BIND 9.4.x vs 9.6.x - pid-file check and creation

Jan Arild Lindstrøm jal at telenor.net
Tue Jan 27 06:37:36 UTC 2009


At 22:41 26/01/2009, Mark Andrews wrote:

>In message <200901260955.n0Q9tnVm010781 at mail43.nsc.no>, Jan Arild Lindstrøm writes:
>> At 09:33 26/01/2009, Mark Andrews wrote:
>> 
>> >In message <200901260742.n0Q7gJqN029792 at mail46.nsc.no>, Jan Arild Lindstrøm writes:
>> >>
>> >> Hi,
>> >>
>> >> I was going to upgrade from BIND 9.4.3 to BIND 9.6.0-P1, but ran into a
>> >> strange "bug" in BIND 9.6.0-P1.
>> >>
>> >> Exact same config for 9.4.3 and 9.6.0-P1, only added "new" to files that
>> >> are written to (namednew.log, confignew.log and namednew.pid).
>> >>
>> >> OS: Solaris 10.
>> >>
>> >> Using:
>> >>         pid-file "/var/run/named/namednew.pid";
>> >>
>> >> .. results in the following:
>> >>
>> >> namednew.log:
>> >> 26-Jan-2009 08:14:22.723 general: couldn't mkdir /var/run/named/namednew.pid': Permission denied
>> >> 26-Jan-2009 08:14:22.728 general: exiting (due to early fatal error)
>> >
>> >        The log message should say couldn't mkdir /var/run/named.
>> >        The wrong path is being logged.
>> >
>> >        You either need to create /var/run/named with appropriate
>> >        permissions so that named can write to it or change /var/run's
>> 
>> It does exist, as you can see from the "ls" output I included. And "named" is
>> the owner of it and hence has full permissions on it (/var/run/named/).
>> 
>> Problem is that Solaris returns EACCES and not EEXIST. So just running mkdir
>> to check if a directory exists does not work on Solaris. One gets an EACCES
>> and the code fails.
>
>        What are all of the permissions involved as it should work
>        as demonstrated by the test below.
>
>thing1:marka 21:31 {109} % mkdir /foo
>mkdir: Failed to make directory "/foo"; Permission denied
>thing1:marka 21:31 {110} % mkdir /tmp
>mkdir: Failed to make directory "/tmp"; File exists
>thing1:marka 21:31 {111} % uname -a
>SunOS thing1 5.10 Generic_120011-14 sun4u sparc SUNW,Ultra-80
>thing1:marka 21:33 {112} % 
>
>        e.g.
>
>                ls -ld / /var /var/run /var/run/named



SunOS ns10.nsc.no 5.10 Generic_137111-07 sun4v sparc SUNW,Sun-Fire-T200

-bash-3.00$ id
uid=21(named) gid=21(named)


-bash-3.00$ ls -ld / /var /var/run /var/run/named /var/run/named-test 
drwxr-sr-x  32 root     root        1024 Jan 27 07:07 /
drwxr-xr-x  47 root     sys         1024 Jul 21  2008 /var
drwxr-sr-x   8 root     root        1216 Jan 27 07:07 /var/run
drwxr-s---   3 named    named        245 Jan 26 14:44 /var/run/named
drwxrwsr-x   2 root     root         117 Jan 27 07:07 /var/run/named-test

-bash-3.00$ mkdir / /var /var/run /var/run/named /var/run/named-test
mkdir: Failed to make directory "/"; File exists
mkdir: Failed to make directory "/var"; File exists
mkdir: Failed to make directory "/var/run"; File exists
mkdir: Failed to make directory "/var/run/named"; Permission denied
mkdir: Failed to make directory "/var/run/named-test"; Permission denied

I added /var/run/named-test as a test with root:root as owner.

This is strange.

ns10(root) run 509# getfacl /var  
# file: /var
# owner: root
# group: sys
user::rwx
group::r-x              #effective:r-x
mask:r-x
other:r-x

ns10(root) run 510# getfacl /var/run 
# file: /var/run
# owner: root
# group: root
user::rwx
group::r-x              #effective:r-x
mask:rwx
other:r-x

ns10(root) run 511# getfacl /var/run/named
# file: /var/run/named
# owner: named
# group: named
user::rwx
group::r-x              #effective:r-x
mask:rwx
other:---

Same thing happens on a "new" Solaris 10 also, where I just created the
directory:

        tproxy(root) / 499# mkdir /var/run/named             

        tproxy(root) / 505# su - named
        Sun Microsystems Inc.   SunOS 5.10      Generic January 2005

        -bash-3.00$ ls -ld / /var /var/run /var/run/named 
        drwxr-sr-x  33 root     root        1536 Jan 27 07:14 /
        drwxr-xr-x  30 root     sys          512 Dec  2 15:59 /var
        drwxr-xr-x   8 root     sys         1374 Jan 27 07:14 /var/run
        drwxrwxr-x   2 root     root         117 Jan 27 07:14 /var/run/named

        -bash-3.00$ 
        -bash-3.00$ mkdir / /var /var/run /var/run/named
        mkdir: Failed to make directory "/"; File exists
        mkdir: Failed to make directory "/var"; File exists
        mkdir: Failed to make directory "/var/run"; File exists
        mkdir: Failed to make directory "/var/run/named"; Permission denied

It happens on Solaris 9 also:

        safe(root) jal 1225# mkdir /var/run/named             

        safe(root) jal 1226# su - named
        Sun Microsystems Inc.   SunOS 5.9       Generic May 2002

        -bash-3.00$ ls -ld / /var /var/run /var/run/named
        drwxr-sr-x  88 root     root        3072 Jan 27 07:14 /
        drwxr-xr-x  39 root     sys         1024 Oct 14 10:34 /var
        drwxr-sr-x   8 root     root        1304 Jan 27 07:18 /var/run
        drwxr-sr-x   2 root     root         117 Jan 27 07:18 /var/run/named

        -bash-3.00$ mkdir / /var /var/run /var/run/named
        mkdir: Failed to make directory ""; No such file or directory
        mkdir: Failed to make directory "/var"; File exists
        mkdir: Failed to make directory "/var/run"; File exists
        mkdir: Failed to make directory "/var/run/named"; Permission denied

I'd guess this is because of the following:

        swap                   14G   14M   14G   1% /tmp
        swap                   14G  5.5M   14G   1% /var/run

/var/run is swap/memory on all Solaris servers (SunOS 5.8 and newer).

More tests on Solaris 10:

As root:
ns10(root) run 514# mkdir /tmp/testdir
ns10(root) run 515# mkdir /tmp/testdir/testdir2
ns10(root) run 516# mkdir /tmp/testdir/testdir2/testdir3
ns10(root) run 517# mkdir /tmp/testdir/testdir2/testdir3/testdir4

As named:
-bash-3.00$ ls -ld / /tmp /tmp/testdir /tmp/testdir/testdir2 /tmp/testdir/testdir2/testdir3 /tmp/testdir/testdir2/testdir3/testdir4
drwxr-sr-x  32 root     root        1024 Jan 27 07:07 /
drwxrwxrwt   5 root     sys          510 Jan 27 07:26 /tmp
drwxrwxr-x   3 root     root         182 Jan 27 07:25 /tmp/testdir
drwxrwxr-x   3 root     root         182 Jan 27 07:25 /tmp/testdir/testdir2
drwxrwxr-x   3 root     root         182 Jan 27 07:25 /tmp/testdir/testdir2/testdir3
drwxrwxr-x   2 root     root         117 Jan 27 07:25 /tmp/testdir/testdir2/testdir3/testdir4

-bash-3.00$ mkdir / /tmp /tmp/testdir /tmp/testdir/testdir2 /tmp/testdir/testdir2/testdir3 /tmp/testdir/testdir2/testdir3/testdir4
mkdir: Failed to make directory "/"; File exists
mkdir: Failed to make directory "/tmp"; File exists
mkdir: Failed to make directory "/tmp/testdir"; File exists
mkdir: Failed to make directory "/tmp/testdir/testdir2"; Permission denied
mkdir: Failed to make directory "/tmp/testdir/testdir2/testdir3"; Permission denied
mkdir: Failed to make directory "/tmp/testdir/testdir2/testdir3/testdir4"; Permission denied

As my own user:
-bash-3.00$ mkdir / /tmp /tmp/testdir /tmp/testdir/testdir2 /tmp/testdir/testdir2/testdir3 /tmp/testdir/testdir2/testdir3/testdir4
mkdir: Failed to make directory "/"; File exists
mkdir: Failed to make directory "/tmp"; File exists
mkdir: Failed to make directory "/tmp/testdir"; File exists
mkdir: Failed to make directory "/tmp/testdir/testdir2"; Permission denied
mkdir: Failed to make directory "/tmp/testdir/testdir2/testdir3"; Permission denied
mkdir: Failed to make directory "/tmp/testdir/testdir2/testdir3/testdir4"; Permission denied

As root it is OK, I get "exists" all the way:

ns10(root) run 519# mkdir /tmp/testdir /tmp/testdir/testdir2 /tmp/testdir/testdir2/testdir3 /tmp/testdir/testdir2/testdir3/testdir4
mkdir: cannot create directory `/tmp/testdir': File exists
mkdir: cannot create directory `/tmp/testdir/testdir2': File exists
mkdir: cannot create directory `/tmp/testdir/testdir2/testdir3': File exists
mkdir: cannot create directory `/tmp/testdir/testdir2/testdir3/testdir4': File exists

If I do the following as root:
chmod a+w /tmp/testdir /tmp/testdir/testdir2 /tmp/testdir/testdir2/testdir3 /tmp/testdir/testdir2/testdir3/testdir4

And then as named:
-bash-3.00$ mkdir / /tmp /tmp/testdir /tmp/testdir/testdir2 /tmp/testdir/testdir2/testdir3 /tmp/testdir/testdir2/testdir3/testdir4
mkdir: Failed to make directory "/"; File exists
mkdir: Failed to make directory "/tmp"; File exists
mkdir: Failed to make directory "/tmp/testdir"; File exists
mkdir: Failed to make directory "/tmp/testdir/testdir2"; File exists
mkdir: Failed to make directory "/tmp/testdir/testdir2/testdir3"; File exists
mkdir: Failed to make directory "/tmp/testdir/testdir2/testdir3/testdir4"; File exists

I get exists all the way, but then again one does not want it to be world writable. Neither does
one want named as owner and/or group on /var/run to fix it on the OS side.

On a "normal" directory (not swap/memory), one gets exists all the way:
-bash-3.00$ ls -ld / /local /local/gnu /local/gnu/man /local/gnu/man/man1 /local/gnu/man/man1/bash.1 
drwxr-sr-x  32 root     root        1024 Jan 27 07:07 /
drwxr-sr-x  35 root     root        1024 Jan 27 01:32 /local
drwxr-sr-x  19 root     root         512 Sep 11  2006 /local/gnu
drwxr-sr-x  10 root     root         512 Jul 23  2008 /local/gnu/man
drwxr-sr-x   2 root     root        4608 Jul 22  2008 /local/gnu/man/man1
-rw-r--r--   1 root     root      243808 Jul 22  2008 /local/gnu/man/man1/bash.1

-bash-3.00$ mkdir / /local /local/gnu /local/gnu/man /local/gnu/man/man1 /local/gnu/man/man1/bash.1 
mkdir: Failed to make directory "/"; File exists
mkdir: Failed to make directory "/local"; File exists
mkdir: Failed to make directory "/local/gnu"; File exists
mkdir: Failed to make directory "/local/gnu/man"; File exists
mkdir: Failed to make directory "/local/gnu/man/man1"; File exists
mkdir: Failed to make directory "/local/gnu/man/man1/bash.1"; File exists

So /var/run (and /tmp) being swap/memory must be the root cause of the behaviour .. (?)



>        Mark
> 
>> >        permissions so that named can create /var/run/named.
>> >
>> >        Named will continue if mkdir(/var/run/named) returns EEXIST.
>> 
>> Which it will not on Solaris if you do not have the perm to create it, even though it
>> exists and you have full perm on it.
>> 
>> ?
>> 
>> >
>> >        Mark
>> >
>> >        /*
>> >         * Make the containing directory if it doesn't exist.
>> >         */
>> >        slash = strrchr(pidfile, '/');
>> >        if (slash != NULL && slash != pidfile) {
>> >                *slash = '\0';
>> >                mode = S_IRUSR | S_IWUSR | S_IXUSR;     /* u=rwx */
>> >                mode |= S_IRGRP | S_IXGRP;              /* g=rx */
>> >                mode |= S_IROTH | S_IXOTH;              /* o=rx */
>> >                n = mkdir(pidfile, mode);
>> >                if (n == -1 && errno != EEXIST) {
>> >                        isc__strerror(errno, strbuf, sizeof(strbuf));
>> >                        (*report)("couldn't mkdir %s': %s", filename,
>> >                                  strbuf);
>> >                        free(pidfile);
>> >                        pidfile = NULL;
>> >                        return;
>> >                }
>> >                *slash = '/';
>> >        }
>> >
>> >> BIND 9.6.0-P1 truss.out:
>> >> --CUT--
>> >> 25123/65:       stat("/dev/urandom", 0xFFFFFFFF79D0FA00)        = 0
>> >> 25123/65:       open("/dev/urandom", O_RDONLY|O_NONBLOCK)       = 9
>> >> 25123/65:       fcntl(9, F_GETFL)                               = 8320
>> >> 25123/65:       fcntl(9, F_SETFL, FOFFMAX|FNONBLOCK)            = 0
>> >> 25123/65:       setgid(21)                                      = 0
>> >> 25123/65:       setuid(21)                                      = 0
>> >> 25123/65:       access(".", W_OK)                               = 0
>> >> 25123/65:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >> 25123/65:       lseek(10, 0, SEEK_END)                          = 332
>> >> 25123/65:       close(10)                                       = 0
>> >> 25123/65:       open("/var/log/confignew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >> 25123/65:       lseek(10, 0, SEEK_END)                          = 0
>> >> 25123/65:       close(10)                                       = 0
>> >> 25123/65:       mkdir("/var/run/named", 0755)                   Err#13 EACCES [ALL]
>> >> 25123/65:       stat("/var/log/namednew.log", 0xFFFFFFFF79D0F3C0) = 0
>> >> 25123/65:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >> 25123/65:       lseek(10, 0, SEEK_END)                          = 332
>> >> 25123/65:       fstat(10, 0xFFFFFFFF79D0E540)                   = 0
>> >> 25123/65:       fstat(10, 0xFFFFFFFF79D0E410)                   = 0
>> >> 25123/65:       ioctl(10, TCGETA, 0xFFFFFFFF79D0E47C)           Err#25 ENOTTY
>> >> 25123/65:       write(10, 0x10502E754, 97)                      = 97
>> >> 25123/65:          2 6 - J a n - 2 0 0 9   0 8 : 1 4 : 2 2 . 7 2 3   g e n e r a l
>> >> 25123/65:          :   c o u l d n ' t   m k d i r   / v a r / r u n / n a m e d /
>> >> 25123/65:          n a m e d n e w . p i d ' :   P e r m i s s i o n   d e n i e d
>> >> 25123/65:         \n
>> >> 25123/65:       write(10, 0x10502E754, 69)                      = 69
>> >> 25123/65:          2 6 - J a n - 2 0 0 9   0 8 : 1 4 : 2 2 . 7 2 8   g e n e r a l
>> >> 25123/65:          :   e x i t i n g   ( d u e   t o   e a r l y   f a t a l   e r
>> >> 25123/65:          r o r )\n
>> >> 25123/65:       _exit(1)
>> >>
>> >> It fails because it tries to just create the /var/run/named directory instead
>> >> of checking if the directory exists and if it can write to it.
>> >>
>> >>
>> >> ns12(root) named 515# ls -la /var/run/named
>> >> total 40
>> >> drwxr-s---    4 named    named         307 Jan 26 06:51 ./
>> >> drwxr-xr-x    7 root     sys          1285 Jan 26 00:52 ../
>> >> -rw-r--r--    1 named    named           6 Jan 26 06:41 named.pid
>> >>
>> >> So /var/run/named exists and is fully writable by user named.
>> >>
>> >> User "named" should of course not be able to create directories below
>> >> "/var/run". Especially since many other things on Solaris 10 use that
>> >> directory also.
>> >>
>> >>
>> >> If I use:
>> >>       pid-file "/var/run/named/named/namednew.pid";
>> >>
>> >> ... everything works fine, since it now can run mkdir without getting "EACCES".
>> >>
>> >> Instead it gets "EEXIST" and is OK with that.
>> >>
>> >> BIND 9.6.0-P1 truss.out:
>> >> --CUT--
>> >> 25404/65:       stat("/dev/urandom", 0xFFFFFFFF79D0FA00)        = 0
>> >> 25404/65:       open("/dev/urandom", O_RDONLY|O_NONBLOCK)       = 9
>> >> 25404/65:       fcntl(9, F_GETFL)                               = 8320
>> >> 25404/65:       fcntl(9, F_SETFL, FOFFMAX|FNONBLOCK)            = 0
>> >> 25404/65:       setgid(21)                                      = 0
>> >> 25404/65:       setuid(21)                                      = 0
>> >> 25404/65:       access(".", W_OK)                               = 0
>> >> 25404/65:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >> 25404/65:       lseek(10, 0, SEEK_END)                          = 498
>> >> 25404/65:       close(10)                                       = 0
>> >> 25404/65:       open("/var/log/confignew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >> 25404/65:       lseek(10, 0, SEEK_END)                          = 0
>> >> 25404/65:       close(10)                                       = 0
>> >> 25404/65:       mkdir("/var/run/named/named", 0755)             Err#17 EEXIST
>> >> 25404/65:       stat("/var/run/named/named/namednew.pid", 0xFFFFFFFF79D0F980) Err#2 ENOENT
>> >> 25404/65:       unlink("/var/run/named/named/namednew.pid")     Err#2 ENOENT
>> >> 25404/65:       open("/var/run/named/named/namednew.pid", O_WRONLY|O_CREAT|O_EXCL, 0644) = 10
>> >> 25404/65:       fcntl(10, F_GETFD, 0x000001A4)                  = 0
>> >> 25404/65:       getpid()                                        = 25404 [25403]
>> >> 25404/65:       fstat(10, 0xFFFFFFFF79D0E9D0)                   = 0
>> >> 25404/65:       fstat(10, 0xFFFFFFFF79D0E8A0)                   = 0
>> >> 25404/65:       ioctl(10, TCGETA, 0xFFFFFFFF79D0E90C)           Err#25 ENOTTY
>> >> 25404/65:       write(10, " 2 5 4 0 4\n", 6)                    = 6
>> >> 25404/65:       close(10)                                       = 0
>> >> --CUT--
>> >>
>> >>
>> >> Trussing 9.4.3 I see that it does it differently:
>> >>
>> >> --CUT--
>> >> 25730/10:       access(".", W_OK)                               = 0
>> >> 25730/10:       open("/var/log/namednew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >> 25730/10:       lseek(10, 0, SEEK_END)                          = 2625
>> >> 25730/10:       close(10)                                       = 0
>> >> 25730/10:       open("/var/log/confignew.log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
>> >> 25730/10:       lseek(10, 0, SEEK_END)                          = 0
>> >> 25730/10:       close(10)                                       = 0
>> >> 25730/10:       stat("/var/run/named/namednew.pid", 0xFFFFFFFF7D90F660) Err#2 ENOENT
>> >> 25730/10:       unlink("/var/run/named/namednew.pid")           Err#2 ENOENT
>> >> 25730/10:       open("/var/run/named/namednew.pid", O_WRONLY|O_CREAT|O_EXCL, 0644) = 10
>> >> 25730/10:       fcntl(10, F_GETFD, 0x000001A4)                  = 0
>> >> 25730/10:       getpid()                                        = 25730 [25729]
>> >> 25730/10:       fstat(10, 0xFFFFFFFF7D90E6B0)                   = 0
>> >> 25730/10:       fstat(10, 0xFFFFFFFF7D90E580)                   = 0
>> >> 25730/10:       ioctl(10, TCGETA, 0xFFFFFFFF7D90E5EC)           Err#25 ENOTTY
>> >> 25730/10:       write(10, " 2 5 7 3 0\n", 6)                    = 6
>> >> --CUT--
>> >>
>> >>
>> >> It seems that someone has "shorted" the code to create and/or check the pid-file.
>> >>
>> >> Maybe that "shortcut" will work on Linux, but it for sure does not work on Solaris 10.
>> >>
>> >> Having to use .../named/named/... in the pid-file option is of course possible, but I
>> >> guess that it is not the way it is supposed to be...(?)...
>> >>
>> >> Help? Ideas?
>> >>
>> >> Regards
>> >> Jan Arild Lindstrøm
>> >>
>> >> _______________________________________________
>> >> bind-users mailing list
>> >> bind-users at lists.isc.org
>> >> https://lists.isc.org/mailman/listinfo/bind-users
>> >-- 
>> >Mark Andrews, ISC
>> >1 Seymour St., Dundas Valley, NSW 2117, Australia
>> >PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>> 
>> Regards
>> Jan Arild Lindstrøm
>> 
>-- 
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org


Regards
Jan Arild Lindstrøm
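Added example, not code from this thread or from BIND: a directory check in C that does not trust a bare EACCES from mkdir(), which is what the truss output above shows Solaris tmpfs returning for an existing, writable /var/run/named. On EACCES or EEXIST it inspects the directory itself with stat() and access(), and it reports the directory rather than the pid-file path. The function name and the self-check's throwaway tree under /tmp are assumptions for the example.

```c
#define _XOPEN_SOURCE 700   /* strdup(), mkdtemp() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Make sure the directory that will hold pidfile exists and is writable, creating
 * it if needed. A bare "mkdir() failed and errno != EEXIST" test is not enough: on
 * Solaris tmpfs (/var/run) mkdir() reports EACCES for an existing, writable directory
 * when the caller may not write to its parent. Returns 0 or the failing errno. */
int ensure_pidfile_dir(const char *pidfile)
{
    char *dir = strdup(pidfile), *slash;
    struct stat st;
    int err = 0;
    if (dir == NULL)
        return ENOMEM;
    slash = strrchr(dir, '/');
    if (slash == NULL || slash == dir) {       /* cwd or "/" itself: nothing to make */
        free(dir);
        return 0;
    }
    *slash = '\0';
    if (mkdir(dir, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) != 0) {
        err = errno;
        if ((err == EEXIST || err == EACCES) && stat(dir, &st) == 0) {
            if (!S_ISDIR(st.st_mode))
                err = ENOTDIR;                 /* a file sits where the dir should be */
            else if (access(dir, W_OK | X_OK) == 0)
                err = 0;                       /* exists and we may create the pid file */
            else
                err = errno;                   /* exists but not writable by this uid */
        }
    }
    if (err != 0)                              /* name the directory, not the pid file */
        fprintf(stderr, "couldn't mkdir '%s': %s\n", dir, strerror(err));
    free(dir);
    return err;
}

/* Self-check on a constructed throwaway tree under /tmp; returns how many of 3 cases passed. */
int selfcheck(void)
{
    char tmpl[] = "/tmp/pidtest.XXXXXX", p[512], d[512];
    int ok = 0;
    if (mkdtemp(tmpl) == NULL)
        return 0;
    snprintf(p, sizeof p, "%s/named.pid", tmpl);   /* existing, writable directory */
    ok += ensure_pidfile_dir(p) == 0;
    snprintf(d, sizeof d, "%s/named", tmpl);       /* parent missing: must be created */
    snprintf(p, sizeof p, "%s/named.pid", d);
    ok += ensure_pidfile_dir(p) == 0 && rmdir(d) == 0;
    snprintf(d, sizeof d, "%s/file", tmpl);        /* regular file where the dir should be */
    snprintf(p, sizeof p, "%s/named.pid", d);
    ok += close(open(d, O_WRONLY | O_CREAT, 0644)) == 0 && ensure_pidfile_dir(p) == ENOTDIR;
    unlink(d); rmdir(tmpl);
    return ok;
}
```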





