FS#66278 - [bind] managed-keys.bind.jnl file permissions too restrictive
Attached to Project:
Arch Linux
Opened by David Ford (FirefighterBlu3) - Thursday, 16 April 2020, 21:16 GMT
Last edited by Sébastien Luttringer (seblu) - Saturday, 18 July 2020, 00:06 GMT
Details
Description:
Sometime recently a change was introduced regarding "managed-keys.bind.jnl" and its requirements within BIND's named. This file requires RW access. Our permissions on Arch are 770 with root:named ownership. This prohibits a RW operation if BIND itself originally creates the file (as it does so with 640 permissions). A quick fix is to simply add g+w to the file. BIND assumes it will have write capability within the /var/named/ directory and I expect future versions of BIND will want to create or manage other files too.

16-Apr-2020 16:19:17.271 running
16-Apr-2020 16:19:17.388 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
16-Apr-2020 16:19:17.388 managed-keys.bind.jnl: open: permission denied
16-Apr-2020 16:19:17.388 managed-keys-zone: keyfetch_done:dns_journal_open -> unexpected error

[non-root@Scott p]$ egrep "chdir|cwd|managed-keys" /tmp/named.sout
[pid 8624] chdir("/var/named") = 0
[pid 8624] sendto(3, "<30>Apr 16 17:03:30 named[8611]: set up managed keys zone for view _default, file 'managed-keys.bind'", 101, MSG_NOSIGNAL, NULL, 0) = 101
[pid 8624] stat("managed-keys.bind", <unfinished ...>
[pid 8624] openat(AT_FDCWD, "managed-keys.bind", O_RDONLY) = 93
[pid 8624] openat(AT_FDCWD, "managed-keys.bind.jnl", O_RDONLY) = 93
[pid 8624] openat(AT_FDCWD, "managed-keys.bind.jnl", O_RDONLY) = 93
[pid 8624] write(93, "16-Apr-2020 17:03:30.375 managed-keys-zone: loaded serial 1425\n", 63) = 63
[pid 8631] write(93, "16-Apr-2020 17:03:30.591 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)\n", 108) = 108
[pid 8631] openat(AT_FDCWD, "managed-keys.bind.jnl", O_RDWR) = -1 EACCESS (Permission denied)

┌[✗ root@Scott [/etc]
└─> ls -al /var/named/
total 32
drwxrwx--- 2 root named 4096 Apr 16 16:19 .
drwxr-xr-x 17 root root 4096 Apr 16 16:06 ..
-rw-r----- 1 root named 466 Apr 1 17:44 127.0.0.zone
-rw-r----- 1 root named 506 Apr 1 17:44 localhost.ip6.zone
-rw-r----- 1 root named 517 Apr 1 17:44 localhost.zone
-rw-r--r-- 1 root named 821 Dec 17 13:09 managed-keys.bind
-rw-r--r-- 1 root named 2516 Dec 17 13:09 managed-keys.bind.jnl
-rw-r----- 1 root named 3315 Dec 17 15:15 root.hint

┌[✓ root@Scott [/etc]
└─> chmod g+w /var/named/managed-keys.bind.jnl

Additional info:
* package version(s) <=9.16.1-2

Steps to reproduce:
Closed by Sébastien Luttringer (seblu)
Saturday, 18 July 2020, 00:06 GMT
Reason for closing: No response
Comment by loqs (loqs) - Thursday, 16 April 2020, 23:19 GMT
What if you set UMask=0002 in the service file? (You would need to delete managed-keys.bind.jnl to force its recreation)
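The following is an added example, not code from the report or from the Arch package: it shows why a journal that named creates under the default umask 0022 ends up without the group write bit (the EACCES seen in the strace above), what a service UMask=0002 changes, and how to audit a zone directory for files the owning group cannot write. The file and directory paths it takes are assumptions; run it against a scratch directory, not a live /var/named.

```sh
#!/bin/sh
# Added example (not from the bug report or the Arch package).
# Assumption: named opens new files with mode 0666 and lets umask trim it,
# so the resulting mode is 0666 & ~umask. A service-level UMask=0002 in the
# [Service] section of named's unit (loqs's suggestion) therefore yields 0664.

# Mode a file created with an open(..., 0666) request gets under umask $1
# (an octal string such as 0022 or 0002).
created_mode() {
    printf '%04o\n' $(( 0666 & ~0$1 ))
}

# Recreate $2 under umask $1 and report its group-write bit ("g+w"/"g-w").
# The file is removed first because umask only applies at creation time;
# an existing file keeps its old mode, which is why the comment above says
# to delete managed-keys.bind.jnl before restarting named.
create_under_umask() {
    rm -f "$2"
    ( umask "$1"; : > "$2" )
    # -perm -020: the group write bit (octal 020) must be set
    if [ -n "$(find "$2" -perm -020)" ]; then echo g+w; else echo g-w; fi
}

# List regular files directly under directory $1 that lack the group write
# bit. In a directory named writes journals into, each hit is a candidate
# for the "open: permission denied" error quoted in the report.
group_unwritable() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ -z "$(find "$f" -perm -020)" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Demo on a constructed scratch directory (never on the real /var/named):
#   sh this_script.sh demo
if [ "${1-}" = "demo" ]; then
    d=$(mktemp -d)
    echo "umask 0022 -> $(created_mode 0022), 0002 -> $(created_mode 0002)"
    echo "journal under 0022: $(create_under_umask 0022 "$d/managed-keys.bind.jnl")"
    echo "journal under 0002: $(create_under_umask 0002 "$d/managed-keys.bind.jnl")"
    rm -rf "$d"
fi
```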