[Bug 738156] New: bind fails to start if switched to non chroot setup
https://bugzilla.novell.com/show_bug.cgi?id=738156
https://bugzilla.novell.com/show_bug.cgi?id=738156#c0

Summary: bind fails to start if switched to non chroot setup
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: All
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Network
AssignedTo: ug@suse.com
ReportedBy: lmuelle@suse.com
QAContact: qa@suse.de
CC: lmuelle@suse.com, lynn@steve-ss.com
Found By: Community User
Blocker: No

If NAMED_RUN_CHROOTED is set to "no" in /etc/sysconfig/named the symlink /var/run/named points to itself. Instead we have to create a directory owned by named:named.

Please test home:lmuelle:branches:server:dns/bind.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
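The runtime-directory handling the report asks for, as an added example and not the openSUSE bind package's own init script: it detects the self-referencing /var/run/named symlink, replaces it with a real directory owned by named:named when NAMED_RUN_CHROOTED=no, and restores the symlink when switching back to the chroot. It assumes the chroot's runtime directory sits at /var/lib/named/var/run/named (a constructed path; the thread names only /var/lib/named/) and uses a scratch ROOT so it runs unprivileged.

```shell
# Added example, not the openSUSE bind package's init script. Models the fix
# the bug asks for: with NAMED_RUN_CHROOTED=no, /var/run/named must be a real
# directory owned by named:named, never a symlink resolving to itself; with
# NAMED_RUN_CHROOTED=yes it is a symlink into the chroot.
# ROOT defaults to a constructed scratch tree so the script runs unprivileged;
# NAMED_USER/NAMED_GROUP default to named:named as in the report.
# The chroot runtime path below is an assumption, not taken from the thread.
ROOT="${ROOT:-$(mktemp -d)}"
RUN_DIR="$ROOT/var/run/named"
CHROOT_RUN="$ROOT/var/lib/named/var/run/named"

# 0 if $1 is a symlink whose target is $1 itself (the reported broken state).
is_self_symlink() {
    [ -L "$1" ] || return 1
    target=$(readlink "$1")
    case "$target" in
        /*) ;;                                  # absolute target
        *) target="$(dirname "$1")/$target" ;;  # relative: resolve against parent
    esac
    [ "$target" = "$1" ]
}

# 0 if $1 is usable as named's runtime directory: a directory, or a symlink
# that resolves to one. A self-loop or dangling link fails because stat()
# cannot follow it, which is why named refused to start.
run_dir_ok() {
    [ -d "$1" ]
}

# $1 is the NAMED_RUN_CHROOTED value ("yes" or "no").
setup_run_dir() {
    owner="${NAMED_USER:-named}:${NAMED_GROUP:-named}"
    # Clear what the other mode left behind: a (possibly self-referencing)
    # symlink, or an empty directory. rmdir refuses a non-empty directory, so
    # a still-running named (pid file present) blocks the switch: stop it first.
    if [ -L "$RUN_DIR" ]; then
        rm -f "$RUN_DIR"
    elif [ -d "$RUN_DIR" ]; then
        rmdir "$RUN_DIR"
    fi
    if [ "$1" = "no" ]; then
        mkdir -p "$RUN_DIR"            # real directory, only named may write it
        chown "$owner" "$RUN_DIR"
        chmod 0755 "$RUN_DIR"
    else
        mkdir -p "$CHROOT_RUN"         # directory inside the chroot
        chown "$owner" "$CHROOT_RUN"
        ln -s "$CHROOT_RUN" "$RUN_DIR" # symlink out of the chroot, never to itself
    fi
}
```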
--- Comment #1 from Lars Müller
--- Comment #2 from Lars Müller
--- Comment #3 from Lars Müller
--- Comment #4 from Lars Müller
--- Comment #5 from Lars Müller
--- Comment #6 from lynn wilson
http://download.opensuse.org/repositories/home:/lmuelle:/branches:/server:/d... is the download location for several openSUSE and SUSE Linux Enterprise products.

Need to add a suffix here no? e.g. http://download.opensuse.org/repositories/home:/lmuelle:/branches:/server:/d...
--- Comment #7 from lynn wilson
--- Comment #8 from Lars Müller
--- Comment #9 from lynn wilson
--- Comment #10 from Lars Müller
--- Comment #11 from lynn wilson
--- Comment #12 from Lars Müller
--- Comment #13 from lynn wilson
--- Comment #14 from lynn wilson
No, no, the packages from comment #3 don't produce this error, because the permissions of /var/lib/named/ and below have not been changed. You can prove this from the history of the repository. I've also tested these packages. Also rpm -V might be of help.
No bug got introduced. You're not reading how to handle dynamic zone files. Or you don't understand the general permission principle to only grant those permissions which are needed.
See comment 10. Fix your dynamic zone definitions and use /var/lib/named/dyn/ to let named store and handle the information from there.
And this also has nothing to do with a Microsoft Windows network.
mmm Ironically, this bug came to light _because_ of a Windows network. Had it not been for Samba 4, we would still be stuck in the bind-for-webservers era.
If there is something broken by this minimal change set please point us to the location where it is broken.
The permissions of /var/lib/named/ and any directory or file below are unmodified.
--- Comment #15 from lynn wilson
a) The chroot default is a reasonable and more secure approach.
b) Changing the default for _no_ reason is bad. That you're not able to configure Samba4 in the way it's able to work with a chrooted bind setup is no argument to modify a reasonable and working approach. Up to now no user has complained about the chroot approach.
Up to now bind was used to resolve names on the Internet, rather than as a vital element in authenticating against a Microsoft domain. Lars, you yourself have commented on the not too healthy state of the chroot script. Those of us who take the time to test software should be rewarded with an easy to configure default setup. Developers should therefore be aware that not all users will use production versions of software which need DNS in a jail. By all means provide it, but make life easy for us testers.
c) /var/lib/named owned by named: is wrong. This gives the named process more rights than needed.
Please read comment #8 again before you make another statement which sounds as if you've not read what I explained in comment #8.
I've used dynamic updates with BIND and these settings over many years. What comment #8 doesn't state directly or verbosely is:
Your zone definitions in named.conf have to reference /var/lib/named/dyn/ as the location to store the particular dynamic zone file. But for a person willing and able to handle BIND this must have been clear after what got written in comment #8.
If you still believe something is wrong with the default permissions of the directory created by the bind package please file a separate bug report.
--- Comment #16 from Lars Müller
--- Comment #17 from lynn wilson
Samba4 and DNS is still in alpha state. If you're not an experienced user, stay away from it and don't try to blame openSUSE and BIND for issues which are very likely caused by your misunderstanding.
DNS is a generic protocol. BIND implements this and is also known as the reference implementation.
Check the Samba wiki at https://wiki.samba.org/index.php/Samba4/HOWTO#Instructions_for_bind9_9.8.0_o... for the details. And what a surprise, even there only the actual dns.keytab file is owned by the user named.
All a user has to be able to achieve is to use the vendor's BIND default locations of files instead of trying to use /usr/local/samba/ as used in the Samba wiki. Even this might require advanced skills which an average user might not have.
Please consider others. You risk losing valuable alpha testers.
bind in the current state from my home repository got tested chrooted and non chrooted, and even switching between both setups works again as intended.
The only case not covered and not trivial to fix is when named is running and a user modifies the value of /etc/sysconfig/named:NAMED_RUN_CHROOTED. As the header of this setting has a '## ServiceRestart: lwresd,named' line, it's clear to YaST and a skilled user that a restart of the service is required.
@Björn: Please be this nice and test the current code and report back if it works for you. If that's the case I'll start the update work flow to get the fixed package published.
--- Comment #18 from Lars Müller
--- Comment #19 from Bjoern Jacke
--- Comment #20 from Bjoern Jacke
--- Comment #21 from Lars Müller
--- Comment #22 from Bjoern Jacke
--- Comment from Bjoern Jacke
--- Comment #23 from Lars Müller
--- Comment #24 from Lars Müller
--- Comment #25 from Lars Müller
--- Comment #26 from Marcus Meissner
--- Comment #27 from Lars Müller
--- Comment #28 from Lars Müller
--- Comment #29 from Benjamin Brunner
--- Comment #30 from Benjamin Brunner
--- Comment #31 from Swamp Workflow Management