
This queue is for tickets about the Net-DNS CPAN distribution.

Report information
The Basics
Id: 67602
Status: resolved
Priority: 0/
Queue: Net-DNS

People
Owner: Nobody in particular
Requestors: mmaslano [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: 0.71
Fixed in: (no value)

Subject: system configuration is used instead of user defined
If I define my own configuration file, system files are used, which could be a security issue.

Example: My configuration file is defined as:

    my $res = Net::DNS::Resolver->new(config_file => '/my/dns.conf');

These files are read even if I defined my own file:

    /etc/resolv.conf
    $HOME/.resolv.conf
    ./.resolv.conf

The last 2 files shouldn't be read by default since it's a possible security issue - a user can drop a .resolv.conf pointing to a malicious DNS server.

This issue was found during testing spamassassin with selinux. For details see: https://bugzilla.redhat.com/show_bug.cgi?id=628866#c2
Hi Marcela,

A solution (which would not break current behaviour) would be to initialize the default values on the first instantiation of a Net::DNS::Resolver instead of at module load time, which it does now. The initialization from system files should then be postponed when Net::DNS::Resolver->new is called with a config_file argument.

I will try to schedule this fix for the 0.68 release.

Thanks for reporting the issue,
-- Willem
From: Mark.Martinec [...] ijs.si
I think the level of this PR should be elevated to 'security'. There should be an easy and well documented way to disable Net::DNS from looking in a current working directory and a user's home directory. Better yet, these two should be disabled by default - only a platform-specific config file should be consulted by default, the same as the system's resolver(3) library routines (or equivalent) do. I wonder how many perl applications do a cwd to some world-writable (or application-writable) temporary directory and invoke a Net::DNS::Resolver from there, unaware of the danger lurking there.
On Thu 08 Nov 2012 13:25:25, Mark.Martinec@ijs.si wrote:
> I wonder how many perl applications do a cwd to some
> world-writable (or application-writable) temporary directory
> and invoke a Net::DNS::Resolver from there, unaware of
> the danger lurking there.
Well... have you noticed that they will only be read when they are owned by the real user id of the running process? I quote from the Net::DNS::Resolver documentation:

    Files except for /etc/resolv.conf must be owned by the effective userid running the program or they won't be read. In addition, several environment variables can also contain configuration information; see /ENVIRONMENT.
From: rwfranks [...] acm.org
On Wed Apr 20 03:33:38 2011, mmaslano@redhat.com wrote:
[snip]
> my $res = Net::DNS::Resolver->new(config_file => '/my/dns.conf');
>
> These files are read even if I defined my own file:
> /etc/resolv.conf
> $HOME/.resolv.conf
> ./.resolv.conf
From 0.76, configuration files will no longer be read at module load time. If a config file is specified, no other files will be read.
Fixed in 0.76
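A defensive way to use the fix described in this ticket, as an added example that is not code from the ticket or from the Net-DNS distribution: give the resolver an explicit config_file and then verify that the nameservers it actually loaded match an allowlist, so that a stray $HOME/.resolv.conf or ./.resolv.conf (or a resolver older than 0.76 that still merges them) cannot redirect queries unnoticed. The configuration file content, the allowlist addresses (RFC 5737 documentation range) and the version threshold of 0.76 from this ticket are the example's own assumptions; constructing a resolver sends no DNS traffic, so this runs offline.

```perl
#!/usr/bin/perl
# Added example, not part of the Net-DNS distribution or this ticket.
# Creates a Net::DNS::Resolver from an explicit config file and checks
# that the resulting nameserver list contains only allowlisted addresses.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Net::DNS;

# Constructed configuration file (documentation-range addresses).
my ($fh, $config_path) = tempfile(SUFFIX => '.conf', UNLINK => 1);
print $fh "nameserver 192.0.2.53\n",
          "nameserver 192.0.2.54\n",
          "search example.test\n";
close $fh;

# Allowlist of resolver addresses this application is permitted to use
# (placeholder values chosen for the example).
my %allowed = map { $_ => 1 } qw(192.0.2.53 192.0.2.54);

# Per the ticket, releases before 0.76 read /etc/resolv.conf,
# $HOME/.resolv.conf and ./.resolv.conf at module load time even when
# config_file is supplied; flag that so the check below is understood.
warn "Net::DNS $Net::DNS::VERSION predates 0.76; home/cwd .resolv.conf may still be merged\n"
    if $Net::DNS::VERSION < 0.76;

my $res = Net::DNS::Resolver->new(config_file => $config_path);

# Compare what the resolver actually ended up with against the allowlist.
my @unexpected = grep { !$allowed{$_} } $res->nameservers;
die "Refusing to use unexpected nameservers: @unexpected\n" if @unexpected;

print "Resolver nameservers: ", join(', ', $res->nameservers), "\n";
print "Search list: ", join(', ', $res->searchlist), "\n";
```

The check is on the resolver object rather than on the files, so it also catches configuration injected through the RES_* environment variables the documentation quoted above mentions; run it once at startup, before the first query, and treat a mismatch as a hard failure rather than a warning.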