root.hints - apparmor access error with Bind from PPA

2021-06-03 Thread 3coma3
Dear list:

I've used the PPA at https://launchpad.net/~isc/+archive/ubuntu/bind to
upgrade bind from 9.11.3+dfsg-1ubuntu1.15 (current version for
bionic-{updates,security}) to 9.16.16-2+ubuntu18.04.1+isc+1

(I was needing to use the validate-except clause and this new version
supports it)

After the upgrade, attempting to start the named service failed with
this error:

Jun  3 22:03:53 top named[19946]: could not configure root hints from '/usr/share/dns/root.hints': permission denied

Right below that apparmor logs this:

Jun  3 22:03:53 top kernel: [17981.067014] audit: type=1400
audit(1622768633.158:559): apparmor="DENIED" operation="open"
profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946
comm="isc-worker" requested_mask="r" denied_mask="r" fsuid=129 ouid=0


What's puzzling is that the apparmor profile apparently allows the read
at line 36:

find /etc/apparmor.d -type f | xargs grep -n '/usr/share/dns'
/etc/apparmor.d/usr.sbin.named:36:  /usr/share/dns/root.* r,

dpkg -S /etc/apparmor.d/usr.sbin.named
bind9: /etc/apparmor.d/usr.sbin.named

apt-cache policy bind9
bind9:
  Installed: 1:9.16.16-2+ubuntu18.04.1+isc+1
  Candidate: 1:9.16.16-2+ubuntu18.04.1+isc+1
  Version table:
 *** 1:9.16.16-2+ubuntu18.04.1+isc+1 500
    500 http://ppa.launchpad.net/isc/bind/ubuntu bionic/main amd64 Packages
    100 /var/lib/dpkg/status
 1:9.11.3+dfsg-1ubuntu1.15 500
    500 http://mirrors.us.kernel.org/ubuntu bionic-updates/main amd64 Packages
    500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
 1:9.11.3+dfsg-1ubuntu1 500
    500 http://mirrors.us.kernel.org/ubuntu bionic/main amd64 Packages


Although the error appears not to be related to file permissions, here
it is for completeness:

ls -la /usr/share/dns
total 28
drwxr-xr-x   2 root root    55 dic 13  2019 .
drwxr-xr-x 457 root root 12288 jun  3 21:44 ..
-rw-r--r--   1 root root   166 feb  1  2018 root.ds
-rw-r--r--   1 root root  3315 feb  1  2018 root.hints
-rw-r--r--   1 root root   864 feb  1  2018 root.key


It helped me to find a previous report at
https://lists.isc.org/pipermail/bind-users/2020-July/103454.html

And then I ended up solving the problem as Brett did there, by copying
/usr/share/dns to /etc/bind/dns and changing the zone definition.

Still, I am reporting this in case it's affecting someone else, and
because maybe you have an idea as to what's going on with apparmor
here. I'm not very knowledgeable about it and would appreciate any info /
help to solve the root cause (and maybe learn something).

Thanks in advance


full log:

Jun  3 22:03:53 top systemd[1]: Started BIND Domain Name Server.
Jun  3 22:03:53 top named[19946]: starting BIND 9.16.16-Ubuntu (Stable
Release) 
Jun  3 22:03:53 top named[19946]: running on Linux x86_64
5.6.7-050607-generic #202004230933 SMP Thu Apr 23 09:35:28 UTC 2020
Jun  3 22:03:53 top named[19946]: built with '--build=x86_64-linux-gnu'
'--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu'
'--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu'
'--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
'--enable-threads' '--enable-largefile' '--with-libtool'
'--enable-shared' '--enable-static' '--with-gost=no'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2'
'--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb'
'--with-atf=no' '--enable-ipv6' '--enable-rrl'
'--enable-filter-' '--disable-native-pkcs11' '--enable-dnstap'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2
-fdebug-prefix-map=/build/bind9-suAN9q/bind9-9.16.16=. -fstack-protector-strong
-Wformat -Werror=format-security -fno-strict-aliasing
-fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE'
'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Jun  3 22:03:53 top named[19946]: running as: named -f -u bind
Jun  3 22:03:53 top named[19946]: compiled by GCC 7.5.0
Jun  3 22:03:53 top named[19946]: compiled with OpenSSL version: OpenSSL
1.1.1  11 Sep 2018
Jun  3 22:03:53 top named[19946]: linked to OpenSSL version: OpenSSL
1.1.1  11 Sep 2018
Jun  3 22:03:53 top named[19946]: compiled with libxml2 version: 2.9.4
Jun  3 22:03:53 top named[19946]: linked to libxml2 version: 20904
Jun  3 22:03:53 top named[19946]: compiled with json-c version: 0.12.1
Jun  3 22:03:53 top named[19946]: linked to json-c version: 0.12.1
Jun  3 22:03:53 top named[19946]: compiled with zlib version: 1.2.11
Jun  3 22:03:53 top named[19946]: linked to zlib version: 1.2.11
Jun  3 22:03:53 top named[19946]:

Jun  3 22:03:53 top named[19946]: BIND 9 is maintained by Internet
Systems Consortium,
Jun  3 22:03:53 top named[19946]: Inc. (ISC), a 
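A way to check the contradiction in the report above mechanically: parse the kernel audit record and test the denied path and mask against the rules in the on-disk profile. If an on-disk rule already covers the access, the profile the kernel enforces is probably not the one on disk (stale or never reloaded), which is a different fix than adding a rule. This is an added example, not code from the original post or from BIND/AppArmor; the two extra rules besides the quoted root.* line are assumed for illustration, and it handles only plain path rules (no owner/deny prefixes, no quoted paths).

```python
import re

# Constructed sample input: the audit record and the line-36 rule quoted in the post,
# plus two rules assumed for illustration (not from the post).
AUDIT_LINE = ('audit(1622768633.158:559): apparmor="DENIED" operation="open" '
              'profile="/usr/sbin/named" name="/usr/share/dns/root.hints" pid=19946 '
              'comm="isc-worker" requested_mask="r" denied_mask="r" fsuid=129 ouid=0')
PROFILE_RULES = ["/usr/share/dns/root.* r,", "/etc/bind/** r,", "/var/cache/bind/** rw,"]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Split an AppArmor audit record into a dict, stripping quotes from values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def glob_to_regex(glob):
    """AppArmor path globbing: '**' may cross '/', '*' and '?' may not, {a,b} alternates."""
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}":
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def rules_allowing(path, mask, rules):
    """Rules whose glob matches `path` and whose permission set covers every bit in `mask`."""
    hits = []
    for rule in rules:
        glob, perms = rule.rstrip(",").split()   # assumes plain "<path> <perms>," rules
        if re.match(glob_to_regex(glob), path) and set(mask) <= set(perms):
            hits.append(rule)
    return hits


def diagnose(line, rules):
    """Classify a DENIED record against the on-disk profile rules."""
    rec = parse_audit(line)
    if rec.get("apparmor") != "DENIED":
        return "not-a-denial"
    if rules_allowing(rec["name"], rec["denied_mask"], rules):
        return "rule-matches-on-disk"   # loaded profile likely differs from the file: reload it
    return "no-matching-rule"           # the profile really lacks the access: add a rule
```

For the "rule-matches-on-disk" case, compare what the kernel has loaded (`aa-status`) with the file and reload it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` before touching the zone configuration.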

Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Danny Mayer via bind-users


On 6/3/21 7:05 PM, Peter via bind-users wrote:

> Guess not even a subscription will not happen too.
>
> I'm having to try and do Bind on ubuntu and it just will not let me
> edit files like named.conf unless you do some voodoo that I don't
> understand and even updating the bind like how? Windows no problem you
> want to edit a file no problem can't edit a file/folder because of
> permissions you're an admin you can do that too. Bind is easy on windows.

That's because I didn't get to add the required security permissions to
the Windows implementation for the file/folders that it used. It was an
open item on the list to be addressed when I stopped working on it.
General users should not be able to edit the files. That's an admin role.

> On another note when you stop the bind service you get “windows could
> not stop ISC BIND service on local computer. Error 1067 the process
> terminated unexpectedly.” wonder if that be the last fix for 9.17.14.

I remember that from day 1. I'm not sure if we fixed that on ntpd. How
are you stopping named?

Danny


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Danny Mayer via bind-users



On 6/3/21 2:17 PM, Reindl Harald wrote:

> On 03.06.21 at 20:12, Danny Mayer via bind-users wrote:
>> I don't speak for ISC but it's important to understand that support
>> of an operating system costs money and unless a company or
>> organization is willing to step up with money it cannot be expected
>> to continue support. There was originally a need and the money for
>> BIND9 on Windows which is why the effort was made.
>
> that's an unproven claim

Sorry but I was talking about a specific customer who needed it and paid
for it.

Danny



Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Peter via bind-users

Guess not even a subscription will not happen too.

I'm having to try and do Bind on ubuntu and it just will not let me edit
files like named.conf unless you do some voodoo that I don't understand
and even updating the bind like how? Windows no problem you want to edit
a file no problem can't edit a file/folder because of permissions you're an
admin you can do that too. Bind is easy on windows.


On another note when you stop the bind service you get “windows could
not stop ISC BIND service on local computer. Error 1067 the process
terminated unexpectedly.” wonder if that be the last fix for 9.17.14.




Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Ondřej Surý
I am sorry, but I don’t follow. The catch is that the Windows support must be 
maintained for any new development and it doesn’t come for free. Sometimes we 
can’t even use what we need because there’s no support on Windows.

As an example - we are replacing the internal memory allocator with jemalloc 
for better thread performance and less memory fragmentation and just adding the 
library on Windows would be major PITA.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 3. 6. 2021, at 22:14, Peter via bind-users wrote:
> 
> Maybe they could release a bind for windows every year with limited support?
> But I guess bind will still work long after it's not supported which is the
> only good thing.


Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Peter via bind-users
Maybe they could release a bind for windows every year with limited
support? But I guess bind will still work long after it's not supported
which is the only good thing.



Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Reindl Harald




On 03.06.21 at 20:12, Danny Mayer via bind-users wrote:
> I don't speak for ISC but it's important to understand that support of
> an operating system costs money and unless a company or organization is
> willing to step up with money it cannot be expected to continue support.
> There was originally a need and the money for BIND9 on Windows which is
> why the effort was made.

that's an unproven claim

my unproven claim based on experience is that these days there was a
need for named, httpd, php, mysqld and so on on windows

these days where virtualization, WSL and containers exist that need is
more or less gone

> On 6/3/21 4:03 AM, Richard T.A. Neal wrote:
>> Thanks Vicky and Ondrej for providing clarity. I'll be sad to see it
>> when this happens but as I said in my original post I don't
>> underestimate the sheer amount of effort required to maintain BIND for
>> Windows going forwards so it's completely understandable that you want
>> to focus on platforms that are the most widely used and best
>> understood by ISC. The retention of the dig client for Windows, even
>> if unsupported, will indeed be welcomed by some.
>>
>> I'll shift my own focus back to BIND on Linux now as well, but I'll
>> retain a tertiary BIND server running 9.16 for Windows just so that I
>> can help out anyone who subsequently downloads and installs BIND for
>> Windows between now and its end-of-support date.



Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Danny Mayer via bind-users
I don't speak for ISC but it's important to understand that support of 
an operating system costs money and unless a company or organization is 
willing to step up with money it cannot be expected to continue support. 
There was originally a need and the money for BIND9 on Windows which is 
why the effort was made.


FWIW.

Danny

On 6/3/21 4:03 AM, Richard T.A. Neal wrote:

> Thanks Vicky and Ondrej for providing clarity. I'll be sad to see it when this
> happens but as I said in my original post I don't underestimate the sheer
> amount of effort required to maintain BIND for Windows going forwards so it's
> completely understandable that you want to focus on platforms that are the most
> widely used and best understood by ISC. The retention of the dig client for
> Windows, even if unsupported, will indeed be welcomed by some.
>
> I'll shift my own focus back to BIND on Linux now as well, but I'll retain a
> tertiary BIND server running 9.16 for Windows just so that I can help out
> anyone who subsequently downloads and installs BIND for Windows between now and
> its end-of-support date.
>
> Best,
>
> Richard.


RE: Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Richard T.A. Neal
Thanks Vicky and Ondrej for providing clarity. I'll be sad to see it when this 
happens but as I said in my original post I don't underestimate the sheer 
amount of effort required to maintain BIND for Windows going forwards so it's 
completely understandable that you want to focus on platforms that are the most 
widely used and best understood by ISC. The retention of the dig client for 
Windows, even if unsupported, will indeed be welcomed by some.

I'll shift my own focus back to BIND on Linux now as well, but I'll retain a 
tertiary BIND server running 9.16 for Windows just so that I can help out 
anyone who subsequently downloads and installs BIND for Windows between now and 
its end-of-support date.

Best,

Richard.