Bug 354679 - >=net-dns/bind-9.4.3_p5-r3: default perms on /var/bind/pri break journal creation and commits
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Christian Ruppert (idl0r)
Reported: 2011-02-13 00:45 UTC by Malte Starostik
Modified: 2011-02-25 12:44 UTC (History)

Description Malte Starostik 2011-02-13 00:45:57 UTC
net-dns/bind installs /var/bind/pri owned by root:named and with mode 750.  However, that directory must be writable for bind in order to create journal files (<zone file>.jnl) for new(ly updatable) zones and commit changes back to the zone files (every 15 minutes and after rndc stop).
Touching a .jnl and making the individual files writable to the named user and/or group is not enough because named first creates a temp file in the same dir and then renames it.

There are two problematic lines in all >=net-dns/bind-9.4.3_p5-r3 ebuilds:
* for first timers towards the end of src_install:
  fperms 0750 /etc/bind /var/bind/pri
* for upgraders towards the end of pkg_postinst:
  ewarn "chmod 0750 /etc/bind /var/bind/pri"

Suggestion: make that 0770 for /var/bind/pri
Alternative suggestion: add sth. like /var/bind/dyn with mode 0770 just for dynamic zones to keep static ones read-only

Reproducible: Always

Steps to Reproduce:
1. Create a new zone allowing updates, e.g.
zone "test" IN {
    type master;
    file "pri/test.zone";
    allow-update { key "update-key"; };
};


2. Try to add a record, e.g.
nsupdate <<EOT
> update add test.test. 86400 in txt "test"
> 
EOT

3. Try the same on a zone with an existing journal

Actual Results:  
For the new zone, nsupdate gives:
update failed: SERVFAIL
and the corresponding entry in the server's syslog:
named[5704]: client 10.26.0.100#15746: updating zone 'test/IN': error: journal open failed: unexpected error

If the zone and journal existed before, the error is more subtle.  The update succeeds, but you get this one periodically:
named[5235]: dumping master file: pri/tmp-cteoOeJeE4: open: permission denied

And the updates from the journal will never make it into the zone file.  This might cause some serious problems if using the max-journal-size option.

Expected Results:  
bind should be able to create its journal files and dump the changes to the master files.

emerge --info net-dns/bind
net-dns/bind-9.7.2_p3-r1 was built with the following:
USE="berkdb ipv6 ssl threads xml -dlz -doc -geoip -gssapi -idn -ldap -mysql -odbc -postgres -resolvconf (-selinux) -urandom"
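As an added check (not part of the bug report, the ebuild or BIND itself), the POSIX shell script below audits a named.conf the way the report's reproduction does: it lists each zone block with its file and whether it accepts updates, then verifies that a dynamic zone's directory is writable by the group named runs as, and flags static zones that sit in such a directory. The awk parser, the directory-permission check and the function names are assumptions of this example; it assumes one statement per line, as in the stanza quoted above.

```shell
# Added example, not from the bug or the ebuild: audit the directories named must
# write. For each zone block in named.conf it reads the zone file and whether the
# zone accepts updates, then checks the file's directory is writable by the named
# group (root:named 0770, as in the fix) and that static zones are not in one.

# Print "zone|file|dynamic" per zone block; dynamic=1 when the block has an
# allow-update or update-policy that is not "none". Assumes one statement per line.
list_zones() {
    awk '
        /^[ \t]*zone[ \t]+"/ { match($0, /"[^"]*"/)
            name = substr($0, RSTART + 1, RLENGTH - 2); inzone = 1; dyn = 0; file = ""; next }
        inzone && /^[ \t]*file[ \t]+"/ { match($0, /"[^"]*"/); file = substr($0, RSTART + 1, RLENGTH - 2) }
        inzone && /allow-update|update-policy/ { if ($0 !~ /none/) dyn = 1 }
        inzone && /^[ \t]*};/ { if (file != "") print name "|" file "|" dyn; inzone = 0 }
    ' "$1"
}

# Succeed when directory $1 is writable by group $2 (or by everyone). named creates
# a tmp-XXXX file here and renames it, so the directory bit matters, not the zone
# file's own mode. Parses ls -ld so it does not need GNU stat.
dir_group_writable() {
    line=$(ls -ld "$1" 2>/dev/null) || return 2
    grp=$(printf '%s\n' "$line" | awk '{ print $4 }')
    gw=$(printf '%s\n' "$line" | cut -c6)
    ow=$(printf '%s\n' "$line" | cut -c9)
    [ "$ow" = w ] || { [ "$grp" = "$2" ] && [ "$gw" = w ]; }
}

# $1 = named.conf, $2 = named's "directory" option (/var/bind on Gentoo), $3 = group
# named runs as. Returns 1 if a dynamic zone sits in a directory named cannot write;
# a static zone in a writable directory only gets a warning.
audit_zone_dirs() {
    bad=0
    while IFS='|' read -r name file dyn; do
        [ -n "$name" ] || continue
        case $file in /*) dir=$(dirname "$file") ;; *) dir=$(dirname "$2/$file") ;; esac
        if dir_group_writable "$dir" "$3"; then writable=1; else writable=0; fi
        if [ "$dyn" = 1 ] && [ "$writable" = 0 ]; then
            echo "FAIL zone $name: $dir not writable by $3; journal/dump will fail"; bad=1
        elif [ "$dyn" = 0 ] && [ "$writable" = 1 ]; then
            echo "WARN zone $name: static zone file in writable directory $dir"
        else
            echo "OK   zone $name: $dir"
        fi
    done <<EOF
$(list_zones "$1")
EOF
    return $bad
}
```

Run it as `audit_zone_dirs /etc/bind/named.conf /var/bind named` after an upgrade; a FAIL line corresponds to the "journal open failed" and "dumping master file ... permission denied" errors in the report.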
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2011-02-25 12:44:38 UTC
I just added /var/bind/dyn with 0770 to bind >=9.6.3-r1, >=9.7.3-r1 and >=9.8.0rc1.