BIND 9.4.x vs 9.6.x - pid-file check and creation

Jan Arild Lindstrøm jal at telenor.net
Mon Jan 26 10:03:29 UTC 2009


At 10:29 26/01/2009, Mark Andrews wrote:

>In message <200901260800.n0Q80lkH017744 at mail49.nsc.no>, Jan Arild Lindstrøm writes:
>> 
>> Hi,
>> 
>> just to clarify that Solaris really is different from Linux:
>> 
>>         ns12(root) / 503# su - named
>>         Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
>>         -bash-3.00$ ls -la /var/run/named/
>>         total 80
>>         drwxr-s---   4 named    named        307 Jan 26 08:22 .
>>         drwxr-xr-x   7 root     sys         1285 Jan 26 00:52 ..
>>         -rw-r--r--   1 named    named          6 Jan 26 06:41 named.pid
>>         -bash-3.00$ mkdir /var/run/named
>>         mkdir: Failed to make directory "/var/run/named"; Permission denied
>> 
>>         dns-nms(root) ~ 1003# su - named
>>         -bash-3.1$ uname -sr
>>         Linux 2.6.18-53.1.13.el5
>>         (reverse-i-search)`':
>> 
>>         -bash-3.1$ ls -la /var/run/named/
>>         total 20
>>         drwxr-s---  3 named named 4096 Jan 26 08:48 .
>>         drwxr-sr-x 24 root  root    4096 Jan 26 08:22 ..
>>         -rw-r--r--  1 named named    6 Jan 26 08:48 named.pid
>>         -bash-3.1$ mkdir /var/run/named
>>         mkdir: cannot create directory `/var/run/named': File exists
>> 
>> That is, when the directory exists and is fully writable on Solaris 10, you
>> still get "Permission denied", while on Linux you get "File exists".
>> 
>> I'd say Solaris 10 first checks if the user has permissions to create the
>> directory before it checks if it exists.
>> 
>> So I would say the code for creating the pid-file has been changed between
>> 9.4.3 and 9.6.0-P1, and that a bug has been introduced on Solaris.
>
>        It was changed as part of this change.
>
>2486.   [func]          The default locations for named.pid and lwresd.pid
>                        are now /var/run/named/named.pid and
>                        /var/run/lwresd/lwresd.pid respectively.
>
>                        This allows the owner of the containing directory
>                        to be set, for "named -u" support, and allows there
>                        to be a permanent symbolic link in the path, for
>                        "named -t" support.  [RT #18306]

We have always used /var/run/named and "-u named", so that is not the problem
here. The problem is just that checking for /var/run/named/ with mkdir does not return
the wanted result on Solaris.

Case:
        Solaris 10

        /var/run owned by root:sys
        /var/run/named owned by named:named

        su - named
        mkdir /var/run/named
        -> Permission denied, EACCES

        And not EEXIST like on Linux.

Solaris seems to check the permissions first, and named of course does not have permission
to create anything below /var/run. And /var/run/named already exists and has the correct
owner and permissions (named:named).



>> Regards
>> Jan Arild Lindstrøm
>> 
>> 
>> 
>> At 08:42 26/01/2009, Jan Arild Lindstrøm wrote:
>> 
>> >Hi,
>> >
>> >I was going to upgrade from BIND 9.4.3 to BIND 9.6.0-P1, but ran into a
>> >strange "bug" in BIND 9.6.0-P1.
>> >
>> >Exact same config for 9.4.3 and 9.6.0-P1, only added "new" to files that
>> >are written to (namednew.log, confignew.log and namednew.pid).
>> >
>> >OS: Solaris 10.
>> >
>> >Using:
>> >        pid-file "/var/run/named/namednew.pid";
>> >
>> >.. result in the following:
>> >
>> >namednew.log:
>> >26-Jan-2009 08:14:22.723 general: couldn't mkdir /var/run/named/namednew.pid': Permission denied
>> >26-Jan-2009 08:14:22.728 general: exiting (due to early fatal error)
>> >
>> >BIND 9.6.0-P1 truss.out:
>> >--CUT--
>> >25123/65:       stat("/dev/urandom", 0xFFFFFFFF79D0FA00)        = 0
>> >25123/65:       open("/dev/urandom", O_RDONLY|O_NONBLOCK)       = 9
>> >25123/65:       fcntl(9, F_GETFL)                               = 8320
>> >25123/65:       fcntl(9, F_SETFL, FOFFMAX|FNONBLOCK)            = 0
>> >25123/65:       setgid(21)                                      = 0
>> >25123/65:       setuid(21)                                      = 0
>> >25123/65:       access(".", W_OK)                               = 0
>> >25123/65:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >25123/65:       lseek(10, 0, SEEK_END)                          = 332
>> >25123/65:       close(10)                                       = 0
>> >25123/65:       open("/var/log/confignew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >25123/65:       lseek(10, 0, SEEK_END)                          = 0
>> >25123/65:       close(10)                                       = 0
>> >25123/65:       mkdir("/var/run/named", 0755)                   Err#13 EACCES [ALL]
>> >25123/65:       stat("/var/log/namednew.log", 0xFFFFFFFF79D0F3C0) = 0
>> >25123/65:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >25123/65:       lseek(10, 0, SEEK_END)                          = 332
>> >25123/65:       fstat(10, 0xFFFFFFFF79D0E540)                   = 0
>> >25123/65:       fstat(10, 0xFFFFFFFF79D0E410)                   = 0
>> >25123/65:       ioctl(10, TCGETA, 0xFFFFFFFF79D0E47C)           Err#25 ENOTTY
>> >25123/65:       write(10, 0x10502E754, 97)                      = 97
>> >25123/65:          2 6 - J a n - 2 0 0 9   0 8 : 1 4 : 2 2 . 7 2 3   g e n e r a l
>> >25123/65:          :   c o u l d n ' t   m k d i r   / v a r / r u n / n a m e d /
>> >25123/65:          n a m e d n e w . p i d ' :   P e r m i s s i o n   d e n i e d
>> >25123/65:         \n
>> >25123/65:       write(10, 0x10502E754, 69)                      = 69
>> >25123/65:          2 6 - J a n - 2 0 0 9   0 8 : 1 4 : 2 2 . 7 2 8   g e n e r a l
>> >25123/65:          :   e x i t i n g   ( d u e   t o   e a r l y   f a t a l   e r
>> >25123/65:          r o r )\n
>> >25123/65:       _exit(1)
>> >
>> >It fails because it tries to just create the /var/run/named directory instead
>> >of checking if the directory exists and if it can write to it.
>> >
>> >ns12(root) named 515# ls -la /var/run/named
>> >total 40
>> >drwxr-s---    4 named    named         307 Jan 26 06:51 ./
>> >drwxr-xr-x    7 root     sys          1285 Jan 26 00:52 ../
>> >-rw-r--r--    1 named    named           6 Jan 26 06:41 named.pid
>> >
>> >So /var/run/named exists and is fully writable by user named.
>> >
>> >User "named" should of course not be able to create directories below
>> >"/var/run". Especially since many other things on Solaris 10 use that
>> >directory also.
>> >
>> >
>> >If I use:
>> >        pid-file "/var/run/named/named/namednew.pid";
>> >
>> >... everything works fine, since it now can run mkdir without getting "EACCES".
>> >Instead it gets "EEXIST" and is OK with that.
>> >
>> >BIND 9.6.0-P1 truss.out:
>> >--CUT--
>> >25404/65:       stat("/dev/urandom", 0xFFFFFFFF79D0FA00)        = 0
>> >25404/65:       open("/dev/urandom", O_RDONLY|O_NONBLOCK)       = 9
>> >25404/65:       fcntl(9, F_GETFL)                               = 8320
>> >25404/65:       fcntl(9, F_SETFL, FOFFMAX|FNONBLOCK)            = 0
>> >25404/65:       setgid(21)                                      = 0
>> >25404/65:       setuid(21)                                      = 0
>> >25404/65:       access(".", W_OK)                               = 0
>> >25404/65:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >25404/65:       lseek(10, 0, SEEK_END)                          = 498
>> >25404/65:       close(10)                                       = 0
>> >25404/65:       open("/var/log/confignew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >25404/65:       lseek(10, 0, SEEK_END)                          = 0
>> >25404/65:       close(10)                                       = 0
>> >25404/65:       mkdir("/var/run/named/named", 0755)             Err#17 EEXIST
>> >25404/65:       stat("/var/run/named/named/namednew.pid", 0xFFFFFFFF79D0F980) Err#2 ENOENT
>> >25404/65:       unlink("/var/run/named/named/namednew.pid")     Err#2 ENOENT
>> >25404/65:       open("/var/run/named/named/namednew.pid", O_WRONLY|O_CREAT|O_EXCL, 0644) = 10
>> >25404/65:       fcntl(10, F_GETFD, 0x000001A4)                  = 0
>> >25404/65:       getpid()                                        = 25404 [25403]
>> >25404/65:       fstat(10, 0xFFFFFFFF79D0E9D0)                   = 0
>> >25404/65:       fstat(10, 0xFFFFFFFF79D0E8A0)                   = 0
>> >25404/65:       ioctl(10, TCGETA, 0xFFFFFFFF79D0E90C)           Err#25 ENOTTY
>> >25404/65:       write(10, " 2 5 4 0 4\n", 6)                    = 6
>> >25404/65:       close(10)                                       = 0
>> >--CUT--
>> >
>> >
>> >Trussing 9.4.3 I see that it does it differently:
>> >
>> >--CUT--
>> >25730/10:       access(".", W_OK)                               = 0
>> >25730/10:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >25730/10:       lseek(10, 0, SEEK_END)                          = 2625
>> >25730/10:       close(10)                                       = 0
>> >25730/10:       open("/var/log/confignew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >25730/10:       lseek(10, 0, SEEK_END)                          = 0
>> >25730/10:       close(10)                                       = 0
>> >25730/10:       stat("/var/run/named/namednew.pid", 0xFFFFFFFF7D90F660) Err#2 ENOENT
>> >25730/10:       unlink("/var/run/named/namednew.pid")           Err#2 ENOENT
>> >25730/10:       open("/var/run/named/namednew.pid", O_WRONLY|O_CREAT|O_EXCL, 0644) = 10
>> >25730/10:       fcntl(10, F_GETFD, 0x000001A4)                  = 0
>> >25730/10:       getpid()                                        = 25730 [25729]
>> >25730/10:       fstat(10, 0xFFFFFFFF7D90E6B0)                   = 0
>> >25730/10:       fstat(10, 0xFFFFFFFF7D90E580)                   = 0
>> >25730/10:       ioctl(10, TCGETA, 0xFFFFFFFF7D90E5EC)           Err#25 ENOTTY
>> >25730/10:       write(10, " 2 5 7 3 0\n", 6)                    = 6
>> >--CUT--
>> >
>> >
>> >It seems that someone has "shorted" the code to create and/or check the pid-file.
>> >
>> >Maybe that "shortcut" will work on Linux, but it for sure does not work on Solaris 10.
>> >
>> >Having to use .../named/named/... in the pid-file option is of course possible, but I
>> >guess that it is not the way it is supposed to be...(?)...
>> >
>> >Help? Ideas?
>> >
>> >Regards
>> >Jan Arild Lindstrøm
>> >
>> >_______________________________________________
>> >bind-users mailing list
>> >bind-users at lists.isc.org
>> >https://lists.isc.org/mailman/listinfo/bind-users
>> 
>-- 
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org


Regards
Jan Arild Lindstrøm
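
The check the message above asks for, sketched in C as an added example (it is not BIND's code and not part of the original thread): on any mkdir() failure, stat() the path and accept an existing, writable directory. The names `mkdir_eacces_first`, `ensure_dir_naive` and `ensure_dir` are hypothetical, and `/tmp` stands in for `/var/run/named`.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*mkdir_fn)(const char *, mode_t);

/* Constructed stand-in for the Solaris 10 behaviour in the truss output:
 * the parent's permissions are checked first, so mkdir() fails with
 * EACCES even when the directory already exists. */
static int mkdir_eacces_first(const char *path, mode_t mode) {
    (void)path; (void)mode;
    errno = EACCES;
    return -1;
}

/* Naive check: only EEXIST is accepted as "already there". */
static int ensure_dir_naive(mkdir_fn mk, const char *path) {
    return (mk(path, 0755) == 0 || errno == EEXIST) ? 0 : -1;
}

/* Portable check: on any mkdir() failure ask stat() what is really at the
 * path, then require write and search access for the current user. */
static int ensure_dir(mkdir_fn mk, const char *path) {
    struct stat sb;
    int saved;

    if (mk(path, 0755) == 0)
        return 0;
    saved = errno;
    if (stat(path, &sb) != 0) {      /* nothing there: keep mkdir's errno */
        errno = saved;
        return -1;
    }
    if (!S_ISDIR(sb.st_mode)) {      /* a non-directory is in the way */
        errno = ENOTDIR;
        return -1;
    }
    return access(path, W_OK | X_OK); /* -1 with errno set if unusable */
}

int main(void) {
    const char *dir = "/tmp";        /* assumed: exists and is writable */
    printf("naive=%d portable=%d\n",
           ensure_dir_naive(mkdir_eacces_first, dir),
           ensure_dir(mkdir_eacces_first, dir));
    return 0;
}
```

Passing the real `mkdir` as the first argument gives the same result on systems that return EEXIST, so one code path covers both orderings of the kernel's checks.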



