FS#55987 - [bind] glibc-2.26 breaks bind
Attached to Project:
Arch Linux
Opened by Daniel Schregenberger (SuperBFG7) - Saturday, 14 October 2017, 11:51 GMT
Last edited by Sébastien Luttringer (seblu) - Sunday, 10 December 2017, 16:09 GMT
Description:
When running bind as user named (as in the standard systemd.service file) the process will go defunct immediately after the start. No output to console, no debug logs, no entries in journal. Running as root (no user change) works fine. Downgrade to glibc-2.25-7 fixes this issue for me. I suspect bind needs to be re-built as well when glibc changes.

Additional info:
* bind-9.11.2-2
* glibc-2.26-3 / glibc-2.26-4 / glibc-2.26-5

Steps to reproduce:
# /usr/sbin/named -f -u named -L /dev/stdout

Running as root works:
# /usr/sbin/named -f -L /dev/stdout
Closed by Sébastien Luttringer (seblu)
Sunday, 10 December 2017, 16:09 GMT
Reason for closing: Fixed
Note that both of them were taken inside a docker container.
# strace -o running.strace /usr/sbin/named -f -u named -L named.log
# strace -o failing.strace /usr/sbin/named -f -u named -L named.log
It looks as if the failing one fails on opening the log file.
failing.strace (42.3 KiB)
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=38, filter=0x5576afc1f2b0}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
stat("named.log", 0x7ffd578da800) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "named.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = ?
+++ killed by SIGKILL +++
Set up the seccomp filtering, then seccomp kills because of openat?
Edit:
But unless the platform is i686, it seems openat should be allowed: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/include/named/seccomp.h;h=2e7f6b41a179ca4ad37070861c75d671184ea58b;hb=HEAD
Ctrl-C does not work and the process does not react in any way, so I killed it.
ps shows the process as <defunct>
# ps faux
root 18157 0.0 0.0 20532 3484 pts/0 Ss 17:07 0:00 | \_ /bin/bash
root 18798 0.0 0.0 18316 1848 pts/0 S+ 17:23 0:00 | \_ strace -o failing.strace /usr/sbin/named -f -u named -L named.log
named 18800 0.0 0.0 0 0 pts/0 Zl+ 17:23 0:00 | \_ [named] <defunct>
And the permission denied also happens for /dev/stdout (that's the only entry in the journal when starting named):
named[19047]: isc_log_open '/dev/stdout' failed: permission denied
--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0x7f8350da2610, si_syscall=__NR_openat, si_arch=AUDIT_ARCH_X86_64} ---
Not sure which of https://sourceware.org/git/?p=glibc.git&a=search&h=1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369&st=commit&s=openat was the trigger
Did you rebuild bind with the new glibc to check your suspicion?
Rebuilding with seccomp disabled, named seems to start correctly (the system is not configured for named), but no zombie process is created and named can be terminated without resorting to SIGKILL.
named from 9.11.2-2 matches the failing.strace from SuperBFG7, with the exception that named.log is replaced by /dev/stdout.
My local build could well be suspect; I cannot explain why your system is not seeing the issue when running as root: "/usr/sbin/named -f -u named -L /dev/stdout"
Edit:
If you mean just rebuilding against glibc 2.26-5 without any other changes, the result was the same as using named from 9.11.2-2.
Edit2:
Moving SCMP_SYS(openat) from https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/include/named/seccomp.h;h=2e7f6b41a179ca4ad37070861c75d671184ea58b;hb=HEAD#l86 to line 60,
and "openat" from https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/include/named/seccomp.h;h=2e7f6b41a179ca4ad37070861c75d671184ea58b;hb=HEAD#l153 to line 127,
so that they are outside of #ifndef ISC_PLATFORM_USETHREADS, meaning it will be used on threaded builds, which is what the strace seems to show is required.
named as built with the above modification no longer results in a zombie process requiring SIGKILL.
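As an added illustration (my own example, not BIND's code and not from this thread), a minimal kill-on-mismatch seccomp allow list in the spirit of bin/named/include/named/seccomp.h: with openat(2) missing from the list, a child that opens a file the way glibc 2.26's fopen() does is terminated by SIGSYS, the signal in the strace above; with openat(2) added, the same open succeeds. The names install_filter and open_under_filter are mine, and the filter omits the seccomp_data.arch check a real one needs.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { OUTCOME_OK, OUTCOME_KILLED_BY_SECCOMP, OUTCOME_UNSUPPORTED };

/* Install a kill-on-mismatch allow list, a toy version of named's seccomp.h.
 * allow_openat = 0 mirrors the threaded 9.11.2 build (openat missing); 1 is the fix.
 * Kept short on purpose: a real filter must also check seccomp_data.arch. */
static int install_filter(int allow_openat) {
    int allowed[3]; unsigned n_allowed = 0, n = 0;
    allowed[n_allowed++] = __NR_exit_group;           /* what _exit() uses */
#ifdef __NR_open                                      /* classic open(2); absent on aarch64 */
    allowed[n_allowed++] = __NR_open;
#endif
    if (allow_openat) allowed[n_allowed++] = __NR_openat;
    struct sock_filter prog[8];
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (unsigned i = 0; i < n_allowed; i++)          /* jt lands on the final RET ALLOW */
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], n_allowed - i, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);   /* not listed */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child that installs the filter and then opens a file the way glibc 2.26's
 * fopen() does, through openat(2) rather than open(2); report how the child ended. */
enum outcome open_under_filter(int allow_openat) {
    pid_t pid = fork();
    if (pid < 0) return OUTCOME_UNSUPPORTED;
    if (pid == 0) {
        if (install_filter(allow_openat) != 0) _exit(42);  /* seccomp unavailable here */
        int fd = openat(AT_FDCWD, "/dev/null", O_WRONLY);  /* the call that SIGSYS'd named */
        _exit(fd < 0 ? 1 : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return OUTCOME_UNSUPPORTED;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return OUTCOME_KILLED_BY_SECCOMP;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return OUTCOME_OK;
    return OUTCOME_UNSUPPORTED;
}
```

The parent sees the child's exit status exactly as strace did, so open_under_filter(0) reports the SIGSYS kill and open_under_filter(1) reports a clean exit.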
@loqs: With "running as root" I meant without the option "-u named", still works for me. But for security reasons I'd rather not do that.
@seblu: https://phabricator.kde.org/D7806 indicates another project having to add support for openat, attributed to glibc 2.26.
Looking at other Linux distributions that package named, I could not trivially find another that is on glibc 2.26 and builds named with seccomp support for comparison.
What is strange, however, is that no output is generated to stdout (no idea why), while writing output to a file works as expected (with correct permissions, of course).