Skip Menu |
Report information
The Basics
Id: 44853
Status: resolved
Priority: 50/50
Queue: bind9-public
People
Owner: Nobody in particular
Requestors: Petr Menšík <pemensik@redhat.com>
Cc:
AdminCc:
Bug Information
Version Fixed: 9.12.0
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P3 Low
Severity: S3 Low
CVSS Score: (no value)
CVE ID: (no value)
Component: BIND Server
Area: bug
Attachments
0001-Add-new-zones-directory-option-write-.nzf-there.patch
0002-Basic-test-of-new-zones-directory-option.patch
bind9-master-new-zones-directory.patch
bind99-new-zones-directory.patch
Dates
Created:Fri, 10 Mar 2017 12:05:51 -0500
Updated:Mon, 26 Jun 2017 20:26:09 -0400
Closed:Wed, 17 May 2017 16:32:06 -0400

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History Show full headers
# Fri, 10 Mar 2017 12:05:51 -0500 Petr Menšík <pemensik@redhat.com> - Ticket created [Reply] [Comment]
Subject: [PATCH] NZF files cannot be written to different directory
Date: Fri, 10 Mar 2017 12:05:46 -0500 (EST)
To: bind-bugs@isc.org
From: "Petr Mensik" <pemensik@redhat.com>
Download (untitled) / with headers
text/plain 1.4KiB
Hi, we are Red Hat and Fedora have bind directory /var/named not writeable by named process. It is possible to configure managed-keys-directory to write dynamic data into other (sub)directory. I think it would make sense to configure also different dynamic content in similar way. Currently it is impossible to change directory of dynamic zones added via rndc addzone. It blocks our packaging and requires manual work from admin. I would like to use /var/named/dynamic subdirectory that is already used for managed keys. I think it makes sense for most installations to have read-only access to zone files. We want that for master zones by default. But we would like possibility to addzone from default configuration at the same time. It is not easy with the current bind. I have prepared patch that allows "new-zones-directory" option in configuration, very similar to "managed-keys-directory". Is that approach acceptable by you? I modified logic in dns_view_setnewzones(), so that it is always used only to reset current settings. And moved case when new zones are enabled to bin/named/server.c, where it is easier to obtain directory from configuration. It is not used from any other place with real values anyway. I made it to reuse the similar hashing like managed-keys-directory in bind 9.9. I attached that patch more for a reference. Are you willing to include such feature? -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemensik@redhat.com PGP: 65C6C973
Download bind99-new-zones-directory.patch
text/x-patch 7.6KiB

Message body is not shown because sender requested not to inline it.

Download bind9-master-new-zones-directory.patch
text/x-patch 7.1KiB

Message body is not shown because sender requested not to inline it.

# Fri, 10 Mar 2017 12:46:42 -0500 Evan Hunt <each@isc.org> - Correspondence added [Reply] [Comment]
CC:
Subject: Re: [ISC-Bugs #44853] [PATCH] NZF files cannot be written to different directory
Date: Fri, 10 Mar 2017 17:46:41 +0000
To: "Petr Menšík via RT" <bind9-bugs@isc.org>
From: "Evan Hunt" <each@isc.org>
Download (untitled) / with headers
text/plain 240B
Thank you for the patch, we'll review it. If it makes sense for managed-keys then it makes just as much sense for this. I'm curious why you're using a non-writable working directory, though? That will cause more problems than just this.
# Fri, 10 Mar 2017 12:46:43 -0500 The RT System itself - Status changed from 'new' to 'open'
# Fri, 10 Mar 2017 14:53:56 -0500 Mukund Sivaraman <muks@isc.org> - Priority P3 Low added
# Fri, 10 Mar 2017 14:53:57 -0500 Mukund Sivaraman <muks@isc.org> - Severity S3 Low added
# Fri, 10 Mar 2017 14:53:57 -0500 Mukund Sivaraman <muks@isc.org> - Area bug added
# Fri, 10 Mar 2017 14:53:57 -0500 Mukund Sivaraman <muks@isc.org> - Component BIND Server added
# Mon, 20 Mar 2017 13:58:39 -0400 Petr Menšík <pemensik@redhat.com> - Correspondence added [Reply] [Comment]
Subject: Re: [ISC-Bugs #44853] [PATCH] NZF files cannot be written to different directory
Date: Mon, 20 Mar 2017 18:58:32 +0100
To: bind9-bugs@isc.org
From: "Petr Menšík" <pemensik@redhat.com>
Download (untitled) / with headers
text/plain 2KiB
Hello Evan, I made some fixes to original patch, because I think it does not allow simple upgrade from older versions without manual configuration change. I would like default configuration with custom directory for nzf files. It would be difficult to do that, if user could have his own zones added in customized configuration. Also it contains fix for a case, when option is not even in configuration file. Sorry I did not test it out before. I made also very simple addition to addzone tests. It helped me to find some errors. Now back to your question. We have got such configuration for a long time. It was not something I invented, but I think it makes sense. We have got master zone files in home /var/named directory. These are files that are managed by an administrator (or packaging system). He is changing them using editor or his tools. He "owns" them somehow. Named is allowed only to read them, serve them as they are. For dynamic zones, that are modified primarily by named, are there prepared sub folders dynamic and slaves. Files there are "owned" by named and no one should edit them, unless he makes sure named is not touching them. It increases security a bit I think. Especially when it is enforced by SELinux, not only simple unix rights. It helps administrator to distinguish what can be modified by bind and what cannot. I think there are only dynamic zones with their journal. But they use temporary files in the same directory as themselves, aren't they? What other problems can it make? I can think only automatic DNSSEC resigning. Such zones are updated using dynamic updates anyway, aren't they? Selinux will log any access violation. The only problem reported by users was .nzf files. If you know any potential problems, I would really like to hear them. Best Regards, Petr Menšík Dne 10.3.2017 v 18:46 Evan Hunt via RT napsal(a): > Thank you for the patch, we'll review it. If it makes sense for > managed-keys then it makes just as much sense for this. > > I'm curious why you're using a non-writable working directory, > though? That will cause more problems than just this. > >
Download 0002-Basic-test-of-new-zones-directory-option.patch
text/x-patch 7.2KiB

Message body is not shown because sender requested not to inline it.

Download 0001-Add-new-zones-directory-option-write-.nzf-there.patch
text/x-patch 8.6KiB

Message body is not shown because sender requested not to inline it.

# Fri, 24 Mar 2017 14:43:05 -0400 Evan Hunt <Evan_Hunt@isc.org> - Queue changed from #6 to #7
# Fri, 24 Mar 2017 14:43:05 -0400 Evan Hunt <Evan_Hunt@isc.org> - Taken
# Sat, 25 Mar 2017 02:28:37 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added [Reply] [Comment]
Download (untitled) / with headers
text/plain 958B
> I think there are only dynamic zones with their journal. But they use > temporary files in the same directory as themselves, aren't they? > What other problems can it make? I can think only automatic DNSSEC > resigning. Such zones are updated using dynamic updates anyway, aren't > they? Selinux will log any access violation. The only problem reported > by users was .nzf files. If you know any potential problems, I would > really like to hear them. The most significant problem that's hard to correct with careful configuration of named is that most platforms write core dumps to the working directory by default, and changing that is usually a system-wide setting rather than something that can be corrected specifically for named. It makes for difficult debugging. But I do think you're correct that the files named has direct control over can be configured to write elsewhere (with the exception of NZF and NZDB files, which your patch addresses).
# Sat, 25 Mar 2017 13:51:31 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added [Reply] [Comment]
Download (untitled) / with headers
text/plain 890B
I've reviewed your patch, and made a few changes: - reverted the changes to dns_view_addnewzones(), put the allow code back into view.c. - moved your file_sanitize_legacy() function into view.c as nz_legacy() - made new-zones-directory a view option instead of options-only - added a dns_view_setnewzonedir() function. That's now used by nz_legacy() to find the right place to put the files - added documentation of new-zones-directory - noticed that the existing documentation of NZD and NZF files was rather poor, so expanded them - fixed the test to check for NZD instead of NZF when linked with LMDB (I want to thank you for writing a test, that was particularly helpful.) Since I changed your code a fair bit I'm going to ask one of my colleagues to review it too, but I expect this will be merged to our master branch (for 9.12.0) soon. Thank you again for the contribution.
# Sat, 25 Mar 2017 13:51:32 -0400 Evan Hunt <Evan_Hunt@isc.org> - Untaken
# Mon, 27 Mar 2017 09:07:39 -0400 Petr Menšík <pemensik@redhat.com> - Correspondence added [Reply] [Comment]
Subject: Re: [ISC-Bugs #44853] [PATCH] NZF files cannot be written to different directory
Date: Mon, 27 Mar 2017 15:07:33 +0200
To: bind9-review@isc.org
From: "Petr Menšík" <pemensik@redhat.com>
Download (untitled) / with headers
text/plain 2.4KiB
Hi Evan, today I was checking my 9.11 instance with some stuff of dyndb. I noticed write errors of NTA files. I did not notice it before, because I do not use Bind 9.11 much yet. I am sure I would like to be able to change view->nta_file write directory as well. It is less important than nzf files for me right now. I do not like an idea of three options however, all of them with the same value. I think it would make sense to have one common option for all mkeys, nzf/nzd and nta files. With possible override for a specific type if required. It might be useful to have configuration type of "path to existing directory" maybe. It would not be required to copy path test and report and error in case specified directory did not exist. I am looking forward to merge back your changes. I will try to make similar backport to Bind 9.9 which we ship in RHEL. You are right about core dumps. We have coredumps handled by abrt tool in Fedora and RHEL. Without manual configuration, you will not get core dump in working directory in those distributions. Maybe also from derived ones. They are dumped into some system directory, where they are unreadable by ordinary user. That is important feature of packaged services, because it allows easier sending of core dumps (and more information) from our customers. Unfortunately most bugs from BIND are core dumps from memory leak detection, where I am not able to tell the reason for them. But it is good feature anyway. Dne 25.3.2017 v 07:28 Evan Hunt via RT napsal(a): > >> I think there are only dynamic zones with their journal. But they use >> temporary files in the same directory as themselves, aren't they? >> What other problems can it make? I can think only automatic DNSSEC >> resigning. Such zones are updated using dynamic updates anyway, aren't >> they? Selinux will log any access violation. The only problem reported >> by users was .nzf files. If you know any potential problems, I would >> really like to hear them. > > The most significant problem that's hard to correct with careful configuration > of named is that most platforms write core dumps to the working directory by > default, and changing that is usually a system-wide setting rather than something > that can be corrected specifically for named. It makes for difficult > debugging. > > But I do think you're correct that the files named has direct control over can > be configured to write elsewhere (with the exception of NZF and NZDB files, > which your patch addresses). >
# Mon, 03 Apr 2017 07:07:54 -0400 Petr Menšík <pemensik@redhat.com> - Correspondence added [Reply] [Comment]
Subject: Re: [ISC-Bugs #44853] [PATCH] NZF files cannot be written to different directory
Date: Mon, 3 Apr 2017 13:07:47 +0200
To: bind9-review@isc.org
From: "Petr Menšík" <pemensik@redhat.com>
Download (untitled) / with headers
text/plain 2KiB
Hello Evan, We are preparing a new release including bind soon. I would like to help you any way I can. If there is anything I can help you with, please do not hesitate to ask. Let me know when if you have anything to comment or review. Dne 25.3.2017 v 18:51 Evan Hunt via RT napsal(a): > I've reviewed your patch, and made a few changes: > > - reverted the changes to dns_view_addnewzones(), put the allow code back > into view.c. Yes, I thought you would not like that move. I rechecked why did I move it in the first place. It made some sense on bind 9.9, where it allowed me to reuse making hashed file name from different places. It moved to shared function isc_file_sanitize in bind 9.11, making such move unnecessary change. I agree it is not necessary or useful in recent version. > - moved your file_sanitize_legacy() function into view.c as nz_legacy() > - made new-zones-directory a view option instead of options-only I am not sure if that is really required. Every file in that directory is named after single view and has to be as unique as is name of a view. I think it would be more useful if you could override path to NZF/NZD file used by that view. It would allow to configure one file shared between views however, that is not wanted I think. Do you have any use case when would it help to configure it per view? > - added a dns_view_setnewzonedir() function. That's now used by nz_legacy() > to find the right place to put the files Sure, it seems better than keeping temporary allocated path in nz_legacy() > - added documentation of new-zones-directory > - noticed that the existing documentation of NZD and NZF files was rather > poor, so expanded them > - fixed the test to check for NZD instead of NZF when linked with LMDB > > (I want to thank you for writing a test, that was particularly helpful.) > > Since I changed your code a fair bit I'm going to ask one of my colleagues > to review it too, but I expect this will be merged to our master branch (for > 9.12.0) soon. > > Thank you again for the contribution. I am glad I could help. Petr Mensik
# Mon, 03 Apr 2017 17:52:36 -0400 Evan Hunt <each@isc.org> - Correspondence added [Reply] [Comment]
CC:
Subject: Re: [ISC-Bugs #44853] [PATCH] NZF files cannot be written to different directory
Date: Mon, 3 Apr 2017 21:52:35 +0000
To: "Petr Menšík via RT" <bind9-review@isc.org>
From: "Evan Hunt" <each@isc.org>
Download (untitled) / with headers
text/plain 283B
On Mon, Apr 03, 2017 at 11:07:54AM +0000, Petr Menšík via RT wrote: > Do you have any use case when would it help to configure it per view? Not particularly, but as it's set as a view member internally, it seemed unnecessary for it to to be defined globally in the config file.
# Sun, 09 Apr 2017 23:37:45 -0400 Mark Andrews <marka@isc.org> - Given to Evan Hunt <Evan_Hunt@isc.org>
# Fri, 21 Apr 2017 23:03:34 -0400 Evan Hunt <Evan_Hunt@isc.org> - Given to Mark Andrews <marka@isc.org>
# Sun, 23 Apr 2017 23:22:08 -0400 Mark Andrews <marka@isc.org> - Given to Evan Hunt <Evan_Hunt@isc.org>
# Mon, 24 Apr 2017 02:17:53 -0400 Evan Hunt <Evan_Hunt@isc.org> - Untaken
# Mon, 24 Apr 2017 02:18:04 -0400 Evan Hunt <Evan_Hunt@isc.org> - Queue changed from #7 to #36
# Mon, 24 Apr 2017 02:18:04 -0400 Evan Hunt <Evan_Hunt@isc.org> - Version Fixed 9.12.0 added
# Wed, 17 May 2017 16:32:06 -0400 Curtis Blackburn <ckb@isc.org> - Status changed from 'open' to 'resolved'
# Wed, 21 Jun 2017 14:47:18 -0400 Brian Conry <bconry@isc.org> - Queue changed from #36 to #6
# Mon, 26 Jun 2017 20:26:08 -0400 Vicky Risk <vicky@isc.org> - Queue changed from #6 to bind9-public