Your message dated Mon, 09 Jun 2008 15:14:44 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#360339: fixed in bind9 1:9.5.0.dfsg-0
has caused the Debian Bug report #360339,
regarding start bind within linux-vserver (no capabilities available in the
security context)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
360339: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=360339
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
package: bind9
version: all
severity: wishlist
Hello!
This bug is filed as wish. It's more or less related to #212226 (bind9
doesn't start when capabilities aren't available) which is set to
wontfix. I would vote for re-thinking about fixing:
There is already a patch available that fixes it. We use that heavily in
linux-vserver.org, because in the so called 'security contexs' we use
(like virtual servers, guests, jails ...) don't get any capability.
Unlike other v12n solutions (XEN, UML ..) in linux-vserver there is no
own kernel per context: So we dont allow guests to get capabilities.
Linux-vserver is already available in Debian for a long time (packages
util-vserver, vserver-debiantools), recently
linux-image-2.6.16-1-vserver.* entered Debian Sid even as ready-to-run
kernel.
The patch was made by Daniel Hokka Zakrisson. It works quite simple: It
checks if there are capabilities available and uses them. This is the
usual and under normal circumstances the more secure way. If there are
no capabilities available (especially CAP_SYS_RESOURCE, which is
requested by bind) it starts without them. With linux-vserver.org this
way of running bind make it _more_ secure.
The original source of the patch is here:
http://daniel.hozac.com/stuff/bind-9.2.3-CAP_SYS_RESOURCE-when-available.patch
And the source of the patch itself is also to be found at the end of
that mail.
rgds,
Andreas
--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331
http://www.net-lab.net
$ cat bind-9.2.3-CAP_SYS_RESOURCE-when-available.patch
diff -Naurp bind-9.2.3.orig/bin/named/unix/os.c
bind-9.2.3/bin/named/unix/os.c
--- bind-9.2.3.orig/bin/named/unix/os.c 2004-11-30 11:04:45.000000000 +0100
+++ bind-9.2.3/bin/named/unix/os.c 2004-12-05 15:24:08.000000000 +0100
@@ -155,9 +155,27 @@ linux_setcaps(unsigned int caps) {
}
}
+static unsigned int
+linux_getcaps(void) {
+ struct __user_cap_header_struct caphead;
+ struct __user_cap_data_struct cap;
+ char strbuf[ISC_STRERRORSIZE];
+
+ memset(&caphead, 0, sizeof(caphead));
+ caphead.version = _LINUX_CAPABILITY_VERSION;
+ caphead.pid = 0;
+ memset(&cap, 0, sizeof(cap));
+ if (syscall(SYS_capget, &caphead, &cap) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlyfatal("capget failed: %s", strbuf);
+ }
+
+ return cap.permitted;
+}
+
static void
linux_initialprivs(void) {
- unsigned int caps;
+ unsigned int caps, current;
/*
* We don't need most privileges, so we drop them right away.
@@ -166,6 +184,7 @@ linux_initialprivs(void) {
*/
caps = 0;
+ current = linux_getcaps();
/*
* We need to be able to bind() to privileged ports, notably
port 53!
@@ -205,14 +224,15 @@ linux_initialprivs(void) {
* of files, the stack size, data size, and core dump size to
* support named.conf options, this is now being added to test.
*/
- caps |= (1 << CAP_SYS_RESOURCE);
+ if ((current & (1 << CAP_SYS_RESOURCE)) == (1 << CAP_SYS_RESOURCE))
+ caps |= (1 << CAP_SYS_RESOURCE);
linux_setcaps(caps);
}
static void
linux_minprivs(void) {
- unsigned int caps;
+ unsigned int caps, current;
/*
* Drop all privileges except the ability to bind() to privileged
@@ -223,6 +243,7 @@ linux_minprivs(void) {
*/
caps = 0;
+ current = linux_getcaps();
caps |= (1 << CAP_NET_BIND_SERVICE);
/*
@@ -232,7 +253,8 @@ linux_minprivs(void) {
* of files, the stack size, data size, and core dump size to
* support named.conf options, this is now being added to test.
*/
- caps |= (1 << CAP_SYS_RESOURCE);
+ if ((current & (1 << CAP_SYS_RESOURCE)) == (1 << CAP_SYS_RESOURCE))
+ caps |= (1 << CAP_SYS_RESOURCE);
linux_setcaps(caps);
}
--- End Message ---
--- Begin Message ---
Source: bind9
Source-Version: 1:9.5.0.dfsg-0
We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive:
bind9-doc_9.5.0.dfsg-0_all.deb
to pool/main/b/bind9/bind9-doc_9.5.0.dfsg-0_all.deb
bind9-host_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/bind9-host_9.5.0.dfsg-0_i386.deb
bind9_9.5.0.dfsg-0.diff.gz
to pool/main/b/bind9/bind9_9.5.0.dfsg-0.diff.gz
bind9_9.5.0.dfsg-0.dsc
to pool/main/b/bind9/bind9_9.5.0.dfsg-0.dsc
bind9_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/bind9_9.5.0.dfsg-0_i386.deb
bind9_9.5.0.dfsg.orig.tar.gz
to pool/main/b/bind9/bind9_9.5.0.dfsg.orig.tar.gz
bind9utils_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/bind9utils_9.5.0.dfsg-0_i386.deb
dnsutils_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/dnsutils_9.5.0.dfsg-0_i386.deb
libbind-dev_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/libbind-dev_9.5.0.dfsg-0_i386.deb
libbind9-40_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/libbind9-40_9.5.0.dfsg-0_i386.deb
libdns42_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/libdns42_9.5.0.dfsg-0_i386.deb
libisc41_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/libisc41_9.5.0.dfsg-0_i386.deb
libisccc40_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/libisccc40_9.5.0.dfsg-0_i386.deb
libisccfg40_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/libisccfg40_9.5.0.dfsg-0_i386.deb
liblwres40_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/liblwres40_9.5.0.dfsg-0_i386.deb
lwresd_9.5.0.dfsg-0_i386.deb
to pool/main/b/bind9/lwresd_9.5.0.dfsg-0_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <[EMAIL PROTECTED]> (supplier of updated bind9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 29 May 2008 22:05:19 -0600
Source: bind9
Binary: bind9 bind9utils bind9-doc bind9-host libbind-dev libbind9-40 libdns42
libisc41 liblwres40 libisccc40 libisccfg40 dnsutils lwresd
Architecture: all i386 source
Version: 1:9.5.0.dfsg-0
Distribution: experimental
Urgency: low
Maintainer: LaMont Jones <[EMAIL PROTECTED]>
Changed-By: LaMont Jones <[EMAIL PROTECTED]>
Description:
bind9 - Internet Domain Name Server
bind9-doc - Documentation for BIND
bind9-host - Version of 'host' bundled with BIND 9.X
bind9utils - Utilities for BIND
dnsutils - Clients provided with BIND
libbind-dev - Static Libraries and Headers used by BIND
libbind9-40 - BIND9 Shared Library used by BIND
libdns42 - DNS Shared Library used by BIND
libisc41 - ISC Shared Library used by BIND
libisccc40 - Command Channel Library used by BIND
libisccfg40 - Config File Handling Library used by BIND
liblwres40 - Lightweight Resolver Library used by BIND
lwresd - Lightweight Resolver Daemon
Closes: 212226 360339 480317
Launchpad-Bugs-Fixed: 227344
Changes:
bind9 (1:9.5.0.dfsg-0) experimental; urgency=low
.
[Internet Software Consortium, Inc]
.
* 9.5.0 release
.
[LaMont Jones]
.
* Only use capabilities if they are present: reprise. Closes: #360339,
#212226
* control: fix dnsutils description to avoid list reformatting. Closes:
#480317
* build: use the correct directories in dh_shlibdeps invocation
* build: turn on dlz. No pgsql or mysql support yet. LP: #227344
Files:
13e1e5c2d7ce04613a46ae3081a845f7 39912 libs optional
libisccfg40_9.5.0.dfsg-0_i386.deb
38a653478351b413168eab825bb1003b 254910 doc optional
bind9-doc_9.5.0.dfsg-0_all.deb
3ccf9171bdd3b82ba631e52ea63a2fcd 86704 net optional
bind9utils_9.5.0.dfsg-0_i386.deb
49da3ddf5f8e0978f76da1d86a6d4a4f 1110006 libdevel optional
libbind-dev_9.5.0.dfsg-0_i386.deb
5dc852eaed1241203fc4f9deafcb3a46 251852 net optional bind9_9.5.0.dfsg-0.diff.gz
66f61c817cf35e311dc6a87a05adb28c 23560 libs optional
libisccc40_9.5.0.dfsg-0_i386.deb
6c62b1e108ba916e1d689403d102209a 523012 libs standard
libdns42_9.5.0.dfsg-0_i386.deb
6d5f8ed9c929e8a0ed664e74097d21f4 28490 libs standard
libbind9-40_9.5.0.dfsg-0_i386.deb
9eae230c2563f78c29664c5b2ef87db8 921 net optional bind9_9.5.0.dfsg-0.dsc
86abf364c3afd8ca93d87da7e6a03493 5199051 net optional
bind9_9.5.0.dfsg.orig.tar.gz
941dff457348a3290087672993edec49 40588 libs standard
liblwres40_9.5.0.dfsg-0_i386.deb
b5ceec0ccbefe21f4ef07bf1f729c93b 226936 net optional
bind9_9.5.0.dfsg-0_i386.deb
b7deee514d57449be560e801639af6a0 136882 libs standard
libisc41_9.5.0.dfsg-0_i386.deb
dcb04bc7b00b397c8942e9d97767f2c0 184916 net optional
lwresd_9.5.0.dfsg-0_i386.deb
de74001f854318e44c87a36e950149fc 113582 net standard
dnsutils_9.5.0.dfsg-0_i386.deb
f5be242a9202d9ba2a2c7555dc4b3168 45030 net standard
bind9-host_9.5.0.dfsg-0_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIP4s1zN/kmwoKyScRAh4HAKCK7gSub2cVAs5CzV/e3Sryg7dQtACdGLM4
QN9swnMz1tcJlgQWV76+gUw=
=slyq
-----END PGP SIGNATURE-----
--- End Message ---