BIND 9.4.x vs 9.6.x - pid-file check and creation

Jan Arild Lindstrøm jal at telenor.net
Mon Jan 26 09:55:46 UTC 2009


At 09:33 26/01/2009, Mark Andrews wrote:

>In message <200901260742.n0Q7gJqN029792 at mail46.nsc.no>, Jan Arild Lindstrøm writes:
>> 
>> Hi,
>> 
>> I was going to upgrade from BIND 9.4.3 to BIND 9.6.0-P1, but ran into a
>> strange "bug" in BIND 9.6.0-P1.
>> 
>> Exact same config for 9.4.3 and 9.6.0-P1, only added "new" to files that
>> are written to (namednew.log, confignew.log and namednew.pid).
>> 
>> OS: Solaris 10.
>> 
>> Using:
>>         pid-file "/var/run/named/namednew.pid";
>> 
>> .. result in the following:
>> 
>> namednew.log:
>> 26-Jan-2009 08:14:22.723 general: couldn't mkdir /var/run/named/namednew.pid': Permission denied
>> 26-Jan-2009 08:14:22.728 general: exiting (due to early fatal error)
>
>        The log message should say couldn't mkdir /var/run/named.
>        The wrong path is being logged.
>
>        You either need to create /var/run/named with appropriate
>        permissions so that named can write to it or change /var/run's

It does exist, as you can see from the "ls" output I included. And "named" is
owner of it and hence has full permissions on it (/var/run/named/).

Problem is that Solaris returns EACCES and not EEXIST. So just running mkdir 
to check if a directory exists does not work on Solaris. One gets an EACCES and the 
code fails.

>        permissions so that named can create /var/run/named.
>
>        Named will continue if mkdir(/var/run/named) returns EEXIST.

Which it will not on Solaris if you do not have the perm to create it, even though it 
exists and you have full perm on it.

?

> 
>        Mark
>
>        /*
>         * Make the containing directory if it doesn't exist.
>         */
>        slash = strrchr(pidfile, '/');
>        if (slash != NULL && slash != pidfile) {
>                *slash = '\0';
>                mode = S_IRUSR | S_IWUSR | S_IXUSR;     /* u=rwx */
>                mode |= S_IRGRP | S_IXGRP;              /* g=rx */
>                mode |= S_IROTH | S_IXOTH;              /* o=rx */
>                n = mkdir(pidfile, mode);
>                if (n == -1 && errno != EEXIST) {
>                        isc__strerror(errno, strbuf, sizeof(strbuf));
>                        (*report)("couldn't mkdir %s': %s", filename,
>                                  strbuf);
>                        free(pidfile);
>                        pidfile = NULL;
>                        return;
>                }
>                *slash = '/';
>        }
>
>> BIND 9.6.0-P1 truss.out:
>> --CUT--
>> 25123/65:       stat("/dev/urandom", 0xFFFFFFFF79D0FA00)        = 0
>> 25123/65:       open("/dev/urandom", O_RDONLY|O_NONBLOCK)       = 9
>> 25123/65:       fcntl(9, F_GETFL)                               = 8320
>> 25123/65:       fcntl(9, F_SETFL, FOFFMAX|FNONBLOCK)            = 0
>> 25123/65:       setgid(21)                                      = 0
>> 25123/65:       setuid(21)                                      = 0
>> 25123/65:       access(".", W_OK)                               = 0
>> 25123/65:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> 25123/65:       lseek(10, 0, SEEK_END)                          = 332
>> 25123/65:       close(10)                                       = 0
>> 25123/65:       open("/var/log/confignew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> 25123/65:       lseek(10, 0, SEEK_END)                          = 0
>> 25123/65:       close(10)                                       = 0
>> 25123/65:       mkdir("/var/run/named", 0755)                   Err#13 EACCES [ALL]
>> 25123/65:       stat("/var/log/namednew.log", 0xFFFFFFFF79D0F3C0) = 0
>> 25123/65:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> 25123/65:       lseek(10, 0, SEEK_END)                          = 332
>> 25123/65:       fstat(10, 0xFFFFFFFF79D0E540)                   = 0
>> 25123/65:       fstat(10, 0xFFFFFFFF79D0E410)                   = 0
>> 25123/65:       ioctl(10, TCGETA, 0xFFFFFFFF79D0E47C)           Err#25 ENOTTY
>> 25123/65:       write(10, 0x10502E754, 97)                      = 97
>> 25123/65:          2 6 - J a n - 2 0 0 9   0 8 : 1 4 : 2 2 . 7 2 3   g e n e r a l
>> 25123/65:          :   c o u l d n ' t   m k d i r   / v a r / r u n / n a m e d /
>> 25123/65:          n a m e d n e w . p i d ' :   P e r m i s s i o n   d e n i e d
>> 25123/65:         \n
>> 25123/65:       write(10, 0x10502E754, 69)                      = 69
>> 25123/65:          2 6 - J a n - 2 0 0 9   0 8 : 1 4 : 2 2 . 7 2 8   g e n e r a l
>> 25123/65:          :   e x i t i n g   ( d u e   t o   e a r l y   f a t a l   e r
>> 25123/65:          r o r )\n
>> 25123/65:       _exit(1)
>> 
>> It fails because it tries to just create the /var/run/named directory instead
>> of checking if the directory exists and if it can write to it.
>> 
>> 
>> ns12(root) named 515# ls -la /var/run/named
>> total 40
>> drwxr-s---    4 named    named         307 Jan 26 06:51 ./
>> drwxr-xr-x    7 root     sys          1285 Jan 26 00:52 ../
>> -rw-r--r--    1 named    named           6 Jan 26 06:41 named.pid
>> 
>> So /var/run/named exists and is fully writable by user named.
>> 
>> User "named" should of course not be able to create directories below
>> "/var/run". Especially since many other things on Solaris 10 use that
>> directory also.
>> 
>> 
>> If I use:
>>       pid-file "/var/run/named/named/namednew.pid";
>> 
>> ... everything works fine, since it now can run mkdir without getting "EACCES".
>> Instead it gets "EEXIST" and is OK with that.
>> 
>> BIND 9.6.0-P1 truss.out:
>> --CUT--
>> 25404/65:       stat("/dev/urandom", 0xFFFFFFFF79D0FA00)        = 0
>> 25404/65:       open("/dev/urandom", O_RDONLY|O_NONBLOCK)       = 9
>> 25404/65:       fcntl(9, F_GETFL)                               = 8320
>> 25404/65:       fcntl(9, F_SETFL, FOFFMAX|FNONBLOCK)            = 0
>> 25404/65:       setgid(21)                                      = 0
>> 25404/65:       setuid(21)                                      = 0
>> 25404/65:       access(".", W_OK)                               = 0
>> 25404/65:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> 25404/65:       lseek(10, 0, SEEK_END)                          = 498
>> 25404/65:       close(10)                                       = 0
>> 25404/65:       open("/var/log/confignew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> 25404/65:       lseek(10, 0, SEEK_END)                          = 0
>> 25404/65:       close(10)                                       = 0
>> 25404/65:       mkdir("/var/run/named/named", 0755)             Err#17 EEXIST
>> 25404/65:       stat("/var/run/named/named/namednew.pid", 0xFFFFFFFF79D0F980) Err#2 ENOENT
>> 25404/65:       unlink("/var/run/named/named/namednew.pid")     Err#2 ENOENT
>> 25404/65:       open("/var/run/named/named/namednew.pid", O_WRONLY|O_CREAT|O_EXCL, 0644) = 10
>> 25404/65:       fcntl(10, F_GETFD, 0x000001A4)                  = 0
>> 25404/65:       getpid()                                        = 25404 [25403]
>> 25404/65:       fstat(10, 0xFFFFFFFF79D0E9D0)                   = 0
>> 25404/65:       fstat(10, 0xFFFFFFFF79D0E8A0)                   = 0
>> 25404/65:       ioctl(10, TCGETA, 0xFFFFFFFF79D0E90C)           Err#25 ENOTTY
>> 25404/65:       write(10, " 2 5 4 0 4\n", 6)                    = 6
>> 25404/65:       close(10)                                       = 0
>> --CUT--
>> 
>> 
>> Trussing 9.4.3 I see that it does it differently:
>> 
>> --CUT--
>> 25730/10:       access(".", W_OK)                               = 0
>> 25730/10:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> 25730/10:       lseek(10, 0, SEEK_END)                          = 2625
>> 25730/10:       close(10)                                       = 0
>> 25730/10:       open("/var/log/confignew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> 25730/10:       lseek(10, 0, SEEK_END)                          = 0
>> 25730/10:       close(10)                                       = 0
>> 25730/10:       stat("/var/run/named/namednew.pid", 0xFFFFFFFF7D90F660) Err#2 ENOENT
>> 25730/10:       unlink("/var/run/named/namednew.pid")           Err#2 ENOENT
>> 25730/10:       open("/var/run/named/namednew.pid", O_WRONLY|O_CREAT|O_EXCL, 0644) = 10
>> 25730/10:       fcntl(10, F_GETFD, 0x000001A4)                  = 0
>> 25730/10:       getpid()                                        = 25730 [25729]
>> 25730/10:       fstat(10, 0xFFFFFFFF7D90E6B0)                   = 0
>> 25730/10:       fstat(10, 0xFFFFFFFF7D90E580)                   = 0
>> 25730/10:       ioctl(10, TCGETA, 0xFFFFFFFF7D90E5EC)           Err#25 ENOTTY
>> 25730/10:       write(10, " 2 5 7 3 0\n", 6)                    = 6
>> --CUT--
>> 
>> 
>> It seems that someone has "shorted" the code to create and/or check the pid-file.
>> 
>> Maybe that "shortcut" will work on Linux, but it for sure does not work on
>> Solaris 10.
>> 
>> Having to use .../named/named/... in the pid-file option is of course possible, but I
>> guess that it is not the way it is supposed to be...(?)...
>> 
>> Help? Ideas?
>> 
>> Regards
>> Jan Arild Lindstrøm
>> 
>-- 
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

Regards
Jan Arild Lindstrøm



