Hi, I'm running OpenPKG bind-9.4.2-20080229.src.rpm on a centos-5.1 server. When starting named I get an error about the unix command channel:

# /kolab/sbin/named -u kolab-r -g
....
01-May-2008 23:47:03.759 /kolab/etc/bind/named.conf:6: couldn't add command channel /kolab/var/bind/named.ctl: permission denied
....

Of course the target directory has the correct rights:

# ls -la /kolab/var/bind/
total 9220
drwxr-xr-x  2 kolab-r kolab-r    4096 May  2 00:00 .
drwxr-xr-x 23 kolab   kolab      4096 Apr  3 10:56 ..
-rw-r--r--  1 kolab-r kolab-r       0 May  2 00:00 named.log
-rw-r--r--  1 kolab-r kolab-r 9396239 May  1 23:46 named.log.0

Using strace I get:

socket(PF_FILE, SOCK_STREAM, 0)         = 5
stat64("/kolab/var/bind/named.ctl", 0xbfcf281c) = -1 ENOENT (No such file or directory)
close(5)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 5
fcntl64(5, F_DUPFD, 20)                 = 24
close(5)                                = 0
fcntl64(24, F_GETFL)                    = 0x2 (flags O_RDWR)
fcntl64(24, F_SETFL, O_RDWR|O_NONBLOCK) = 0
bind(24, {sa_family=AF_FILE, path="/kolab/var/bind/named.ctl"}, 110) = -1 EACCES (Permission denied)
close(24)                               = 0
gettimeofday({1209678840, 917940}, NULL) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2944, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2944, ...}) = 0
write(2, "01-May-2008 23:54:00.917 /kolab/"..., 12901-May-2008 23:54:00.917 /kolab/etc/bind/named.conf:6: couldn't add command channel /kolab/var/bind/named.ctl: permission denied
) = 129

After doing a

# chmod g+w /kolab/var/bind/

I get another error:

02-May-2008 00:07:59.248 automatic empty zone: B.E.F.IP6.ARPA
02-May-2008 00:07:59.250 isc_socket_permunix: chown(/kolab/var/bind/named.ctl, 19415, 19415): Operation not permitted
02-May-2008 00:07:59.250 /kolab/etc/bind/named.conf:6: couldn't add command channel /kolab/var/bind/named.ctl: failure
02-May-2008 00:07:59.250 ignoring config file logging statement due to -g option

strace report:

bind(24, {sa_family=AF_FILE, path="/kolab/var/bind/named.ctl"}, 110) = 0
chmod("/kolab/var/bind/named.ctl", 0600) = 0
chown32("/kolab/var/bind/named.ctl", 19415, 19415) = -1 EPERM (Operation not permitted)

Of course kolab-r has uid and gid 19415 :-)

# ls -la /kolab/var/bind/
total 9232
drwxrwxrwx  2 kolab-r kolab-r    4096 May  2 00:07 .
drwxr-xr-x 23 kolab   kolab      4096 Apr  3 10:56 ..
srw-------  1 root    root          0 May  2 00:07 named.ctl
-rw-r--r--  1 kolab-r kolab-r       0 May  2 00:00 named.log
-rw-r--r--  1 kolab-r kolab-r 9396239 May  1 23:46 named.log.0
-rw-r--r--  1 kolab-r kolab-r       6 May  2 00:07 named.pid

My named.conf contains:

controls {
    unix "/kolab/var/bind/named.ctl" perm 0600 owner 19415 group 19415 keys { "rndc-key"; };
    #inet 127.0.0.1 port 953
    #allow { 127.0.0.1; }
    #keys { "rndc-key"; };
};

It looks like this is a problem with "CAPABILITIES" setup. I removed the two calls to linux_setcaps in bin/named/unix/os.c of bind-9.4.2 and all the problems (the "bind" and the "chown") disappeared. Of course this is not the solution, it was just to be sure about the origin of the problem.

We found which capability to enable to avoid the chown() problem, but not the one to enable to solve the bind() problem (or why the chmod g+w solved the problem).

Here is a patch for the chown():

Index: bin/named/unix/os.c --- bin/named/unix/os.c.orig 2006-02-04 00:51:38 +0100 +++ bin/named/unix/os.c 2008-05-02 17:25:33 +0200 @@ -212,6 +212,11 @@ caps |= (1 << CAP_SETGID); /* + * Since we call chown, we need this. + */ + caps |= (1 << CAP_CHOWN); + + /* * Without this, we run into problems reading a configuration file * owned by a non-root user and non-world-readable on startup. */

You can follow the full chat I had with Ralf S. Engelschall at http://marc.info/?l=openpkg-users&m=120965287823716&w=2

Regards

-- 
Alain Spineux
aspineux gmail com
May the sources be with you

______________________________________________________________________
OpenPKG                                             http://openpkg.org
User Communication List                      openpkg-users@openpkg.org
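Review bot: the comment added in the hunk, "Since we call chown, we need this.", should name the caller that needs it (isc_socket_permunix chown()ing the control socket to the configured "owner"/"group" after bind(), per the log above), because CAP_CHOWN stays in the daemon's permitted set for its whole lifetime and a later reader must be able to judge whether that privilege is still required or whether the socket could instead be created before privileges are shed. The hunk also addresses only the second failure in the report: the socket appears as "srw------- root root named.ctl", so bind() still runs with uid 0, and a 0755 directory owned by kolab-r rejecting it with EACCES while a world-writable directory accepts it points at CAP_DAC_OVERRIDE being absent from the retained set. Leaving /kolab/var/bind world-writable is not an acceptable workaround for the rndc control socket; either the directory must be writable by the uid the socket is created under, or the capability handling must be adjusted for that step, and whichever is chosen should be recorded next to this comment.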
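The sequence the post is debugging (bind() the control socket, chmod() it to "perm", chown() it to "owner"/"group", all under a reduced capability set while still uid 0) is easy to reproduce outside named. The program below is an added example written for this page; it is not the original poster's code nor BIND's. It mirrors the three syscalls from the strace output and reports the first one that fails. On Linux, when run as root, it first shrinks its own capabilities the way linux_setcaps() does; the retained set (CAP_NET_BIND_SERVICE, CAP_SYS_CHROOT, CAP_SETUID, CAP_SETGID), the program and function names, the /tmp paths and the KEEP_CAP_CHOWN / KEEP_CAP_DAC_OVERRIDE environment variables are all assumptions of this example.

```c
/* Added example: reproducer for named's control-socket setup under
 * reduced capabilities. Not code from the post or from BIND. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/capability.h>
#include <sys/syscall.h>
#endif

enum { STEP_NONE = 0, STEP_BIND, STEP_CHMOD, STEP_CHOWN };

/* Same sequence as in the strace output: bind, chmod 0600, chown owner:group.
 * Returns 0 on success, otherwise the errno of the first failing step; *step
 * (if non-NULL) receives which step failed. The socket file is removed again. */
int probe_control_socket(const char *path, uid_t owner, gid_t group, int *step)
{
    struct sockaddr_un sun;
    int fd, err = 0, failed = STEP_NONE;

    memset(&sun, 0, sizeof(sun));
    sun.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof(sun.sun_path)) {
        if (step) *step = STEP_BIND;
        return ENAMETOOLONG;
    }
    strcpy(sun.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
        if (step) *step = STEP_BIND;
        return errno;
    }
    /* bind() creates the socket inode: needs write access to the directory
     * (for uid 0 that means CAP_DAC_OVERRIDE or a mode bit that allows it). */
    if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) < 0) {
        err = errno; failed = STEP_BIND;
    } else if (chmod(path, 0600) < 0) {           /* "perm 0600" */
        err = errno; failed = STEP_CHMOD;
    } else if (chown(path, owner, group) < 0) {   /* "owner/group": a real owner change needs CAP_CHOWN */
        err = errno; failed = STEP_CHOWN;
    }
    close(fd);
    if (failed != STEP_BIND)
        unlink(path);
    if (step) *step = failed;
    return err;
}

/* Runs the probe as the current user in a fresh private directory, the
 * situation the post's kolab-r-owned /kolab/var/bind was expected to be.
 * Returns 0 when bind, chmod and chown all succeed, else the errno. */
int probe_in_private_dir(void)
{
    char dir[] = "/tmp/ctlprobe.XXXXXX";   /* assumed scratch location */
    char path[sizeof(dir) + 16];
    int err;

    if (mkdtemp(dir) == NULL)
        return errno;
    snprintf(path, sizeof(path), "%s/named.ctl", dir);
    err = probe_control_socket(path, getuid(), getgid(), NULL);
    rmdir(dir);
    return err;
}

#ifdef __linux__
/* Keep only the capabilities in `keep` (bitmask of CAP_* numbers < 32) while
 * staying uid 0: the state named is in after linux_setcaps(). */
int restrict_caps(unsigned int keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    memset(data, 0, sizeof(data));
    data[0].effective = data[0].permitted = keep;
    return syscall(SYS_capset, &hdr, data) < 0 ? errno : 0;
}
#endif

/* Usage: ./ctlprobe [socket-path [owner-uid [group-gid]]]
 * As root: KEEP_CAP_CHOWN=1 / KEEP_CAP_DAC_OVERRIDE=1 retain that capability. */
int main(int argc, char **argv)
{
    static const char *names[] = { "none", "bind", "chmod", "chown" };
    const char *path = argc > 1 ? argv[1] : "/tmp/named.ctl";
    uid_t owner = argc > 2 ? (uid_t)strtoul(argv[2], NULL, 10) : getuid();
    gid_t group = argc > 3 ? (gid_t)strtoul(argv[3], NULL, 10) : getgid();
    int err, step;

#ifdef __linux__
    if (geteuid() == 0) {
        /* Assumed stand-in for named's retained set; CAP_CHOWN and
         * CAP_DAC_OVERRIDE are absent unless explicitly requested. */
        unsigned int keep = (1u << CAP_NET_BIND_SERVICE) | (1u << CAP_SYS_CHROOT) |
                            (1u << CAP_SETUID) | (1u << CAP_SETGID);
        if (getenv("KEEP_CAP_CHOWN")) keep |= 1u << CAP_CHOWN;
        if (getenv("KEEP_CAP_DAC_OVERRIDE")) keep |= 1u << CAP_DAC_OVERRIDE;
        if ((err = restrict_caps(keep)) != 0) {
            fprintf(stderr, "capset: %s\n", strerror(err));
            return 1;
        }
    }
#endif
    err = probe_control_socket(path, owner, group, &step);
    if (err == 0)
        printf("%s: bind, chmod and chown all succeeded\n", path);
    else
        printf("%s: %s failed: %s\n", path, names[step], strerror(err));
    return err != 0;
}
```

Run as root with the socket path inside a 0755 directory owned by another uid and the chown target set to that uid, the probe fails at bind() with EACCES, because uid 0 without CAP_DAC_OVERRIDE is subject to the directory's mode bits like any other user; make the directory world-writable and the failure moves to chown() with EPERM; set KEEP_CAP_CHOWN=1 and all three steps succeed, which is the behaviour the patch above restores. Run as an unprivileged user in a directory that user owns, all three steps succeed without any capability, which is why the cleaner fix is to create the socket under the target uid rather than to widen the directory permissions.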