Control: tag -1 patch moreinfo On Tue, 2012-12-25 at 12:46 +0100, Bastian Blank wrote: > Package: bind9 > Version: 1:9.8.1.dfsg.P1-4.4 > Severity: grave > File: /usr/lib/libdns.so.81.3.1 > > libdns is configured with a list of openssl engines to load somewhere > after startup (lib/dns/dst_api.c). It errors out if it can't load one of > them. gost is _always_ an dynamic engine loaded as dynamic library so it > will fail at arbitrary times. > > In this case named exits with a fatal error: > | Dec 25 11:43:09 triphammer named[13958]: initializing DST: openssl failure > | Dec 25 11:43:09 triphammer named[13958]: exiting (due to fatal error) > > This initialization happens _after_ named calles chroot, so it will > completely fail to work in this case.
This patch seems to work - at least, it was enough to get the daemon running in a chroot with only configuration and var directories. Please can you confirm whether this works for a real installation? Ben. -- Ben Hutchings Any smoothly functioning technology is indistinguishable from a rigged demo.
Author: Ben Hutchings <b...@decadent.org.uk> Description: Initialise OpenSSL before calling chroot() Bug-Debian: http://bugs.debian.org/696661 OpenSSL may need to load additional shared libraries, in particular for the gost algorithm. This will not work after we chroot(), so we need to initialise it before doing that. Move the calls to dst_lib_init2() and isc_entropy_create() into setup() and calls to the corresponding cleanup into cleanup(). --- a/bin/named/main.c +++ b/bin/named/main.c @@ -616,14 +616,6 @@ ISC_LOG_INFO, "using up to %u sockets", socks); } - result = isc_entropy_create(ns_g_mctx, &ns_g_entropy); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_entropy_create() failed: %s", - isc_result_totext(result)); - return (ISC_R_UNEXPECTED); - } - result = isc_hash_create(ns_g_mctx, ns_g_entropy, DNS_NAME_MAXWIRE); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, @@ -639,10 +631,6 @@ destroy_managers(void) { ns_lwresd_shutdown(); - isc_entropy_detach(&ns_g_entropy); - if (ns_g_fallbackentropy != NULL) - isc_entropy_detach(&ns_g_fallbackentropy); - /* * isc_taskmgr_destroy() will block until all tasks have exited, */ @@ -743,6 +731,21 @@ } #endif + result = isc_entropy_create(ns_g_mctx, &ns_g_entropy); + if (result != ISC_R_SUCCESS) + ns_main_earlyfatal("isc_entropy_create() failed: %s", + isc_result_totext(result)); + + /* + * DST may load additional libraries, which must be done before + * chroot + */ + result = dst_lib_init2(ns_g_mctx, ns_g_entropy, + ns_g_engine, ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + ns_main_earlyfatal("dst_lib_init2() failed: %s", + isc_result_totext(result)); + #ifdef ISC_PLATFORM_USETHREADS /* * Check for the number of cpu's before ns_os_chroot(). @@ -909,6 +912,12 @@ ns_builtin_deinit(); + dst_lib_destroy(); + + isc_entropy_detach(&ns_g_entropy); + if (ns_g_fallbackentropy != NULL) + isc_entropy_detach(&ns_g_fallbackentropy); + /* * Add calls to unregister sdb drivers here. */ --- a/bin/named/server.c +++ b/bin/named/server.c @@ -5483,10 +5483,6 @@ ISC_R_NOMEMORY : ISC_R_SUCCESS, "allocating reload event"); - CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, - ns_g_engine, ISC_ENTROPY_GOODONLY), - "initializing DST"); - server->tkeyctx = NULL; CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, &server->tkeyctx), @@ -5633,8 +5629,6 @@ if (server->tkeyctx != NULL) dns_tkeyctx_destroy(&server->tkeyctx); - dst_lib_destroy(); - isc_event_free(&server->reload_event); INSIST(ISC_LIST_EMPTY(server->viewlist));
signature.asc
Description: This is a digitally signed message part