Bug#: 220167
Status: RESOLVED
Resolution: FIXED
Assigned To: Konstantin Arkhipov <voxus@gentoo.org>
Reporter: Graham Murray <graham@gmurray.org.uk>

Filename Description Type Creator Created Size Actions
kconf Kernel Configuration text/plain Graham Murray 2008-05-04 10:33 0000 53.44 KB Details


Description:   Opened: 2008-05-03 21:33 0000
After upgrading from net-dns-bind-9.4.1_p1, named failed to start with the
error message "Starting named: named: capset failed: Operation not permitted:
please ensure that the capset kernel module is loaded. see insmod(8)". Version
9.4.1_p1 worked fine with the same USE flags. There is a warning about threads
and a vserver environment, so even though I am not using a vserver environment
I disabled the threads USE flag and then named started correctly.

[ebuild   R   ] net-dns/bind-9.4.2  USE="berkdb doc idn ipv6 ldap odbc postgres
resolvconf ssl -dlz -mysql (-selinux) -threads -urandom" 0 kB

emerge --info
Portage 2.1.5_rc6 (default/linux/x86/2008.0/desktop, gcc-4.2.3, glibc-2.7-r2,
2.6.25-gentoo-r2 i686)
=================================================================
System uname: 2.6.25-gentoo-r2 i686 Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz
Timestamp of tree: Sat, 03 May 2008 19:15:02 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r11, 2.5.2-r2
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.2.3
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.62
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.25-r1
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=native -mtune=native -pipe -ggdb"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/config /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf
/etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo
/etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=native -mtune=native -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildsyspkg distlocks installsources parallel-fetch sandbox sfperms
splitdebug strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/
http://gentoo.blueyonder.co.uk http://gentoo.tiscali.nl/
http://gentoo.mirror.solnet.ch http://pandemonium.tiscali.de/pub/gentoo/"
LANG="en_GB.UTF-8"
LC_ALL="en_GB.UTF-8"
LDFLAGS=""
LINGUAS="en_GB en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/musicbrainz
/usr/portage/local/layman/sunrise /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac aalib acl acpi aim alsa apache2 arts audiofile avi
bash-completion berkdb bluetooth bonobo branding browserplugin bzip2 bzlib
cairo caps cddb cdparanoia cdr cjk cli cracklib crypt cups curl cvs dbus
directfb doc dri dts dvd dvdr dvdread eds emacs emboss encode esd ethereal evo
examples exif expat fam fbcon ffmpeg fftw firefox flac foomaticdb fortran ftp
gcj gd gdbm gif glut gmp gnome gnome-keyring gnutls gphoto2 gpm graphviz
gstreamer gtk gtk2 gtkhtml guile hal iconv icq idn ieee1394 imagemagick imlib
ipv6 isdnlog jabber jack java javascript jbig jce jpeg jpeg2k junit kde
kdehiddenvisibility kerberos ladspa latex lcms ldap leim libgda libnotify
libsamplerate libwww lirc lm_sensors logrotate lua m17n-lib mad matroska mbox
midi mikmod milter mime mmap mmx mng modplug mono mp3 mpeg mpi mplayer msn
mudflap musepack ncurses nls nptl nptlonly nsplugin odbc offensive ogg
oggvorbis openal opengl openmp oscar oss pam pcntl pcre pdf perl png postgres
ppds pppd profile pulseaudio python qt3 qt3support qt4 quicktime readline
recode reflection ruby sasl sdl seamonkey session sharedmem sndfile snmp
sockets sox speex spell spl sqlite3 sse sse2 ssl startup-notification
subversion svg sysvipc tcl tcltk tcpd tetex theora threads tiff tk truetype
uicktime unicode usb v4l v4l2 vim-syntax vorbis win32codecs wmf wxwindows x264
x86 xattr xcb xface xine xml xml2 xorg xulrunner xv xvid yahoo zlib"
ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare
dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw
multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias
auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file
authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user
autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires
ext_filter file_cache filter headers ident imagemap include info log_config
logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer
proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir
usertrack vhost_alias" APACHE2_MPMS="worker" CAMERAS="canon ptp2" ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz
cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_GB en"
LIRC_DEVICES="asusdh" USERLAND="GNU" VIDEO_CARDS="radeon vesa fbdev vga"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #1 From Tobias Scherbaum 2008-05-04 08:39:50 0000 -------
(In reply to comment #0)
> After upgrading from net-dns-bind-9.4.1_p1, named failed to start with the
> error message "Starting named: named: capset failed: Operation not permitted:
> please ensure that the capset kernel module is loaded. see insmod(8)". Version
> 9.4.1_p1 worked fine with the same USE flags. There is a warning about threads
> and a vserver environment, so even though I am not using a vserver environment
> I disabled the threads USE flag and then named started correctly.

Do you have the capability module available (or built directly into your kernel)?

------- Comment #2 From Dennis Freise 2008-05-04 08:54:45 0000 -------
Same here - SECURITY_CAPABILITIES is set to "=y" in .config (by GRSEC), kernel
= hardened-sources-2.6.24-r1

------- Comment #3 From Graham Murray 2008-05-04 10:33:41 0000 -------
Created an attachment (id=151787) [details]
Kernel Configuration

I think that I have enabled all of the capability options. grepping the kernel
source I cannot see any indication of a module called 'capset'

------- Comment #4 From Kremenev Maxim 2008-05-06 14:04:45 0000 -------
emerge -1 sys-libs/libcap

------- Comment #5 From Kremenev Maxim 2008-05-06 14:52:45 0000 -------
Sorry, I was not right. USE="-threads" emerge -av net-dns/bind && emerge -1
sys-libs/libcap

------- Comment #6 From Andreas Arens 2008-05-16 12:14:21 0000 -------
You might be interested in this thread of the linux kernel mailing list:

http://www.gossamer-threads.com/lists/linux/kernel/875073

As it seems, libcap needs an update.

------- Comment #7 From Graham Murray 2008-05-17 06:30:52 0000 -------
(In reply to comment #6)
> You might be interested in this thread of the linux kernel mailing list:
> 
> http://www.gossamer-threads.com/lists/linux/kernel/875073
> 
> As it seems libcap needs an update..
> 

This indicates an upgrade to libcap-2.05 but it is failing for me using
libcap-2.08-r1

------- Comment #8 From Alexey Shevchuck 2008-06-02 08:37:20 0000 -------
(In reply to comment #6)
> You might be interested in this thread of the linux kernel mailing list:
> 
> http://www.gossamer-threads.com/lists/linux/kernel/875073
> 
> As it seems libcap needs an update..
> 

ldd `which named` | grep cap

------- Comment #9 From Alex Melnikov 2008-06-03 08:25:38 0000 -------
The problem arose after the upgrade to linux-headers-2.6.25. Bind and squid
stopped working. If I compile bind with linux-headers-2.6.24, everything works.
By analogy with how this issue was solved for squid, I made a little patch that
solves this problem with bind-9.4.2. It compiles and works fine with
USE="threads" and linux-headers-2.6.25-r3.

diff -Nuar bind-9.4.2.orig/bin/named/unix/os.c bind-9.4.2/bin/named/unix/os.c
--- bind-9.4.2.orig/bin/named/unix/os.c 2006-02-04 01:51:38.000000000 +0200
+++ bind-9.4.2/bin/named/unix/os.c      2008-06-03 10:21:56.000000000 +0300
@@ -159,7 +159,11 @@
                return;

        memset(&caphead, 0, sizeof(caphead));
+#ifdef  _LINUX_CAPABILITY_VERSION_1
+       caphead.version = _LINUX_CAPABILITY_VERSION_1;
+#else
        caphead.version = _LINUX_CAPABILITY_VERSION;
+#endif
        caphead.pid = 0;
        memset(&cap, 0, sizeof(cap));
        cap.effective = caps;
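Review bot: pinning caphead.version to _LINUX_CAPABILITY_VERSION_1 keeps the header consistent with the single `cap` element that follows it, but it opts named into the legacy 32-bit capability ABI on every kernel that offers a newer one, and such kernels log a warning for each process that does this rather than accepting it silently. The sturdier form picks the newest version the headers expose (_LINUX_CAPABILITY_VERSION_3, then _2, then _1) and sizes the data handed to capset to match it (an array of _LINUX_CAPABILITY_U32S_n elements, all zeroed, with `cap[0].effective = caps`), or goes through libcap's cap_set_proc() and lets the library negotiate the ABI. Note also that the #else branch still falls back on _LINUX_CAPABILITY_VERSION, which the 2.6.25 headers redefined to the v2 value; that redefinition is exactly what broke the unpatched code, so the fallback is only safe on the older headers where the #ifdef branch is not taken anyway.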

------- Comment #10 From Conrad Kostecki 2008-06-21 10:03:28 0000 -------
(In reply to comment #9)

Thank you! This works fine here :)
Now I can compile with threads!

------- Comment #11 From Conrad Kostecki 2008-07-08 20:24:10 0000 -------
I would have a proposal maybe ;)
What about using _LINUX_CAPABILITY_VERSION_3 and libcap 2.10? This also works,
but fixes the nasty warning:
warning: `named' uses 32-bit capabilities (legacy support in use)

The only thing is that we need >=sys-libs/libcap-2.10 for it...

------- Comment #12 From Alexander Huemer 2008-08-01 15:22:46 0000 -------
Conrad Kostecki is right.
I modified the ebuild and the patch; compilation was smooth.
named started, no warning messages in dmesg, normal operation for some hours.

# diff -Nuar /usr/portage/net-dns/bind/bind-9.5.0_p1-r2.ebuild
/usr/portage/local/blackbit/net-dns/bind/bind-9.5.0_p1-r2.ebuild
--- /usr/portage/net-dns/bind/bind-9.5.0_p1-r2.ebuild   2008-07-27
10:56:35.000000000 +0200
+++ /usr/portage/local/blackbit/net-dns/bind/bind-9.5.0_p1-r2.ebuild   
2008-08-01 17:16:09.809471034 +0200
@@ -26,7 +26,8 @@

 RDEPEND="${DEPEND}
        selinux? ( sec-policy/selinux-bind )
-       resolvconf? ( || ( net-dns/openresolv net-dns/resolvconf-gentoo ) )"
+       resolvconf? ( || ( net-dns/openresolv net-dns/resolvconf-gentoo ) )
+       threads? ( >=sys-libs/libcap-2.1.0 )"

 S="${WORKDIR}/${PN}-${MY_PV}"

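Review bot: the new atom `>=sys-libs/libcap-2.1.0` does not name the version the comments ask for; libcap has no 2.1.0 release, and it only matches 2.10 and later because Portage happens to compare the second component numerically (10 > 1) while treating 2.05 through 2.09 as strings that sort below "1". Write the intended `>=sys-libs/libcap-2.10` instead of relying on that comparison. Separately, the dependency is appended only to RDEPEND (after the `${DEPEND}` expansion), so nothing guarantees libcap is installed at build time; if the intent is that configure detects libcap and named links against it, the atom belongs in DEPEND as well.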
@@ -57,6 +58,8 @@
                        "${i}"
        done

+       use threads && epatch "${FILESDIR}"/${PN}-9.5.0-libcap.patch
+
        use dlz && epatch "${FILESDIR}"/${PN}-9.4.0-dlzbdb-close_cursor.patch

        # bind fails to reconnect to MySQL5 databases, bug #180720, patch by
Nicolas Brousse
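Review bot: the `use threads && epatch` line applies a change that, in the patch file shown below, sits under `#ifndef HAVE_LIBCAP`, while the same ebuild now makes threads pull in libcap; on any build where configure finds libcap the patched lines are compiled out and the guard on threads buys nothing, and on a build without libcap the raw-syscall path is patched only when threads is set even though the capset failure in this bug does not depend on threads. Either make the libcap dependency a build-time one so the HAVE_LIBCAP path is always taken, or apply the os.c fix unconditionally. A comment naming this bug number next to the epatch line, as the dlz and MySQL patches below have, would also help the next person who touches it.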
#

# cat /usr/portage/local/blackbit/net-dns/bind/files/bind-9.5.0-libcap.patch
--- bin/named/unix/os.c 2008-08-01 15:20:07.401472392 +0200
+++ bin/named/unix/os.c 2008-08-01 15:24:13.941474019 +0200
@@ -170,7 +170,11 @@
                return;
 #ifndef HAVE_LIBCAP
        memset(&caphead, 0, sizeof(caphead));
+#ifdef _LINUX_CAPABILITY_VERSION_3
+       caphead.version = _LINUX_CAPABILITY_VERSION_3;
+#else
        caphead.version = _LINUX_CAPABILITY_VERSION;
+#endif
        caphead.pid = 0;
        memset(&cap, 0, sizeof(cap));
        cap.effective = caps;
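Review bot: switching the header to _LINUX_CAPABILITY_VERSION_3 changes how much data the kernel reads on capset, but the data is still the single `cap` zeroed by `memset(&cap, 0, sizeof(cap))`; the v2/v3 ABI carries two __user_cap_data_struct elements (_LINUX_CAPABILITY_U32S_3 is 2), so the kernel copies one element beyond `cap` and whatever follows it on the stack becomes the effective, permitted and inheritable bits for capabilities 32 and above. Declare `struct __user_cap_data_struct cap[_LINUX_CAPABILITY_U32S_3]`, zero the whole array and set `cap[0].effective = caps`, or size the array from the version actually chosen. The whole block is also under `#ifndef HAVE_LIBCAP`, so once named is built against the libcap this ebuild now requires, these lines are never compiled; the fix that then matters is the libcap code path, not this one.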
#

------- Comment #13 From Alexander Huemer 2008-08-03 13:11:36 0000 -------
bind-9.5.0_p2 does not seem to correct this problem.
I was able to build and start 9.5.0_p2 with an unmodified ebuild or by adding
the patch. Some time later I got in the log:
[kernel] warning: `named' uses deprecated v2 capabilities in a way that may be
insecure.
Since it was linked to libcap (there is no dependency for it in the ebuild!) I
could no longer start bind after unmerging libcap. Was 9.5.0_p1 linked to
libcap too? I guess so, but I cannot check easily because the ebuild was removed
from the tree.
Building 9.5.0_p2 without libcap is possible, but it does not start, with the
well-known
"Starting named: named: capset failed: Operation not permitted: please ensure
that the capset kernel module is loaded. see insmod(8)"
The ebuild modification and dependency on libcap >=2.10 seem to work best:
normal operation and no warnings. The file to which the patch is applied was
not changed, so the patch can be used unchanged.
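Added example, not code from this bug, the ebuild, or ISC's sources. What the patches in comments #9 and #12 are really negotiating is the capability ABI version in the capset(2) header and, with it, how many __user_cap_data_struct elements the kernel copies: one for v1, two for v2/v3. named's os.c passes one element, which is why a header pinned to v1 "works" (with a legacy warning) and why a header set to v3 needs the data array enlarged. The program below asks the running kernel which ABI it prefers instead of trusting the build host's headers, sizes the data to match, and does a capget/capset round-trip that is valid for any caller, privileged or not. It assumes Linux with the UAPI <linux/capability.h>; all function names are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* for syscall() in <unistd.h> */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Newer UAPI headers define this; fall back for old ones. v2/v3 capability
 * sets are 64 bits wide and travel as two 32-bit __user_cap_data_struct
 * elements, which is the size named's single-element `cap' missed. */
#ifndef _LINUX_CAPABILITY_U32S_3
#define _LINUX_CAPABILITY_U32S_3 2
#endif
#define CAP_DATA_MAX _LINUX_CAPABILITY_U32S_3

/* How many __user_cap_data_struct elements the kernel reads/writes for a
 * header version; 0 for a version we do not know. */
int cap_data_elems(unsigned int version)
{
    switch (version) {
    case _LINUX_CAPABILITY_VERSION_1:
        return _LINUX_CAPABILITY_U32S_1;      /* 1 */
#ifdef _LINUX_CAPABILITY_VERSION_2
    case _LINUX_CAPABILITY_VERSION_2:
        return _LINUX_CAPABILITY_U32S_2;      /* 2 */
#endif
#ifdef _LINUX_CAPABILITY_VERSION_3
    case _LINUX_CAPABILITY_VERSION_3:
        return _LINUX_CAPABILITY_U32S_3;      /* 2 */
#endif
    default:
        return 0;
    }
}

/* Ask the running kernel which ABI it wants: capget(2) with an unknown
 * version (0) writes the kernel's preferred version into hdr.version.
 * The return value does not matter here, only the rewritten header. */
unsigned int probe_kernel_cap_version(void)
{
    struct __user_cap_header_struct hdr;
    memset(&hdr, 0, sizeof(hdr));
    hdr.version = 0;
    hdr.pid = 0;                              /* 0 = calling thread */
    (void)syscall(SYS_capget, &hdr, (void *)0);
    return hdr.version;
}

/* Read the caller's own sets using the kernel's preferred ABI into a
 * buffer big enough for any ABI. Returns the version used, or 0 with
 * errno set, so the caller sizes its capset data the same way. */
unsigned int cap_get_self(struct __user_cap_data_struct data[CAP_DATA_MAX])
{
    struct __user_cap_header_struct hdr;
    memset(&hdr, 0, sizeof(hdr));
    hdr.version = probe_kernel_cap_version();
    hdr.pid = 0;
    memset(data, 0, sizeof(struct __user_cap_data_struct) * CAP_DATA_MAX);
    if (cap_data_elems(hdr.version) == 0) {
        errno = EINVAL;
        return 0;
    }
    if (syscall(SYS_capget, &hdr, data) != 0)
        return 0;
    return hdr.version;
}

/* The shape named's capset call needs: header version and data length
 * agree and the array is fully zeroed. Writing back exactly what capget
 * returned is always permitted, so this succeeds unprivileged too.
 * Returns 0 on success, otherwise errno. */
int cap_roundtrip(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[CAP_DATA_MAX];
    unsigned int version = cap_get_self(data);
    if (version == 0)
        return errno;
    memset(&hdr, 0, sizeof(hdr));
    hdr.version = version;
    hdr.pid = 0;
    if (syscall(SYS_capset, &hdr, data) != 0)
        return errno;
    return 0;
}

/* What the comment #9 patch does: force v1 with one element. Internally
 * consistent, so it works, but a kernel with a newer ABI logs its legacy
 * warning. Only capget here, so the caller's sets are not truncated. */
int cap_legacy_v1_capget(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct one;
    memset(&hdr, 0, sizeof(hdr));
    memset(&one, 0, sizeof(one));
    hdr.version = _LINUX_CAPABILITY_VERSION_1;
    hdr.pid = 0;
    return syscall(SYS_capget, &hdr, &one) == 0 ? 0 : errno;
}

int main(void)
{
    unsigned int v = probe_kernel_cap_version();
    int rc;
    printf("kernel prefers capability ABI 0x%08x, %d data element(s)\n",
           v, cap_data_elems(v));
    rc = cap_roundtrip();
    printf("capget/capset round-trip with matching size: %s\n",
           rc == 0 ? "ok" : strerror(rc));
    rc = cap_legacy_v1_capget();
    printf("v1 (legacy, 32-bit) capget: %s\n", rc == 0 ? "ok" : strerror(rc));
    return 0;
}
```

On a 2.6.25 or later kernel the probe reports the v2 or v3 value and two elements; running it and then checking dmesg shows the legacy warning raised by cap_legacy_v1_capget() and none from cap_roundtrip(). The same probe-then-size pattern is what libcap does internally, which is why building named against libcap 2.10 makes both the EPERM and the warning disappear.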

------- Comment #14 From Tobias Scherbaum 2008-08-03 15:59:43 0000 -------
This should be fixed in =bind-9.4.2_p2-r1 and =bind-9.5.0_p2-r1. Please test
and reopen this bug if necessary.

------- Comment #15 From Attila Tóth 2008-08-07 07:16:07 0000 -------
(In reply to comment #14)
> This should be fixed in =bind-9.4.2_p2-r1 and =bind-9.5.0_p2-r1. Please test
> and reopen this bug if necessary.
> 

I just can't understand, after reading this post, how a version of bind without
the patch and the dependency could go stable???
