Accepting request 819259 from home:jmoellers:branches:network

OBS-URL: https://build.opensuse.org/request/show/819259
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=289

bind-chrootenv.conf

@@ -1,6 +1,6 @@
 # See tmpfiles.d(5) for details
 #Type Path        Mode UID  GID  Age Argument
-d /var/lib/named 755 named named - -
+d /var/lib/named 1775 root named - -
 d /var/lib/named/dev 755 root root - -
 c /var/lib/named/dev/null 666 root root - 1:3
 c /var/lib/named/dev/random 666 root root - 1:8

bind.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Jun 30 08:32:21 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
+  so that named, being a/the only member of the "named" group
+  has full r/w access yet cannot change directories owned by root
+  in the case of a compromized named.
+  [bsc#1173307, bind-chrootenv.conf]
+
 -------------------------------------------------------------------
 Thu Jun 18 06:35:35 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
 

bind.conf

@@ -1,6 +1,6 @@
 # See tmpfiles.d(5) for details
 #Type Path        Mode UID  GID  Age Argument
-d /var/lib/named 755 named named - -
+d /var/lib/named 1775 root named - -
 d /var/lib/named/dyn 755 named named - -
 d /var/lib/named/master 755 named named - -
 d /var/lib/named/slave 755 named named - -

bind.spec

@@ -561,7 +561,7 @@ fi
 %if %{with_systemd}
 %{_prefix}/lib/tmpfiles.d/bind-chrootenv.conf
 %endif
-%attr(-,named,named) %dir %{_var}/lib/named
+%attr(1775,root,named) %dir %{_var}/lib/named
 %dir %{_var}/lib/named%{_sysconfdir}
 %dir %{_var}/lib/named%{_sysconfdir}/named.d
 %dir %{_var}/lib/named/dev