be writable by named, and any runtime files created by BIND will be owned by named and writable by that user. A chroot'ed tmp directory only needs to be writable by the named group. Therefore, no exceptions are required.

Rationale:

Restricting permissions on the files provides defense in depth and reduces the probability of unauthorized modifications to important files. If there were a BIND vulnerability that allowed code execution as the named user, the code would not be able to modify the configuration files.

Solution

Perform the following:

Capture the output from the audit commands above into a file named $TMPDIR/write-files.txt.

Review the purpose for the identified files and either delete them if the file is not needed, or change the permissions of the file to not be writable by group or other.

The following commands can be used to change the permissions of the appropriate files.

# find $BIND_HOME $RUNDIR -type f -perm /022 > $TMPDIR/write-files.txt
# xargs -a $TMPDIR/write-files.txt chmod go-w
# rm $TMPDIR/write-files.txt
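The following is an added, self-contained shell example (not part of the benchmark text) that wraps the same find/chmod logic above in functions so the audit and the remediation can be run and re-checked. It builds a constructed sandbox tree under mktemp in place of a real BIND_HOME and RUNDIR, so it runs without a BIND installation; the directory layout and file names in the sandbox are assumptions made for the demonstration, not the benchmark's paths.

```shell
#!/usr/bin/env bash
# Added example: audit and fix group/other-writable regular files under the
# BIND home and runtime directories. BIND_HOME and RUNDIR below point at a
# constructed sandbox, not a real BIND install.

set -u

# List regular files under the given directories that have the group-write
# or other-write bit set. "-perm /022" matches files where EITHER bit is set,
# which is exactly the set the benchmark's find command collects.
find_writable_files() {
  find "$@" -type f -perm /022 -print 2>/dev/null
}

# Number of group/other-writable regular files under the given directories.
count_writable_files() {
  find_writable_files "$@" | wc -l | tr -d ' '
}

# Strip the group and other write bits from every file the audit reports.
# "-exec ... {} +" batches paths like xargs but is safe for names containing
# spaces and does nothing when no file matches.
remediate_writable_files() {
  find "$@" -type f -perm /022 -exec chmod go-w {} + 2>/dev/null
}

# Build a constructed tree resembling a BIND install, with two files that
# violate the recommendation and one that already complies. Prints the root.
make_sandbox() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/etc/named" "$root/var/named/data"
  printf 'options { directory "/var/named"; };\n' > "$root/etc/named/named.conf"
  printf '; constructed zone file\n' > "$root/var/named/example.zone"
  : > "$root/var/named/data/named.run"
  chmod 0644 "$root/etc/named/named.conf"        # compliant: not group/other writable
  chmod 0664 "$root/var/named/example.zone"      # group-writable: should be flagged
  chmod 0666 "$root/var/named/data/named.run"    # world-writable: should be flagged
  printf '%s\n' "$root"
}

main() {
  local root before after
  root=$(make_sandbox)
  BIND_HOME="$root/etc/named"   # assumed location for the demo
  RUNDIR="$root/var/named"      # assumed location for the demo

  before=$(count_writable_files "$BIND_HOME" "$RUNDIR")
  echo "Group/other-writable files before remediation: $before"
  find_writable_files "$BIND_HOME" "$RUNDIR"

  remediate_writable_files "$BIND_HOME" "$RUNDIR"

  after=$(count_writable_files "$BIND_HOME" "$RUNDIR")
  echo "Group/other-writable files after remediation: $after"

  rm -rf "$root"
}

main "$@"
```

Run the script as-is to see the two flagged sandbox files and the zero count after remediation; on a real host, set BIND_HOME and RUNDIR to the actual directories and call find_writable_files first, reviewing the list as step 2 of the procedure requires before running remediate_writable_files.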

Default Value:

The default rpm install has all BIND directories and files without group or other write access.

See Also

https://workbench.cisecurity.org/files/2997