Package: nsd3
Version: 3.2.3-1
Severity: normal
Tags: patch
Current /etc/init.d/nsd3 contains the following code which gets executed
_every_ time the script is run, even before checking the cli arguments:
--- cut ---
mkdir -p /var/run/nsd3 && chown -R "$nsd_user" /var/run/nsd3
--- cut ---
This is dangerous from the security point of view.
I already reported similar issue in nsd package, with uncertain effect.
So let me describe the background again.
Network daemons usually are run under special unprivileged user account.
This is done in order to minimize possible harm that can be done if the
daemon gets compromised: basically, when daemon is running with only
limited set of privileges it may not do as much bad as if it were
running as root. This is a commonly recognized principle.
In a similar way, special care should be taken when dealing with
directories writable by network daemons, treating them as untrusted data
the same way as we don't trust daemon itself. Because if the daemon is
compromised, an attacker is able to manipulate these files, including
creating various tricks to gain more privileges.
Here, we are unconditionally and recursively chown'ing whole directory
owned by the network-facing daemon, while running as root. That
directory may contain, for example, links (created by an attacker who
successfully exploited a bug in nsd) to other files which will be owned
by nsd user after we executed chown.
Just to show an example - it's obviously not as simple as that because
/var/run and / are usually on different filesystems: I, as a "bad
guy", can do
ln /etc/passwd /var/run/nsd/passwd
and wait till admin executes /etc/init.d/nsd3. After which the system
is mine.