[Bug 859298] New: dnsmasq launch as daemon fails (in or out of systemctl) status=3/NOTIMPLEMENTED
https://bugzilla.novell.com/show_bug.cgi?id=859298#c0

Summary: dnsmasq launch as daemon fails (in or out of systemctl) status=3/NOTIMPLEMENTED
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: david.bahi@emc.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1 Safari/537.73.11
bang-tan:~ # systemctl status dnsmasq
dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled)
  Drop-In: /run/systemd/generator/dnsmasq.service.d
           └─50-insserv.conf-$named.conf
   Active: failed (Result: exit-code) since Fri 2014-01-17 18:21:55 EST; 7min ago
  Process: 2776 ExecStart=/usr/sbin/dnsmasq --log-async --enable-dbus --keep-in-foreground (code=exited, status=3)
  Process: 2754 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 2776 (code=exited, status=3)
   CGroup: /system.slice/dnsmasq.service

Jan 17 18:21:55 bang-tan systemd[1]: Starting DNS caching server....
Jan 17 18:21:55 bang-tan dnsmasq[2754]: dnsmasq: syntax check OK.
Jan 17 18:21:55 bang-tan dnsmasq[2776]: TFTP directory /srv/tftpboot inaccessible: Permission denied
Jan 17 18:21:55 bang-tan systemd[1]: dnsmasq.service: main process exited, code=exited, status=3/NOTIMPLEMENTED
Jan 17 18:21:55 bang-tan systemd[1]: Failed to start DNS caching server..
Jan 17 18:21:55 bang-tan systemd[1]: Unit dnsmasq.service entered failed state.
or on the command line try it - fails the same way
bang-tan:~ # /usr/sbin/dnsmasq --log-async --enable-dbus --keep-in-foreground
bang-tan:~ # echo $?
3
but it works fine as long as it is not launched as a daemon
bang-tan:~ # /usr/sbin/dnsmasq --log-async --enable-dbus --keep-in-foreground -d &
[1] 4193
bang-tan:~ # dnsmasq: started, version 2.65 cachesize 2000
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack
dnsmasq: DBus support enabled: connected to system bus
dnsmasq: asynchronous logging enabled, queue limit is 5 messages
dnsmasq-tftp: TFTP root is /srv/tftpboot
dnsmasq: using local addresses only for domain sea.lab.emc.com
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 128.221.12.10#53
dnsmasq: using nameserver 10.254.66.24#53
dnsmasq: ignoring nameserver 10.6.154.11 - local interface
dnsmasq: using local addresses only for domain sea.lab.emc.com
dnsmasq: read /etc/hosts - 9 addresses
dnsmasq: read /etc/dnsmasq.hosts/wadet2_hosts - 21 addresses
dnsmasq: read /etc/dnsmasq.hosts/hosts_from_ldap - 417 addresses
...
Reproducible: Always

Steps to Reproduce:
1. zypper dup from 12.2 to 12.3 (it fails in 12.3 the same way)
2. then zypper dup from 12.3 to 13.1 (so we're current and all)
3. then notice dnsmasq still fails to launch as a daemon - scratch head - google - write bug

Actual Results:
tail of strace output of failure
...
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW}) = 0
prctl(PR_SET_KEEPCAPS, 1) = 0
setuid(105) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_NET_ADMIN|CAP_NET_RAW, CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
openat(AT_FDCWD, "/srv/tftpboot", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/usr/share/locale-langpack/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-bundle/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-bundle/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-bundle/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-bundle/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-bundle/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-bundle/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "\n", 1) = 1
write(2, "dnsmasq: ", 9) = 9
write(2, "TFTP directory /srv/tftpboot ina"..., 60) = 60
write(2, "\n", 1) = 1
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 14
fstat(14, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
fstat(14, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc343f10000
read(14, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 3519
lseek(14, -2252, SEEK_CUR) = 1267
read(14, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., 4096) = 2252
close(14) = 0
munmap(0x7fc343f10000, 4096) = 0
write(13, "<26>Jan 17 18:32:11 dnsmasq[4278"..., 95) = -1 ENOTCONN (Transport endpoint is not connected)
connect(13, {sa_family=AF_LOCAL, sun_path="/dev/log"}, 110) = 0
write(13, "<26>Jan 17 18:32:11 dnsmasq[4278"..., 95) = 95
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
write(13, "<26>Jan 17 18:32:11 dnsmasq[4278"..., 53) = 53
close(13) = 0
exit_group(3) = ?
+++ exited with 3 +++
Expected Results:
seems when daemonized it may be using another uid that doesn't have permission to read /srv/tftpboot (tftp service is handled by dnsmasq in our config)

perms on /srv/tftpboot default to 0750 I think - at least that's what we have...

thanks for looking into this.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=859298

Xiyuan Liu <xyliu@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xyliu@suse.com
         AssignedTo|bnc-team-screening@forge.pr |max@suse.com
                   |ovo.novell.com              |
https://bugzilla.novell.com/show_bug.cgi?id=859298#c1

Reinhard Max <max@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |coolo@suse.com,
                   |                            |crrodriguez@opensuse.org,
                   |                            |meissner@suse.com,
                   |                            |rmilasan@suse.com,
                   |                            |toganm@dinamizm.com,
                   |                            |vuntz@suse.com

--- Comment #1 from Reinhard Max <max@suse.com> 2014-02-11 12:02:43 CET ---
CC-ing all recent contributors to the dnsmasq package.

Can any of you tell me whether this dropping of supplementary groups is really needed, or if we can patch it out in order to get tftp to work?

The dnsmasq user is configured with tftp as a supplementary group, but dnsmasq explicitly drops all supplementary groups before switching to the dnsmasq user in daemon mode. The code for this was introduced in version 2002 as part of a bug fix, but it doesn't look to me like it was really needed to fix the problem at hand:

--- snip (CHANGELOG.archive) ---
release 1.7
	Fix a problem with cache not clearing properly on receipt of SIGHUP. Bug spotted by Sat Deshpande.
	In group-id changing code:
	1) Drop supplementary groups.
	2) Change gid before dropping root (patch from Soewono Effendi.)
	3) Change group to "dip" if it exists, to allow access to /etc/ppp/resolv.conf (suggestion from Jorg Sommer.)
--- snap ---

David, as a workaround you can change the group of /srv/tftpboot to dnsmasq.
https://bugzilla.novell.com/show_bug.cgi?id=859298#c2

--- Comment #2 from David Bahi <david.bahi@emc.com> 2014-02-21 14:21:30 UTC ---
thanks for looking into this and suggesting the work-around - will definitely use it for now.
https://bugzilla.novell.com/show_bug.cgi?id=859298#c3

--- Comment #3 from David Bahi <david.bahi@emc.com> 2014-02-21 14:24:29 UTC ---
nuts.

# chgrp dnsmasq /srv/tftpboot
chgrp: invalid group: dnsmasq
# grep dns /etc/group
tftp:!:105:dnsmasq,tftp
https://bugzilla.novell.com/show_bug.cgi?id=859298#c4

--- Comment #4 from Reinhard Max <max@suse.com> 2014-02-21 15:34:38 CET ---
Sorry, I mixed things up. There is no dnsmasq group and the dnsmasq user's primary group is "nogroup", which I think shouldn't be used for any files or directories. But making /srv/tftpboot owned by the dnsmasq user or making it world readable will do the trick.

I see no security implications by making it world readable, because when the tftp server is running the world can read it anyway.
https://bugzilla.novell.com/show_bug.cgi?id=859298#c5

--- Comment #5 from David Bahi <david.bahi@emc.com> 2014-02-21 14:43:09 UTC ---
work around is now good - owner now dnsmasq (for the extra hosts dir too) and all is well

Feb 21 09:41:20 bang-tan dnsmasq[119590]: cannot access directory /etc/dnsmasq.hosts: Permission denied

bang-tan:/export/isos/hwqual # chown dnsmasq /etc/dnsmasq.hosts
bang-tan:/export/isos/hwqual # service dnsmasq restart
bang-tan:/export/isos/hwqual # service dnsmasq status
dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled)
  Drop-In: /run/systemd/generator/dnsmasq.service.d
           `-50-insserv.conf-$named.conf
   Active: active (running) since Fri 2014-02-21 09:41:49 EST; 3s ago
  Process: 119616 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 119619 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           `-119619 /usr/sbin/dnsmasq --log-async --enable-dbus --keep-in-foreground

Feb 21 09:41:49 bang-tan dnsmasq[119619]: using local addresses only for domain sea.lab.emc.com
Feb 21 09:41:49 bang-tan dnsmasq[119619]: reading /etc/resolv.conf
Feb 21 09:41:49 bang-tan dnsmasq[119619]: using nameserver 128.221.12.10#53
Feb 21 09:41:49 bang-tan dnsmasq[119619]: using nameserver 10.254.66.24#53
Feb 21 09:41:49 bang-tan dnsmasq[119619]: ignoring nameserver 10.6.154.11 - local interface
Feb 21 09:41:49 bang-tan dnsmasq[119619]: using local addresses only for domain sea.lab.emc.com
Feb 21 09:41:49 bang-tan dnsmasq[119619]: read /etc/hosts - 9 addresses
Feb 21 09:41:49 bang-tan dnsmasq[119619]: read /etc/dnsmasq.hosts/wadet2_hosts - 21 addresses
Feb 21 09:41:49 bang-tan dnsmasq[119619]: read /etc/dnsmasq.hosts/hosts_from_ldap - 434 addresses
Feb 21 09:41:49 bang-tan dnsmasq[119619]: read /etc/dnsmasq.hosts/bahid-office-pcs - 1 addresses
https://bugzilla.novell.com/show_bug.cgi?id=859298#c6

Reinhard Max <max@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
                 CC|                            |vwallfahrer@suse.com
       InfoProvider|                            |meissner@suse.com

--- Comment #6 from Reinhard Max <max@suse.com> 2014-08-06 16:01:34 CEST ---
Marcus, can you help here to find out which solution is better from a security perspective?

* Change dnsmasq to not drop supplementary groups as outlined in comment #1.
* Drop the supplementary group from the dnsmasq package and make /srv/tftpboot world readable (0755). What's the point of the current 750 setting anyway?
https://bugzilla.novell.com/show_bug.cgi?id=859298#c8

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
       InfoProvider|meissner@suse.com           |

--- Comment #8 from Marcus Meissner <meissner@suse.com> 2014-08-27 14:25:55 UTC ---
I think the reason it might not be world readable is that it might also contain client configuration information like plaintext credentials.

I would try and make it keep the tftp group, or let it run with the tftp group by default (and skip "nogroup"?)
https://bugzilla.novell.com/show_bug.cgi?id=859298#c9

--- Comment #9 from Reinhard Max <max@suse.com> 2014-08-27 16:45:10 CEST ---
(In reply to comment #8)
> I think the reason it might not be world readable is that it might also
> contain client configuration information like plaintext credentials.

Well, but the files in the tftp directory are world readable through TFTP anyway. The other tftp server implementation that we ship (from the tftp package) even refuses to serve files that don't have the o+r bit set. See the SECURITY section in tftpd(8).

> I would try and make it keep the tftp group, [...]

Patching out the dropping of supplementary groups should be easy enough. But I still wonder why that "feature" was added in the first place, given that OS vendors and sysadmins usually add supplementary groups to a system user for a reason.
https://bugzilla.novell.com/show_bug.cgi?id=859298#c10

--- Comment #10 from Marcus Meissner <meissner@suse.com> 2014-08-27 14:53:26 UTC ---
The only protection would be against users on the machine that cannot sniff the network... although they could probably also do tftp to localhost.

that said I think we can make it 755. (adjust both tftp and dnsmasq as they share the directory).
https://bugzilla.novell.com/show_bug.cgi?id=859298#c11

Marcus Rückert <mrueckert@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mrueckert@suse.com

--- Comment #11 from Marcus Rückert <mrueckert@suse.com> 2014-08-27 15:22:17 UTC ---
1. i think the usage of nobody/nogroup needs to be fixed in any case.
2. we also still have atftp. so if you change anything test there as well.
https://bugzilla.novell.com/show_bug.cgi?id=859298#c12

--- Comment #12 from Marcus Rückert <mrueckert@suse.com> 2014-08-27 15:25:59 UTC ---
Marcus, correct me if I am wrong: while you could retrieve files if you know the path, tftp has no dirlisting, so you couldn't get the files where you don't know the path. So this would still be a valuable protection.
https://bugzilla.novell.com/show_bug.cgi?id=859298#c13

--- Comment #13 from Reinhard Max <max@suse.com> 2014-08-27 17:34:56 CEST ---
That's right, but OTOH the files served via TFTP often have names that are well known or at least predictable.
https://bugzilla.novell.com/show_bug.cgi?id=859298#c14

--- Comment #14 from Marcus Rückert <mrueckert@suse.com> 2014-08-28 11:13:40 UTC ---
still no excuse to make it full public
https://bugzilla.novell.com/show_bug.cgi?id=859298#c15

--- Comment #15 from Reinhard Max <max@suse.com> 2014-08-28 15:24:21 CEST ---
Looking at the source again, I realized that dnsmasq doesn't actually drop the dnsmasq user's supplementary groups. The group dropping happens before the user switch, so only the calling process's (i.e. root's) supplementary groups (if any) get dropped. Subsequently dnsmasq fails to initialize the supplementary groups of the target user before switching to it.

I'll change the setgroups() call into an initgroups() call, so that any existing supplementary groups get replaced by the ones the new user is member of.

While being there, shall I also change the dnsmasq user from nogroup to a newly created dnsmasq group?
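The mechanism behind comment #15, as an added worked example (not dnsmasq's code and not part of the bug report): a setgroups(0, NULL) before the uid switch only empties the caller's supplementary list, so the target user never inherits the groups /etc/group lists it in; initgroups() loads them. The block models the kernel's discretionary check against a constructed /etc/group and /etc/passwd (the tftp line is the one quoted in comment #3; the dnsmasq uid 105 matches the strace's setuid(105); the nogroup gid and passwd fields are assumed), shows why 0750 root:tftp on /srv/tftpboot fails without initgroups and passes with it, and ends with the real drop sequence a daemon should use, which needs root and is therefore not exercised automatically. Because dnsmasq keeps only CAP_NET_ADMIN|CAP_NET_RAW after the switch (second capset in the strace), there is no CAP_DAC_OVERRIDE to rescue a wrong mode.

```python
import os
import pwd

# Constructed sample databases (see the lead-in for which values come from the thread).
SAMPLE_GROUP = """\
root:x:0:
nogroup:x:65533:
tftp:!:105:dnsmasq,tftp
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dnsmasq:x:105:65533:dnsmasq:/var/lib/empty:/bin/false
"""

TFTP_GID = 105


def parse_passwd(text):
    """Map user name -> (uid, primary gid) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, *_rest = line.split(":")
            users[name] = (int(uid), int(gid))
    return users


def supplementary_groups(user, group_text):
    """What initgroups(user, gid) loads: gids of every group whose member list names user."""
    gids = set()
    for line in group_text.splitlines():
        if line and not line.startswith("#"):
            _name, _pw, gid, members = line.split(":", 3)
            if user in [m for m in members.split(",") if m]:
                gids.add(int(gid))
    return gids


def credentials_after_drop(user, passwd_text, group_text, use_initgroups):
    """Credentials a daemon ends up with after setuid(user).

    use_initgroups=False models setgroups(0, NULL) followed by setgid/setuid:
    the caller's supplementary list is emptied and nothing is loaded for user.
    use_initgroups=True models initgroups(user, gid) before the switch.
    """
    uid, gid = parse_passwd(passwd_text)[user]
    gids = {gid}
    if use_initgroups:
        gids |= supplementary_groups(user, group_text)
    return uid, gids


def can_open_directory(mode, owner_uid, owner_gid, uid, gids):
    """Discretionary check for openat(O_DIRECTORY): read and search bits, no CAP_DAC_OVERRIDE."""
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif owner_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & 0o5 == 0o5


def tftpboot_accessible(use_initgroups, mode=0o750, owner_uid=0, owner_gid=TFTP_GID):
    """Can the dnsmasq user open /srv/tftpboot with the given ownership and mode?"""
    uid, gids = credentials_after_drop("dnsmasq", SAMPLE_PASSWD, SAMPLE_GROUP, use_initgroups)
    return can_open_directory(mode, owner_uid, owner_gid, uid, gids)


def drop_privileges(user):
    """Real, irrevocable drop: initgroups -> setgid -> setuid, then verify. Requires root."""
    pw = pwd.getpwnam(user)
    os.initgroups(user, pw.pw_gid)   # replaces root's supplementary groups with user's
    os.setgid(pw.pw_gid)             # gid first, while CAP_SETGID is still available
    os.setuid(pw.pw_uid)             # last: after this no further credential changes
    if os.getuid() != pw.pw_uid or os.geteuid() != pw.pw_uid:
        raise RuntimeError("uid switch did not take effect")
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop was not irrevocable")
    return sorted(set(os.getgroups()) | {os.getgid()})


if __name__ == "__main__":
    for flag in (False, True):
        print("initgroups=%s 0750 root:tftp -> %s" % (flag, tftpboot_accessible(flag)))
    print("nogroup-only, 0755 ->", tftpboot_accessible(False, mode=0o755))
```

The three cases printed at the bottom are the three positions in the thread: the shipped behaviour (denied), the initgroups() fix from comment #15 (allowed while keeping 0750), and the 0755 alternative from comment #6 (allowed with no group membership at all).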
http://bugzilla.novell.com/show_bug.cgi?id=859298

--- Comment #16 from Novell Build <novell-provo-build@forge.provo.novell.com> ---
This fix is in the Novell Plan9 Virtual Appliance build 137. Source repository: lego revision: 2305.
http://bugzilla.novell.com/show_bug.cgi?id=859298#c19

--- Comment #19 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (859298) was mentioned in
https://build.opensuse.org/request/show/404054 Factory / dnsmasq