Your message dated Mon, 09 Jun 2008 15:14:44 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#360339: fixed in bind9 1:9.5.0.dfsg-0
has caused the Debian Bug report #360339,
regarding start bind within linux-vserver (no capabilities available in the 
security context)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
360339: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=360339
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
package: bind9
version: all
severity: wishlist


Hello!

This bug is filed as wish. It's more or less related to #212226 (bind9
doesn't start when capabilities aren't available) which is set to
wontfix. I would vote for re-thinking about fixing:

There is already a patch available that fixes it. We use that heavily in
linux-vserver.org, because in the so called 'security contexs' we use
(like virtual servers, guests, jails ...) don't get any capability.
Unlike other v12n solutions (XEN, UML ..) in linux-vserver there is no
own kernel per context: So we dont allow guests to get capabilities.

Linux-vserver is already available in Debian for a long time (packages
util-vserver, vserver-debiantools), recently
linux-image-2.6.16-1-vserver.* entered Debian Sid even as ready-to-run
kernel.

The patch was made by Daniel Hokka Zakrisson. It works quite simple: It
checks if there are capabilities available and uses them. This is the
usual and under normal circumstances the more secure way. If there are
no capabilities available (especially CAP_SYS_RESOURCE, which is
requested by bind) it starts without them. With linux-vserver.org this
way of running bind make it _more_ secure.

The original source of the patch is here:
http://daniel.hozac.com/stuff/bind-9.2.3-CAP_SYS_RESOURCE-when-available.patch

And the source of the patch itself is also to be found at the end of
that mail.

rgds,
Andreas

-- 
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331

http://www.net-lab.net


$ cat bind-9.2.3-CAP_SYS_RESOURCE-when-available.patch
diff -Naurp bind-9.2.3.orig/bin/named/unix/os.c
bind-9.2.3/bin/named/unix/os.c
--- bind-9.2.3.orig/bin/named/unix/os.c 2004-11-30 11:04:45.000000000 +0100
+++ bind-9.2.3/bin/named/unix/os.c      2004-12-05 15:24:08.000000000 +0100
@@ -155,9 +155,27 @@ linux_setcaps(unsigned int caps) {
        }
 }

+static unsigned int
+linux_getcaps(void) {
+       struct __user_cap_header_struct caphead;
+       struct __user_cap_data_struct cap;
+       char strbuf[ISC_STRERRORSIZE];
+
+       memset(&caphead, 0, sizeof(caphead));
+       caphead.version = _LINUX_CAPABILITY_VERSION;
+       caphead.pid = 0;
+       memset(&cap, 0, sizeof(cap));
+       if (syscall(SYS_capget, &caphead, &cap) < 0) {
+               isc__strerror(errno, strbuf, sizeof(strbuf));
+               ns_main_earlyfatal("capget failed: %s", strbuf);
+       }
+
+       return cap.permitted;
+}
+
 static void
 linux_initialprivs(void) {
-       unsigned int caps;
+       unsigned int caps, current;

        /*
         * We don't need most privileges, so we drop them right away.
@@ -166,6 +184,7 @@ linux_initialprivs(void) {
         */

        caps = 0;
+       current = linux_getcaps();

        /*
         * We need to be able to bind() to privileged ports, notably
port 53!
@@ -205,14 +224,15 @@ linux_initialprivs(void) {
         * of files, the stack size, data size, and core dump size to
         * support named.conf options, this is now being added to test.
         */
-       caps |= (1 << CAP_SYS_RESOURCE);
+       if ((current & (1 << CAP_SYS_RESOURCE)) == (1 << CAP_SYS_RESOURCE))
+               caps |= (1 << CAP_SYS_RESOURCE);

        linux_setcaps(caps);
 }

 static void
 linux_minprivs(void) {
-       unsigned int caps;
+       unsigned int caps, current;

        /*
         * Drop all privileges except the ability to bind() to privileged
@@ -223,6 +243,7 @@ linux_minprivs(void) {
         */

        caps = 0;
+       current = linux_getcaps();
        caps |= (1 << CAP_NET_BIND_SERVICE);

        /*
@@ -232,7 +253,8 @@ linux_minprivs(void) {
         * of files, the stack size, data size, and core dump size to
         * support named.conf options, this is now being added to test.
         */
-       caps |= (1 << CAP_SYS_RESOURCE);
+       if ((current & (1 << CAP_SYS_RESOURCE)) == (1 << CAP_SYS_RESOURCE))
+               caps |= (1 << CAP_SYS_RESOURCE);

        linux_setcaps(caps);
 }


--- End Message ---
--- Begin Message ---
Source: bind9
Source-Version: 1:9.5.0.dfsg-0

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive:

bind9-doc_9.5.0.dfsg-0_all.deb
  to pool/main/b/bind9/bind9-doc_9.5.0.dfsg-0_all.deb
bind9-host_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/bind9-host_9.5.0.dfsg-0_i386.deb
bind9_9.5.0.dfsg-0.diff.gz
  to pool/main/b/bind9/bind9_9.5.0.dfsg-0.diff.gz
bind9_9.5.0.dfsg-0.dsc
  to pool/main/b/bind9/bind9_9.5.0.dfsg-0.dsc
bind9_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/bind9_9.5.0.dfsg-0_i386.deb
bind9_9.5.0.dfsg.orig.tar.gz
  to pool/main/b/bind9/bind9_9.5.0.dfsg.orig.tar.gz
bind9utils_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/bind9utils_9.5.0.dfsg-0_i386.deb
dnsutils_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/dnsutils_9.5.0.dfsg-0_i386.deb
libbind-dev_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/libbind-dev_9.5.0.dfsg-0_i386.deb
libbind9-40_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/libbind9-40_9.5.0.dfsg-0_i386.deb
libdns42_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/libdns42_9.5.0.dfsg-0_i386.deb
libisc41_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/libisc41_9.5.0.dfsg-0_i386.deb
libisccc40_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/libisccc40_9.5.0.dfsg-0_i386.deb
libisccfg40_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/libisccfg40_9.5.0.dfsg-0_i386.deb
liblwres40_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/liblwres40_9.5.0.dfsg-0_i386.deb
lwresd_9.5.0.dfsg-0_i386.deb
  to pool/main/b/bind9/lwresd_9.5.0.dfsg-0_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
LaMont Jones <[EMAIL PROTECTED]> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 29 May 2008 22:05:19 -0600
Source: bind9
Binary: bind9 bind9utils bind9-doc bind9-host libbind-dev libbind9-40 libdns42 
libisc41 liblwres40 libisccc40 libisccfg40 dnsutils lwresd
Architecture: all i386 source 
Version: 1:9.5.0.dfsg-0
Distribution: experimental
Urgency: low
Maintainer: LaMont Jones <[EMAIL PROTECTED]>
Changed-By: LaMont Jones <[EMAIL PROTECTED]>
Description: 
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 libbind-dev - Static Libraries and Headers used by BIND
 libbind9-40 - BIND9 Shared Library used by BIND
 libdns42   - DNS Shared Library used by BIND
 libisc41   - ISC Shared Library used by BIND
 libisccc40 - Command Channel Library used by BIND
 libisccfg40 - Config File Handling Library used by BIND
 liblwres40 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Closes: 212226 360339 480317
Launchpad-Bugs-Fixed: 227344
Changes: 
 bind9 (1:9.5.0.dfsg-0) experimental; urgency=low
 .
   [Internet Software Consortium, Inc]
 .
   * 9.5.0 release
 .
   [LaMont Jones]
 .
   * Only use capabilities if they are present: reprise.  Closes: #360339, 
#212226
   * control: fix dnsutils description to avoid list reformatting.  Closes: 
#480317
   * build: use the correct directories in dh_shlibdeps invocation
   * build: turn on dlz.  No pgsql or mysql support yet.  LP: #227344
Files: 
 13e1e5c2d7ce04613a46ae3081a845f7 39912 libs optional 
libisccfg40_9.5.0.dfsg-0_i386.deb
 38a653478351b413168eab825bb1003b 254910 doc optional 
bind9-doc_9.5.0.dfsg-0_all.deb
 3ccf9171bdd3b82ba631e52ea63a2fcd 86704 net optional 
bind9utils_9.5.0.dfsg-0_i386.deb
 49da3ddf5f8e0978f76da1d86a6d4a4f 1110006 libdevel optional 
libbind-dev_9.5.0.dfsg-0_i386.deb
 5dc852eaed1241203fc4f9deafcb3a46 251852 net optional bind9_9.5.0.dfsg-0.diff.gz
 66f61c817cf35e311dc6a87a05adb28c 23560 libs optional 
libisccc40_9.5.0.dfsg-0_i386.deb
 6c62b1e108ba916e1d689403d102209a 523012 libs standard 
libdns42_9.5.0.dfsg-0_i386.deb
 6d5f8ed9c929e8a0ed664e74097d21f4 28490 libs standard 
libbind9-40_9.5.0.dfsg-0_i386.deb
 9eae230c2563f78c29664c5b2ef87db8 921 net optional bind9_9.5.0.dfsg-0.dsc
 86abf364c3afd8ca93d87da7e6a03493 5199051 net optional 
bind9_9.5.0.dfsg.orig.tar.gz
 941dff457348a3290087672993edec49 40588 libs standard 
liblwres40_9.5.0.dfsg-0_i386.deb
 b5ceec0ccbefe21f4ef07bf1f729c93b 226936 net optional 
bind9_9.5.0.dfsg-0_i386.deb
 b7deee514d57449be560e801639af6a0 136882 libs standard 
libisc41_9.5.0.dfsg-0_i386.deb
 dcb04bc7b00b397c8942e9d97767f2c0 184916 net optional 
lwresd_9.5.0.dfsg-0_i386.deb
 de74001f854318e44c87a36e950149fc 113582 net standard 
dnsutils_9.5.0.dfsg-0_i386.deb
 f5be242a9202d9ba2a2c7555dc4b3168 45030 net standard 
bind9-host_9.5.0.dfsg-0_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIP4s1zN/kmwoKyScRAh4HAKCK7gSub2cVAs5CzV/e3Sryg7dQtACdGLM4
QN9swnMz1tcJlgQWV76+gUw=
=slyq
-----END PGP SIGNATURE-----



--- End Message ---

Reply via email to