Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 430316

Summary: net-dns/bind: Feature request: Add a check for sane folder/file permission
Product: Gentoo Linux Reporter: Niklas Johansson <raphexion>
Component: Current packagesAssignee: Mikle Kolyada (RETIRED) <zlogene>
Status: RESOLVED FIXED    
Severity: enhancement CC: chutzpah, jstein
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Niklas Johansson 2012-08-07 12:16:16 UTC 
I have had some problems with permissions when using net-dns/bind. Especially when it comes to the pid-file. When looking online it seems I am not alone.

In /etc/init.d/named there is a couple of checks (e.g, named-checkconf, checkpath). If possible and if time is available, I would like to request a new feature, "a check for sane permissions on folders and files" when starting named.

Examples of folders are:
${CHROOT}/var/bind
${CHROOT}/etc/bind
${CHROOT}/var/run/named

Best wishes
Niklas
Comment 1 Niklas Johansson 2012-08-07 16:19:51 UTC 
I am really bad in bash and ebuild scripts but I tried to do an implementation. It is probably horrible but at least I tried.

permission_user_match() {
    file_id=$(stat --format="%u" $2)
    user_id=$(id -u $1)
    if [ "$user_id" != "$file_id" ]; then
	eerror "$1 has the wrong user permission"
    fi
}

permission_group_match() {
    file_gid=$(stat --format="%g" $2)
    user_gid=$(id -g $1)
    if [ "$user_gid" != "$file_gid" ]; then
	eerror "$1 has the wrong group permission"
    fi
}

user_may_write() {
    access=$(stat --format="%A" $2)
    if [ "${access:2:1}" != "w" ]; then
	eerror "$1 may not write to $2"
    fi
}

group_may_write() {
    access=$(stat --format="%A" $2)
    if [ "${access:5:1}" != "w" ]; then
	eerror "$1 may not write to $2"
    fi
}

checkpermissions() {
        ebegin "Checking named permissions"

	permission_group_match named ${CHROOT}/var/bind
	permission_group_match named ${CHROOT}/etc/bind      
	permission_group_match named ${CHROOT}/var/run/named

	group_may_write named ${CHROOT}/var/bind
	group_may_write named ${CHROOT}/etc/bind      
	group_may_write named ${CHROOT}/var/run/named

        eend 0
        return 0
}