package: bind9
version: all
severity: wishlist

Hello!

This bug is filed as a wish. It's more or less related to #212226 (bind9
doesn't start when capabilities aren't available), which is set to
wontfix. I would vote for rethinking that and fixing it:

There is already a patch available that fixes it. We use that heavily in
linux-vserver.org, because the so-called 'security contexts' we use
(like virtual servers, guests, jails ...) don't get any capability.
Unlike other v12n solutions (XEN, UML ..), in linux-vserver there is no
own kernel per context, so we don't allow guests to get capabilities.

Linux-vserver is already available in Debian for a long time (packages
util-vserver, vserver-debiantools), recently
linux-image-2.6.16-1-vserver.* entered Debian Sid even as ready-to-run
kernel.

The patch was made by Daniel Hokka Zakrisson. It works quite simply: it
checks if there are capabilities available and uses them. This is the
usual and, under normal circumstances, the more secure way. If there are
no capabilities available (especially CAP_SYS_RESOURCE, which is
requested by bind) it starts without them. With linux-vserver.org this
way of running bind makes it _more_ secure.

The original source of the patch is here:
http://daniel.hozac.com/stuff/bind-9.2.3-CAP_SYS_RESOURCE-when-available.patch

And the source of the patch itself is also to be found at the end of
that mail.

rgds,
Andreas

-- 
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331

http://www.net-lab.net


$ cat bind-9.2.3-CAP_SYS_RESOURCE-when-available.patch
diff -Naurp bind-9.2.3.orig/bin/named/unix/os.c
bind-9.2.3/bin/named/unix/os.c
--- bind-9.2.3.orig/bin/named/unix/os.c 2004-11-30 11:04:45.000000000 +0100
+++ bind-9.2.3/bin/named/unix/os.c      2004-12-05 15:24:08.000000000 +0100
@@ -155,9 +155,27 @@ linux_setcaps(unsigned int caps) {
        }
 }

+static unsigned int
+linux_getcaps(void) {
+       struct __user_cap_header_struct caphead;
+       struct __user_cap_data_struct cap;
+       char strbuf[ISC_STRERRORSIZE];
+
+       memset(&caphead, 0, sizeof(caphead));
+       caphead.version = _LINUX_CAPABILITY_VERSION;
+       caphead.pid = 0;
+       memset(&cap, 0, sizeof(cap));
+       if (syscall(SYS_capget, &caphead, &cap) < 0) {
+               isc__strerror(errno, strbuf, sizeof(strbuf));
+               ns_main_earlyfatal("capget failed: %s", strbuf);
+       }
+
+       return cap.permitted;
+}
+
 static void
 linux_initialprivs(void) {
-       unsigned int caps;
+       unsigned int caps, current;

        /*
         * We don't need most privileges, so we drop them right away.
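Review bot: linux_getcaps() has no comment explaining what it returns; add one stating that it queries the current process (caphead.pid = 0) via SYS_capget and returns the permitted set, which is the right set to consult before a later capset(), since a capability missing from permitted cannot be raised into effective. Also reconsider the ns_main_earlyfatal() on capget failure: the motivation for this patch is to keep named starting in restricted environments, and a failed capget would abort startup exactly there; returning 0 (treat as "no capabilities available") with a logged warning would match the intent of the rest of the patch.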
@@ -166,6 +184,7 @@ linux_initialprivs(void) {
         */

        caps = 0;
+       current = linux_getcaps();

        /*
         * We need to be able to bind() to privileged ports, notably
port 53!
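Review bot: the permitted set is now read into `current` here, but the capability requested just below for bind() to privileged ports is still added unconditionally, so only CAP_SYS_RESOURCE becomes optional; a short comment at `current = linux_getcaps();` saying that the permitted set is consulted only for CAP_SYS_RESOURCE (and why the bind()-related capability is still mandatory) would keep the next reader from assuming every capability is now opportunistic.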
@@ -205,14 +224,15 @@ linux_initialprivs(void) {
         * of files, the stack size, data size, and core dump size to
         * support named.conf options, this is now being added to test.
         */
-       caps |= (1 << CAP_SYS_RESOURCE);
+       if ((current & (1 << CAP_SYS_RESOURCE)) == (1 << CAP_SYS_RESOURCE))
+               caps |= (1 << CAP_SYS_RESOURCE);

        linux_setcaps(caps);
 }

 static void
 linux_minprivs(void) {
-       unsigned int caps;
+       unsigned int caps, current;

        /*
         * Drop all privileges except the ability to bind() to privileged
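Review bot: the comment above `caps |= (1 << CAP_SYS_RESOURCE);` still says the capability "is now being added to test", which no longer describes the code; update it to say the capability is requested only when it is already in the permitted set. When it is absent, the named.conf limit options (files, stack, data, core size) will later fail to raise limits with no indication of why, so log a notice at this point rather than dropping the capability silently. Style: `if (current & (1 << CAP_SYS_RESOURCE))` says the same as the `== (1 << CAP_SYS_RESOURCE)` comparison and is easier to read.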
@@ -223,6 +243,7 @@ linux_minprivs(void) {
         */

        caps = 0;
+       current = linux_getcaps();
        caps |= (1 << CAP_NET_BIND_SERVICE);

        /*
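Review bot: calling linux_getcaps() again here rather than reusing the value from linux_initialprivs() is correct, because the earlier linux_setcaps() has already changed the process's capability sets by the time linux_minprivs() runs; add a one-line comment saying so, otherwise this looks like an accidental duplicate of the call in linux_initialprivs().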
@@ -232,7 +253,8 @@ linux_minprivs(void) {
         * of files, the stack size, data size, and core dump size to
         * support named.conf options, this is now being added to test.
         */
-       caps |= (1 << CAP_SYS_RESOURCE);
+       if ((current & (1 << CAP_SYS_RESOURCE)) == (1 << CAP_SYS_RESOURCE))
+               caps |= (1 << CAP_SYS_RESOURCE);

        linux_setcaps(caps);
 }

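Review bot: this block duplicates the CAP_SYS_RESOURCE check and the stale "is now being added to test" comment from linux_initialprivs(); factor the test into a small helper (e.g. one that takes `current` and returns the bit to OR in, or logs when it is missing) so the two call sites cannot drift apart, and update the comment in both places to reflect the conditional request.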
