Hi
I'm running OpenPKG bind-9.4.2-20080229.src.rpm on a centos-5.1 server.

When starting named I get an error about the unix command channel:

# /kolab/sbin/named -u kolab-r -g
....
01-May-2008 23:47:03.759 /kolab/etc/bind/named.conf:6: couldn't add
command channel /kolab/var/bind/named.ctl: permission denied
....

Of course the target directory has the correct rights

# ls -la /kolab/var/bind/
total 9220
drwxr-xr-x  2 kolab-r kolab-r    4096 May  2 00:00 .
drwxr-xr-x 23 kolab   kolab      4096 Apr  3 10:56 ..
-rw-r--r--  1 kolab-r kolab-r       0 May  2 00:00 named.log
-rw-r--r--  1 kolab-r kolab-r 9396239 May  1 23:46 named.log.0

Using strace I get:

socket(PF_FILE, SOCK_STREAM, 0)         = 5
stat64("/kolab/var/bind/named.ctl", 0xbfcf281c) = -1 ENOENT (No such
file or directory)
close(5)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 5
fcntl64(5, F_DUPFD, 20)                 = 24
close(5)                                = 0
fcntl64(24, F_GETFL)                    = 0x2 (flags O_RDWR)
fcntl64(24, F_SETFL, O_RDWR|O_NONBLOCK) = 0
bind(24, {sa_family=AF_FILE, path="/kolab/var/bind/named.ctl"}, 110) =
-1 EACCES (Permission denied)
close(24)                               = 0
gettimeofday({1209678840, 917940}, NULL) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2944, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2944, ...}) = 0
write(2, "01-May-2008 23:54:00.917 /kolab/"..., 12901-May-2008
23:54:00.917 /kolab/etc/bind/named.conf:6: couldn't add command
channel /kolab/var/bind/named.ctl: permi
ssion denied
) = 129


After doing

# chmod g+w /kolab/var/bind/

I get another error:

02-May-2008 00:07:59.248 automatic empty zone: B.E.F.IP6.ARPA
02-May-2008 00:07:59.250 isc_socket_permunix:
chown(/kolab/var/bind/named.ctl, 19415, 19415): Operation not
permitted
02-May-2008 00:07:59.250 /kolab/etc/bind/named.conf:6: couldn't add
command channel /kolab/var/bind/named.ctl: failure
02-May-2008 00:07:59.250 ignoring config file logging statement due to -g option

strace report:

bind(24, {sa_family=AF_FILE, path="/kolab/var/bind/named.ctl"}, 110) = 0
chmod("/kolab/var/bind/named.ctl", 0600) = 0
chown32("/kolab/var/bind/named.ctl", 19415, 19415) = -1 EPERM
(Operation not permitted)

Of course kolab-r has uid and gid 19415 :-)

# ls -la /kolab/var/bind/
total 9232
drwxrwxrwx  2 kolab-r kolab-r    4096 May  2 00:07 .
drwxr-xr-x 23 kolab   kolab      4096 Apr  3 10:56 ..
srw-------  1 root    root          0 May  2 00:07 named.ctl
-rw-r--r--  1 kolab-r kolab-r       0 May  2 00:00 named.log
-rw-r--r--  1 kolab-r kolab-r 9396239 May  1 23:46 named.log.0
-rw-r--r--  1 kolab-r kolab-r       6 May  2 00:07 named.pid

My named.conf contains:

controls {
   unix "/kolab/var/bind/named.ctl"
        perm 0600 owner 19415 group 19415
        keys { "rndc-key"; };
   #inet 127.0.0.1 port 953
        #allow { 127.0.0.1;  }
        #keys  { "rndc-key"; };
};


It looks like this is a problem with the "CAPABILITIES" setup.
I removed the two calls to linux_setcaps in bind-9.4.2/bin/named/unix/os.c
and all the problems (both the "bind" and the "chown" one) disappeared.
Of course this is not the solution, it was just to be sure about
the origin of the problem.

We found which capability to enable to avoid the chown() problem, but
not the one to enable to solve the bind() problem (or why the
chmod g+w solved the problem).
Here is a patch for the chown():


Index: bin/named/unix/os.c
--- bin/named/unix/os.c.orig    2006-02-04 00:51:38 +0100
+++ bin/named/unix/os.c 2008-05-02 17:25:33 +0200
@@ -212,6 +212,11 @@
       caps |= (1 << CAP_SETGID);

       /*
+        * Since we call chown, we need this.
+        */
+       caps |= (1 << CAP_CHOWN);
+
+       /*
        * Without this, we run into problems reading a configuration file
        * owned by a non-root user and non-world-readable on startup.
        */
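Review bot: CAP_CHOWN is added to the retained set next to CAP_SETGID with no later drop in this hunk, so the daemon keeps the ability to change ownership of any file it can reach for its whole lifetime, while the only chown in evidence is the one on the control socket (isc_socket_permunix in the log above). Before widening the capability set, consider whether the `owner 19415 group 19415` clause in the controls statement can be left out when it equals the -u user, or whether the socket can be created after the switch to that user, so no chown is needed at all. If CAP_CHOWN does have to stay, the comment "Since we call chown, we need this." should say which chown (the unix control-channel socket) and note that the capability is retained after the uid switch, so a reader can judge the scope.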



You can follow the full chat I had with Ralf S. Engelschall at

http://marc.info/?l=openpkg-users&m=120965287823716&w=2

Regards

-- 
Alain Spineux
aspineux gmail com
May the sources be with you
______________________________________________________________________
OpenPKG                                             http://openpkg.org
User Communication List                      openpkg-users@openpkg.org
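As an added example (not code from BIND or from the OpenPKG package), the sequence the strace output above shows for isc_socket_permunix, bind() then chmod() then chown(), re-enacted in C with one addition: before touching the filesystem it asks the kernel whether CAP_CHOWN is in the effective set, so a missing capability is reported up front instead of leaving a root-owned 0600 socket behind the way the failed chown did in the second listing. The function names control_socket_create and has_effective_cap are hypothetical; the program is Linux-only (it uses capget(2) through syscall(2), with the capability number for CAP_CHOWN and the v3 header version mirrored from the kernel ABI so no kernel or libcap headers are needed).

```c
/* Added example: re-enactment of bind()/chmod()/chown() for a unix control
 * socket with a CAP_CHOWN pre-check. Linux only. Not BIND code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <unistd.h>

#define CAP_CHOWN 0                       /* kernel capability number */
#define LINUX_CAPABILITY_VERSION_3 0x20080522

/* Mirrors of the kernel's capget(2) user structures (assumed ABI layout). */
struct cap_header { uint32_t version; int pid; };
struct cap_data   { uint32_t effective, permitted, inheritable; };

/* 1 if `cap` is in the effective set, 0 if not, -1 if capget(2) failed. */
int has_effective_cap(int cap)
{
    struct cap_header hdr = { LINUX_CAPABILITY_VERSION_3, 0 }; /* pid 0: self */
    struct cap_data data[2];
    memset(data, 0, sizeof data);
    if (cap < 0 || cap > 63)
        return -1;
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Create the control socket at `path`, then chmod/chown it like named does.
 * Returns the bound fd, or -1 with errno set and *step naming the failed
 * call. On failure after bind() the socket file is unlinked again. */
int control_socket_create(const char *path, mode_t perm, uid_t owner,
                          gid_t group, const char **step)
{
    struct sockaddr_un sa;
    int fd, saved;

    if (strlen(path) >= sizeof sa.sun_path) {
        *step = "path"; errno = ENAMETOOLONG; return -1;
    }
    /* named runs this while still euid 0 but with a reduced capability set;
     * handing the socket to another uid needs CAP_CHOWN, so say so early. */
    if (owner != geteuid() && has_effective_cap(CAP_CHOWN) == 0) {
        *step = "precheck: chown needs CAP_CHOWN"; errno = EPERM; return -1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) { *step = "socket"; return -1; }
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { *step = "bind"; goto fail; }
    if (chmod(path, perm) != 0)            { *step = "chmod"; goto fail_unlink; }
    if (chown(path, owner, group) != 0)    { *step = "chown"; goto fail_unlink; }
    *step = "ok";
    return fd;
fail_unlink:
    saved = errno; unlink(path); errno = saved;
fail:
    saved = errno; close(fd); errno = saved;
    return -1;
}

/* Stand-alone run: create the socket in a fresh temp dir for our own uid. */
int main(void)
{
    char dir[] = "/tmp/ctlXXXXXX", path[108];
    const char *step = "";
    if (!mkdtemp(dir)) { perror("mkdtemp"); return 1; }
    snprintf(path, sizeof path, "%s/named.ctl", dir);
    int fd = control_socket_create(path, 0600, geteuid(), getegid(), &step);
    if (fd < 0) {
        perror(step);
    } else {
        printf("%s: created %s (CAP_CHOWN effective: %d)\n", step, path,
               has_effective_cap(CAP_CHOWN));
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return fd < 0;
}
```

Run it unprivileged and the chown to your own uid succeeds, because the owner may always "change" the owner to itself; ask for any other uid and, without CAP_CHOWN in the effective set, the pre-check fails with EPERM before a socket file exists, which is the situation the second strace listing shows for named.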
