NetBSD Problem Report #53652
From taca@a.back-street.net Sat Oct 6 16:10:57 2018
Return-Path: <taca@a.back-street.net>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id EBA937A180
for <gnats-bugs@gnats.NetBSD.org>; Sat, 6 Oct 2018 16:10:56 +0000 (UTC)
Message-Id: <20181006161050.11FB9105742@currnet.a.back-street.net>
Date: Sun, 7 Oct 2018 01:10:49 +0900 (JST)
From: taca@back-street.net
Reply-To: taca@back-street.net
To: gnats-bugs@NetBSD.org
Subject: Change permission of namedb directory
X-Send-Pr-Version: 3.95
>Number: 53652
>Category: bin
>Synopsis: Change permission of namedb directory
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sat Oct 06 16:15:00 +0000 2018
>Last-Modified: Sun Oct 14 12:45:00 +0000 2018
>Originator: Takahiro Kambe
>Release: NetBSD 8.99.25
>Organization:
>Environment:
System: NetBSD currnet.a.back-street.net 8.99.25 NetBSD 8.99.25 (VMWARE-F10) #1: Mon Oct 1 01:14:33 JST 2018 taca@currnet.a.back-street.net:/data/amd64/obj/sys/arch/amd64/compile/VMWARE-F10 amd64
Architecture: x86_64
Machine: amd64
>Description:
Recent BIND assumes that the current directory, which is specified by the
"directory" statement in the "options" section, is writable by the
named process. Especially when "named_chrootdir" is set to
"/var/chroot/named" in /etc/rc.conf:
* When checking for KSK rollover, "rndc secroots" would fail by
trying to write to the /var/chroot/named/etc/namedb directory
as the "named" user.
* With BIND 9.11 and later from pkgsrc, named does not start, because it
checks that the /var/chroot/named/etc/namedb directory is writable.
>How-To-Repeat:
Install pkgsrc/net/bind911 and start it from /etc/rc.d/named9.
>Fix:
Possible fix: allow writing through group permission.
1. Add /var/chroot/named/etc/namedb/nta to /etc/mtree/special.
2. Remove the extra type=dir?
diff --git a/etc/mtree/NetBSD.dist.base b/etc/mtree/NetBSD.dist.base
index 3a488bacfc..cb40dd1518 100644
--- a/etc/mtree/NetBSD.dist.base
+++ b/etc/mtree/NetBSD.dist.base
@@ -37,7 +37,7 @@
./etc/kyua
./etc/mail
./etc/mtree
-./etc/namedb
+./etc/namedb mode=0775 gname=named
./etc/nsd
./etc/openldap
./etc/openssl
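Review bot: the `+./etc/namedb mode=0775 gname=named` line makes the non-chroot namedb root itself writable by the named group, which is a wider change than the nta/secroots scratch files that motivate the PR; if only those files need a writable location, a group-writable subdirectory under ./etc/namedb with the root kept at 0755 would achieve that. Whatever is chosen, this entry must stay in step with the `./etc/namedb` line in etc/mtree/special, which the second file of this patch also edits.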
@@ -1259,10 +1259,10 @@
./var/chroot/named
./var/chroot/named/dev
./var/chroot/named/etc
-./var/chroot/named/etc/namedb
-./var/chroot/named/etc/namedb/cache mode=0775 uname=named gname=named
-./var/chroot/named/etc/namedb/keys type=dir mode=0775 uname=named gname=named
-./var/chroot/named/etc/namedb/nta type=dir mode=0775 uname=named gname=named
+./var/chroot/named/etc/namedb mode=0775 gname=named
+./var/chroot/named/etc/namedb/cache mode=0775 gname=named
+./var/chroot/named/etc/namedb/keys mode=0775 gname=named
+./var/chroot/named/etc/namedb/nta mode=0775 gname=named
./var/chroot/named/usr
./var/chroot/named/usr/libexec
./var/chroot/named/var
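Review bot: the replacement lines for cache, keys and nta drop `uname=named` and keep only `gname=named`, so those directories change from named-owned to root-owned and group-writable; that is a behaviour change beyond the two items listed under Fix (add nta to special, remove the extra `type=dir`) and should either be called out in the Fix description or reverted to `uname=named gname=named` as in the removed lines. Dropping `type=dir` is consistent with the neighbouring entries in NetBSD.dist.base, which carry no type keyword.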
diff --git a/etc/mtree/special b/etc/mtree/special
index e38be7ceab..cb576692ad 100644
--- a/etc/mtree/special
+++ b/etc/mtree/special
@@ -123,7 +123,7 @@
./etc/mygate6 type=file mode=0644 optional
./etc/myname type=file mode=0644 optional
./etc/named.conf type=file mode=0644 optional
-./etc/namedb type=dir mode=0755
+./etc/namedb type=dir mode=0775 gname=named
./etc/netconfig type=file mode=0644
./etc/netgroup type=file mode=0644 optional
./etc/netstart.local type=file mode=0644 optional
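Review bot: /etc/mtree/special is the list the security(8) mtree check runs against, so changing `./etc/namedb` from `mode=0755` to `mode=0775 gname=named` also means the periodic check will no longer report a group-writable namedb root; that is the directory holding named.conf's zone and configuration files, so the relaxation needs to be a deliberate policy choice rather than a side effect of the nta change, and must match the NetBSD.dist.base entry in the first hunk.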
@@ -400,9 +400,10 @@
./var/chroot/named type=dir mode=0755
./var/chroot/named/dev type=dir mode=0755
./var/chroot/named/etc type=dir mode=0755
-./var/chroot/named/etc/namedb type=dir mode=0755
-./var/chroot/named/etc/namedb/cache type=dir mode=0775 uname=named gname=named
-./var/chroot/named/etc/namedb/keys type=dir mode=0775 uname=named gname=named
+./var/chroot/named/etc/namedb type=dir mode=0775 gname=named
+./var/chroot/named/etc/namedb/cache type=dir mode=0775 gname=named
+./var/chroot/named/etc/namedb/keys type=dir mode=0775 gname=named
+./var/chroot/named/etc/namedb/nta type=dir mode=0775 gname=named
./var/chroot/named/usr type=dir mode=0755
./var/chroot/named/usr/libexec type=dir mode=0755
./var/chroot/named/var type=dir mode=0755
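Review bot: adding `./var/chroot/named/etc/namedb/nta type=dir mode=0775 gname=named` is item 1 of the Fix, but the cache and keys lines also lose `uname=named`; on an installed system where those directories are owned by named as the previous spec required, the mtree check will report an owner mismatch until they are re-owned to root, so either keep `uname=named` on those two lines or document the re-ownership step alongside the spec change.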
>Audit-Trail:
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: bin/53652: Change permission of namedb directory
Date: Sat, 6 Oct 2018 14:07:31 -0400
On Oct 6, 4:15pm, taca@back-street.net (taca@back-street.net) wrote:
-- Subject: bin/53652: Change permission of namedb directory
| >Number: 53652
| >Category: bin
| >Synopsis: Change permission of namedb directory
| >Confidential: no
| >Severity: serious
| >Priority: medium
| >Responsible: bin-bug-people
| >State: open
| >Class: change-request
| >Submitter-Id: net
| >Arrival-Date: Sat Oct 06 16:15:00 +0000 2018
| >Originator: Takahiro Kambe
| >Release: NetBSD 8.99.25
| >Organization:
|
| >Environment:
This is not a good idea. NetBSD-current comes with bind-9.12 and
a local fix which avoids this issue.
RCS file: /cvsroot/src/external/mpl/bind/dist/lib/dns/view.c,v
revision 1.3
date: 2018-09-12 11:28:42 -0400; author: christos; state: Exp; lines: +2 -2; commitid: adpcledHWXK8qPRA;
Put the nta files in a subdirectory instead of requiring the namedb root
directory to be writable by named... Others have expressed the same concern,
but upstream refused: https://bugzilla.redhat.com/show_bug.cgi?id=1487823
https://bugs.isc.org/Public/Bug/Display.html?id=46242
Doesn't this work for you?
christos
From: Takahiro Kambe <taca@back-street.net>
To: christos@zoulas.com
Cc: gnats-bugs@NetBSD.org, taca@back-street.net
Subject: Re: bin/53652: Change permission of namedb directory
Date: Tue, 09 Oct 2018 15:25:53 +0900 (JST)
In message <20181006181001.839577A1FB@mollari.NetBSD.org>
on Sat, 6 Oct 2018 18:10:01 +0000 (UTC),
christos@zoulas.com (Christos Zoulas) wrote:
> This is not a good idea. NetBSD-current comes with bind-9.12 and
> a local fix which avoids this issue.
I think so, too.
> RCS file: /cvsroot/src/external/mpl/bind/dist/lib/dns/view.c,v
> revision 1.3
> date: 2018-09-12 11:28:42 -0400; author: christos; state: Exp; lines: +2 -2; commitid: adpcledHWXK8qPRA;
> Put the nta files in a subdirectory instead of requiring the namedb root
> directory to be writable by named... Others have expressed the same concern,
> but upstream refused: https://bugzilla.redhat.com/show_bug.cgi?id=1487823
> https://bugs.isc.org/Public/Bug/Display.html?id=46242
Note: ISC refused to accept this change as above.
> Doesn't this work for you?
It does not work completely with the default configuration on NetBSD current
8.99.25:
# echo 'named_chrootdir="/var/chroot/named"' >> /etc/rc.conf
# sh /etc/rc.d/named onestart
Starting named.
# sh /etc/rc.d/named onestatus
named is running as pid 1140.
# /usr/sbin/rndc secroots
rndc: 'secroots' failed: permission denied
could not open named.secroots
So, it is required to change the permission of "directory" or to provide
proper default values for these statements: "secroots-file",
"recursing-file" and so on.
--
Takahiro Kambe <taca@back-street.net>
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: bin/53652: Change permission of namedb directory
Date: Wed, 10 Oct 2018 11:12:17 -0400
On Oct 6, 4:15pm, taca@back-street.net (taca@back-street.net) wrote:
-- Subject: bin/53652: Change permission of namedb directory
Yes, the secroots issue is correct; as well as:
dump-file
The pathname of the file the server dumps the database to when instructed to do so with rndc dumpdb. If not specified, the default is named_dump.db.
memstatistics-file
The pathname of the file the server writes memory usage statistics to on exit. If not specified, the default is named.memstats.
recursing-file
The pathname of the file the server dumps the queries that are currently recursing when instructed to do so with rndc recursing. If not specified, the default is named.recursing.
statistics-file
The pathname of the file the server appends statistics to when instructed to do so using rndc stats. If not specified, the default is named.stats in the server's current directory. The format of the file is described in the section called "The Statistics File".
secroots-file
The pathname of the file the server dumps security roots to when instructed to do so with rndc secroots. If not specified, the default is named.secroots.
So I guess we can either revert the "nta" file change and make /etc/namedb
writable by the daemon, or we can double down and create a "stats" or "status"
or "logs" directory in /etc/named and default all of those files to go there.
It sounds neater to do that, but it is not desirable from a compatibility POV.
I think we should go with the first option (revert/make writable). Opinions?
christos
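An added example, not from the PR or from BIND itself: an sh(1) check that reads a named.conf options fragment and lists which of the five statements quoted above would still be written into the root of "directory", either because they are unset (default file name) or because they are set to a bare file name. The options fragment is constructed for illustration, and its redirection of two files into the existing cache subdirectory is one admin-side workaround, not anything the thread prescribes.

```shell
#!/bin/sh
# Constructed named.conf options fragment (not from the PR): secroots-file and
# dump-file are redirected into the named-owned "cache" subdirectory, the
# remaining statements are left to BIND's defaults.
CONF='options {
    directory "/etc/namedb";
    dump-file "cache/named_dump.db";
    secroots-file "cache/named.secroots";
    recursion yes;
};'

# The five statements whose files named writes relative to "directory",
# with the default file names quoted from the BIND ARM in this thread.
DEFAULTS='dump-file named_dump.db
memstatistics-file named.memstats
recursing-file named.recursing
statistics-file named.stats
secroots-file named.secroots'

# Print one "<statement> <file>" line for every file that would be created
# in the root of "directory": statements that are not set at all, and
# statements set to a bare file name without a directory component.
root_written_files() {
    conf=$1
    printf '%s\n' "$DEFAULTS" | while read -r stmt default; do
        # Value of the statement if present: the quoted string after its name.
        value=$(printf '%s\n' "$conf" |
            sed -n "s/^[[:space:]]*$stmt[[:space:]]*\"\([^\"]*\)\".*/\1/p")
        if [ -z "$value" ]; then
            printf '%s %s\n' "$stmt" "$default"
        else
            case $value in
                */*) ;;                                  # relative or absolute subpath: fine
                *)   printf '%s %s\n' "$stmt" "$value" ;; # bare name lands in the root
            esac
        fi
    done
}

root_written_files "$CONF"
```

For the constructed fragment this reports memstatistics-file, recursing-file and statistics-file; an empty report means the namedb root can stay 0755 as far as these five files are concerned.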
From: John Nemeth <jnemeth@cue.bc.ca>
To: christos@zoulas.com (Christos Zoulas), gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/53652: Change permission of namedb directory
Date: Wed, 10 Oct 2018 21:04:32 -0700
On Oct 10, 11:12am, Christos Zoulas wrote:
} On Oct 6, 4:15pm, taca@back-street.net (taca@back-street.net) wrote:
}
} Yes, the secroots issue is correct; as well as:
}
} dump-file
} The pathname of the file the server dumps the database to when instructed to do so with rndc dumpdb. If not specified, the default is named_dump.db.
}
} memstatistics-file
} The pathname of the file the server writes memory usage statistics to on exit. If not specified, the default is named.memstats.
}
} recursing-file
} The pathname of the file the server dumps the queries that are currently recursing when instructed to do so with rndc recursing. If not specified, the default is named.recursing.
}
} statistics-file
} The pathname of the file the server appends statistics to when instructed to do so using rndc stats. If not specified, the default is named.stats in the server's current directory. The format of the file is described in the section called "The Statistics File".
}
} secroots-file
} The pathname of the file the server dumps security roots to when instructed to do so with rndc secroots. If not specified, the default is named.secroots.
}
} So I guess we can either revert the "nta" file change and make /etc/namedb
} writable by the daemon, or we can double down and create a "stats" or "status"
} or "logs" directory in /etc/named and default all of those files to go there.
} It sounds neater to do that, but it is not desirable from a compatibility POV.
}
} I think we should go with the first option (revert/make writable). Opinions?
I seriously think we should go with the second option. Having
/etc/namedb writable by daemon of a master server leaves it open
to complete corruption of the zone files and possibly configuration
files if there is a compromise of the server. I recognise that
this may be a nuisance on a server that mainly serves slave zones
since it means that you can't just add a zone to the config file.
This kinda leads to the idea that it should be an option.
}-- End of excerpt from Christos Zoulas
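An added example, not part of this PR: an sh(1) audit over an mtree(8) spec in the style of /etc/mtree/special that lists the directory entries a named daemon could write to, and flags the case raised above, a namedb root itself being writable rather than only a subdirectory. The spec fragment is constructed from the entries in this thread; entries without uname/gname are assumed to inherit root:wheel.

```shell
#!/bin/sh
# Constructed mtree(8) spec fragment in the style of /etc/mtree/special,
# mixing the original entries with the group-writable ones proposed in the PR.
SPEC='./etc/named.conf type=file mode=0644 optional
./etc/namedb type=dir mode=0775 gname=named
./var/chroot/named/etc type=dir mode=0755
./var/chroot/named/etc/namedb type=dir mode=0775 gname=named
./var/chroot/named/etc/namedb/cache type=dir mode=0775 uname=named gname=named
./var/chroot/named/etc/namedb/keys type=dir mode=0775 uname=named gname=named'

# Print every directory entry the spec makes writable by the daemon: owned by
# named, or group named with the group-write bit (020) set in mode.
# Output: one "<path> <mode> <owner>:<group>" line per finding.
named_writable_dirs() {
    printf '%s\n' "$1" | while read -r path keywords; do
        type= mode= uname=root gname=wheel   # assumed defaults for unset keywords
        for kw in $keywords; do
            case $kw in
                type=*)  type=${kw#type=} ;;
                mode=*)  mode=${kw#mode=} ;;
                uname=*) uname=${kw#uname=} ;;
                gname=*) gname=${kw#gname=} ;;
            esac
        done
        [ "$type" = dir ] || continue
        # 0$mode forces octal interpretation of the mode string
        if [ "$uname" = named ] ||
           { [ "$gname" = named ] && [ $(( 0$mode & 020 )) -ne 0 ]; }; then
            printf '%s %s %s:%s\n' "$path" "$mode" "$uname" "$gname"
        fi
    done
}

# Return 1 when a namedb root itself (not a subdirectory such as cache, keys
# or nta) is writable by the daemon, the exposure discussed in this thread.
check_namedb_root() {
    named_writable_dirs "$1" | grep -q '/namedb ' && return 1
    return 0
}

named_writable_dirs "$SPEC"
```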
From: Takahiro Kambe <taca@back-street.net>
To: gnats-bugs@NetBSD.org
Cc: jnemeth@cue.bc.ca, taca@back-street.net
Subject: Re: bin/53652: Change permission of namedb directory
Date: Sun, 14 Oct 2018 21:43:41 +0900 (JST)
In message <20181011042001.B35D77A270@mollari.NetBSD.org>
on Thu, 11 Oct 2018 04:20:01 +0000 (UTC),
John Nemeth <jnemeth@cue.bc.ca> wrote:
> } I think we should go with the first option (revert/make writable). Opinions?
>
> I seriously think we should go with the second option. Having
> /etc/namedb writable by daemon of a master server leaves it open
> to complete corruption of the zone files and possibly configuration
> files if there is a compromise of the server. I recognise that
> this may be a nuisance on a server that mainly serves slave zones
> since it means that you can't just add a zone to the config file.
> This kinda leads to the idea that it should be an option.
I agree with you.
* Like the "nta" directory, introduce a directory for named to write to
by default.
* Define the name of the statement that defines the directory: "work-dir" or
"data-dir".
* Change the code of named to write under the directory.
--
Takahiro Kambe <taca@back-street.net>
>Unformatted: