On Fri, May 2, 2008 at 7:54 PM, Alain Spineux <[EMAIL PROTECTED]> wrote:
> On Fri, May 2, 2008 at 5:23 PM, Ralf S. Engelschall <[EMAIL PROTECTED]> wrote:
> > On Fri, May 02, 2008, Alain Spineux wrote:
> >
> > > On Fri, May 2, 2008 at 8:17 AM, Ralf S. Engelschall <[EMAIL PROTECTED]> wrote:
> > > > On Fri, May 02, 2008, Alain Spineux wrote:
> > > >
> > > > > [...]
> > > >
> > > > > # /kolab/sbin/named -u kolab-r -g
> > > > > [...]
> > > >
> > > > > controls {
> > > > > unix "/kolab/var/bind/named.ctl"
> > > > > perm 0600 owner 19415 group 19415
> > > > > keys { "rndc-key"; };
> > > > > #inet 127.0.0.1 port 953
> > > > > #allow { 127.0.0.1; }
> > > > > #keys { "rndc-key"; };
> > > > > };
> > > > > [...]
> > > > >
> > > > > Any idea what's wrong ?
> > > >
> > > > Is UID 19415 really the "kolab-r" user?
> > >
> > > Yes :-)
> > >
> > > I looked further and found this is a "capability" problem, I removed
> > > the two calls to linux_setcaps in bind-9.4.2/bin/named/unix/os.c
> > > and all (the "bind" and the "chown") the problems disappeared.
> > >
> > > I think this is a bind bug, not openpkg related !
> > > They should set up the correct capabilities for linux platform.
> > >
> > > Any comments ?
> >
> > I would say: please file a bug report with the BIND developer team. If
>
> I will try.
>
> > you in parallel could find out what the _correct_ way is to initialize
> > the Linux capability stuff, I'm also happy to include a patch into the
> > "bind" package to fix this until a fixed new BIND version is released.
> > But just removing the two calls I think might be too extreme. Can the
> > _real_ problem be fixed: the reason why it actually breaks?
>
> I looked at it but didn't find all the "capabilities" to enable !
>
> >
> > I've not tested the following, but as a wild guess perhaps the
> > following solves the problem:
>
> I found this too, this solves the chown(), but not the bind() !
> For the bind I simply did a
> # chmod g+w /kolab/var/bind
>
> Then only two small things to change until the BIND developer team reacts :-)
>
I didn't get any answer from bind's Team until now, except the ACK. Do you plan to fix this in your package ?

> Regards.
> >
> >
> > Index: bin/named/unix/os.c > > --- bin/named/unix/os.c.orig 2006-02-04 00:51:38 +0100 > > +++ bin/named/unix/os.c 2008-05-02 17:25:33 +0200 > > @@ -212,6 +212,11 @@ > > caps |= (1 << CAP_SETGID); > > > > /* > > + * Since we call chown, we need this. > > + */ > > + caps |= (1 << CAP_CHOWN); > > + > > + /* > > * Without this, we run into problems reading a configuration file > > * owned by a non-root user and non-world-readable on startup. > > */
> >
> >
> > Ralf S. Engelschall
> > [EMAIL PROTECTED]
> > www.engelschall.com
> >
> > ______________________________________________________________________
> > OpenPKG http://openpkg.org
> > User Communication List openpkg-users@openpkg.org
> >
>
> --
> Alain Spineux
> aspineux gmail com
> May the sources be with you
>

--
Alain Spineux
aspineux gmail com
May the sources be with you
______________________________________________________________________
OpenPKG http://openpkg.org
User Communication List openpkg-users@openpkg.org
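
Review bot: the comment added above `caps |= (1 << CAP_CHOWN);` says only "Since we call chown, we need this", which does not tell a later reader which chown is meant or how long the capability is held. Name the caller (in this thread it is the `owner`/`group` setting on the `controls { unix ... }` socket) and state whether this mask is also the set kept after switching to the `-u` user, because CAP_CHOWN permits changing the ownership of arbitrary files and is better dropped once the control socket exists. The patch is posted as untested, and the reply reports that it clears the chown() failure but not the bind() failure, which was worked around with `chmod g+w /kolab/var/bind`; the description should say that this hunk is a partial fix.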