| Summary: | dns/bind912: fails to start, stating possibly wrong reason for this | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | emz |
| Component: | Individual Port(s) | Assignee: | Mathieu Arnold <mat> |
| Status: | Closed Works As Intended | | |
| Severity: | Affects Only Me | CC: | chris, ping-freebsd |
| Priority: | --- | Flags: | bugzilla: maintainer-feedback? (mat) |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |
Description
emz
2017-11-24 14:04:17 UTC
After much fiddling, I was able to reproduce the problem you are encountering. You changed the "directory" directive to something like /usr/local/etc/namedb. With that change, named now refuses to start because it cannot write to this directory. To fix this, either set "directory" back to its stock value, or edit /usr/local/etc/mtree/BIND.chroot.local.dist to change the owner of the "namedb" directory to bind instead of root. Note that this is not a good idea because then named can write to all its configuration, and in case of a security hole, a malicious user could edit the configuration files.

(In reply to Mathieu Arnold from comment #1) I have the exact same problem with bind912. The same set of config files works fine with bind911. The same config files work without chroot in bind912. My "directory" directive is set to /usr/local/etc/namedb. Without it bind cannot find the rest of the config files and fails checkconf.

The fix is the same for bind912.

What exactly is the fix? From the comment that closed the PR:

> edit /usr/local/etc/mtree/BIND.chroot.local.dist to change the
> owner of the "namedb" directory to bind instead of root.

Does this have to be broken by default? Without the "directory" directive it looks for everything in "/var/named/*".

The BIND9 ports are secure by default, it means BIND9 cannot write to the directory where its configuration is stored. If, for some reason, you want to lessen this security, you absolutely can, you can change the directory directive, and you can change the mtree file that ensures permissions are correct.

I understand and agree with your points about security. My point was, I do not want to change mtree every time I install the port. I am running bind in chroot. bind912, your port, is looking for write permission in the "directory". Previous ports did not. How do you suggest we fix this?

Let me ask the question another way, for those of us running chroot, how would you change named configuration so that the bind912 port works out of the box?

And I totally agree with ping mai, port clearly conflicts with base system. Who runs named without chroot nowadays anyway?

(In reply to ping mai from comment #8)
> I understand and agree with your points about security. My point was, I do
> not want to change mtree every time I install the port. I am running bind
> in chroot. bind912, your port, is looking for write permission in the
> "directory".
> Previous ports did not. How do you suggest we fix this?

During the BIND9 9.12 development cycle, named started requiring that its working "directory" was writable, in https://gitlab.isc.org/isc-projects/bind9/commit/16d6fab2e59f1fdf63eb71fc59e138031f5c5005 and https://gitlab.isc.org/isc-projects/bind9/commit/1ca7e01aa741f2238690d7d9e247293187af79c8. The port then made sure that the directory was writable, and other directories were not. The port also allowed the user who wanted to change "directory", from an empty directory where a security issue could not do much harm, to its parent directory to change the mtree file to lessen the security.

(In reply to ping mai from comment #9)
> let me ask the question another way, for those of us running chroot, how
> would you change named configuration so that the bind912 port works out of
> the box?

As bind912 works out of the box, I am unsure what you mean. If you mean "out of the box with the directory directive changed" then you only need to follow the steps in comment #1, like I already told you.

(In reply to emz from comment #10)
> and I totally agree with ping mai, port clearly conflicts with base system.
> Who runs named without chroot nowadays anyway ?

I do not understand, BIND9 has not been in the base system for years, how can it conflict.

(In reply to Mathieu Arnold from comment #11) Are you saying the only way to get bind912 port to work is to change the mtree definition? Do we agree that that is what we want to avoid? Let's say you are running named chroot, and you wish to reference /usr/local/etc/namedb/named.root which is included in your port. How would you do that in your named.conf?

I am saying that if you change "directory" then you must relax the permissions in the mtree file. It may be what *you* agreed with yourself that it is what you wanted to avoid, but it is the *correct* way to do it. It is also the only reason the mtree files are installed with @sample so that they are not overwritten on upgrades. If you keep "directory" to the default value, to reference files outside of it, you put the full path to the file, have a look at how named.conf.sample does it.
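As an added illustration of the two configurations discussed in this thread (written for this page, not a file from the PR or from the dns/bind912 port), here is the named.conf setting that triggers the startup failure beside the layout the maintainer recommends. The stock working directory /usr/local/etc/namedb/working, the bind-owned slave directory and the example zone are assumptions drawn from the port's named.conf.sample, not values stated in the PR; paths are written as named sees them, so under a chroot they are relative to the chroot root.

```conf
// ---- Configuration that fails with BIND 9.12 ----
// "directory" points at the configuration directory itself. The port's mtree
// file keeps /usr/local/etc/namedb owned by root, and 9.12 now insists that
// its working directory be writable, so named refuses to start. Making the
// directory bind-owned would start named, but then a compromised named
// could rewrite its own configuration.
options {
        directory "/usr/local/etc/namedb";          // read-only for bind: startup fails
};
zone "." { type hint; file "named.root"; };         // resolved relative to "directory"

// ---- Recommended layout (what named.conf.sample does) ----
// Keep "directory" at its stock, bind-owned, otherwise-empty working
// directory (assumed: /usr/local/etc/namedb/working) and name everything
// outside it by full path. Files named must write (e.g. secondary zones) go
// in a bind-owned subdirectory (assumed: slave/); everything else stays root-owned.
options {
        directory "/usr/local/etc/namedb/working";   // writable by bind, holds no configuration
};
zone "." {
        type hint;
        file "/usr/local/etc/namedb/named.root";     // full path, root-owned, read-only for bind
};
zone "example.net" {                                 // constructed example, not from the PR
        type slave;
        masters { 192.0.2.1; };                      // documentation address, constructed
        file "/usr/local/etc/namedb/slave/example.net"; // bind-owned: the one place named writes
};
include "/usr/local/etc/namedb/rndc.key";            // full path into the read-only config tree
```

With the second layout the mtree sample file needs no edits, so upgrades keep the root-owned configuration tree intact while named still has the writable working directory that 9.12 requires.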