Bug#584911: [Pkg-openssl-devel] Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-10 Thread Gebauer, Mirko (FRA-MRM)
>>> reassign 584911 openssl 0.9.8g-15+lenny6
>> Bug #584911 [bind9] bind9: hard-coded dependency on
>> /usr/lib/ssl/openssl.cnf might cause trouble
>
> I agree that the documentation does not match the behaviour.
>
> As far as I know, there never is a reason to remove the
> world-readable permission, so I'm lowering the severity.

The file could contain (default-)passwords (input_password, output_password), 
and therefore it could sometimes be preferred not to be world-readable.

I still don't understand why newer bind9-packages suddenly are so interested in 
this file, while previous versions seemingly didn't care about it.

Best regards,
Mirko Gebauer






--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#584911: [Pkg-openssl-devel] Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-10 Thread Kurt Roeckx
On Thu, Jun 10, 2010 at 05:20:42AM -0500, Gebauer, Mirko (FRA-MRM) wrote:
>>>> reassign 584911 openssl 0.9.8g-15+lenny6
>>> Bug #584911 [bind9] bind9: hard-coded dependency on
>>> /usr/lib/ssl/openssl.cnf might cause trouble
>>>
>>> I agree that the documentation does not match the behaviour.
>>>
>>> As far as I know, there never is a reason to remove the
>>> world-readable permission, so I'm lowering the severity.
>>
>> The file could contain (default-)passwords (input_password, output_password),
>> and therefore it could sometimes be preferred not to be world-readable.

I can't find any password setting in either the documentation
or the code.


Kurt







Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-10 Thread Florian Weimer
* Mirko Gebauer:

> I'm still curious why the bug we've stumbled upon in OpenSSL was no
> issue in previous versions of bind9 in lenny?

The switch from BIND 9.5 to BIND 9.6 changed the way the OpenSSL
library is initialized.






Bug#584911: [Pkg-openssl-devel] Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-10 Thread Florian Weimer
* Kurt Roeckx:

> I can't find any password setting in either the documentation
> or the code.

Uhm, see req(1), for instance:

   input_password output_password
   The passwords for the input private key file (if present) and the
   output private key file (if one will be created). The command line
   options passin and passout override the configuration file values.






Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-09 Thread Gebauer, Mirko (FRA-MRM)
Thanks Florian, for your prompt responses. And please excuse the ugly e-mail 
style without proper line wrappings that Outlook (company...) causes in 
Debian's BTS.

I'm still curious why the bug we've stumbled upon in OpenSSL was no issue in 
previous versions of bind9 in lenny?

Best regards,
Mirko Gebauer









Bug#584911: [Pkg-openssl-devel] Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-09 Thread Kurt Roeckx
severity 584911 important
thanks

On Tue, Jun 08, 2010 at 09:03:13PM +, Debian Bug Tracking System wrote:
> Processing commands for cont...@bugs.debian.org:
>
>> reassign 584911 openssl 0.9.8g-15+lenny6
> Bug #584911 [bind9] bind9: hard-coded dependency on
> /usr/lib/ssl/openssl.cnf might cause trouble

I agree that the documentation does not match the behaviour.

As far as I know, there never is a reason to remove the
world-readable permission, so I'm lowering the severity.

I should probably move that file to the libssl0.9.8 package.


Kurt







Bug#584911: [Pkg-openssl-devel] Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-09 Thread Julien Cristau
On Wed, Jun  9, 2010 at 18:59:37 +0200, Kurt Roeckx wrote:

> severity 584911 important
> thanks
>
> On Tue, Jun 08, 2010 at 09:03:13PM +, Debian Bug Tracking System wrote:
>> Processing commands for cont...@bugs.debian.org:
>>
>>> reassign 584911 openssl 0.9.8g-15+lenny6
>> Bug #584911 [bind9] bind9: hard-coded dependency on
>> /usr/lib/ssl/openssl.cnf might cause trouble
>
> I agree that the documentation does not match the behaviour.
>
> As far as I know, there never is a reason to remove the
> world-readable permission, so I'm lowering the severity.
>
> I should probably move that file to the libssl0.9.8 package.
>
Configuration files in shared library packages are a bad idea.  Even
worse if they're not versioned.

Cheers,
Julien




Bug#584911: [Pkg-openssl-devel] Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-09 Thread Florian Weimer
* Kurt Roeckx:

> severity 584911 important
> thanks
>
> On Tue, Jun 08, 2010 at 09:03:13PM +, Debian Bug Tracking System wrote:
>> Processing commands for cont...@bugs.debian.org:
>>
>>> reassign 584911 openssl 0.9.8g-15+lenny6
>> Bug #584911 [bind9] bind9: hard-coded dependency on
>> /usr/lib/ssl/openssl.cnf might cause trouble
>
> I agree that the documentation does not match the behaviour.
>
> As far as I know, there never is a reason to remove the
> world-readable permission, so I'm lowering the severity.

Yeah, that's appropriate.

> I should probably move that file to the libssl0.9.8 package.

I don't think the location matters.  There's only a problem if the
file exists, but is not readable.  As long as it does not exist,
everything should be fine.






Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-08 Thread Gebauer, Mirko (FRA-MRM)
> BIND uses the NULL argument, as far as I can tell.  So this might be
> an OpenSSL bug.

Well, all I can say is that bind9 as provided by the package version 
1:9.5.1.dfsg.P3-1+lenny1 doesn't show the reported behavior, and that both 
1:9.5.1.dfsg.P3-1+lenny1 and the current 1:9.6.ESV.R1+dfsg-0+lenny1 depend 
on the same version of libssl0.9.8.

Since I'm not really an expert in building Debian packages, I'll leave the 
conclusion to people that have more knowledge on the subject than me :-)

Best regards,
Mirko Gebauer

P.S.: This also affects bind9-host (version 1:9.6.ESV.R1+dfsg-0+lenny1); if 
a user that invokes the host command provided via bind9-host lacks the 
permission to read the target of /usr/lib/ssl/openssl.cnf, he gets the same 
nice error feedback.









Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-08 Thread Florian Weimer
reassign 584911 openssl 0.9.8g-15+lenny6
retitle 584911 unreadable /usr/lib/ssl/openssl.cnf file breaks OPENSSL_config
thanks

* Mirko Gebauer:

>> BIND uses the NULL argument, as far as I can tell.  So this might be
>> an OpenSSL bug.
>
> Well, all I can say is that bind9 as provided by the package version
> 1:9.5.1.dfsg.P3-1+lenny1 doesn't show the reported behavior, and
> that both 1:9.5.1.dfsg.P3-1+lenny1 and the current
> 1:9.6.ESV.R1+dfsg-0+lenny1 depend on the same version of
> libssl0.9.8.

This is a bug in OpenSSL, and it is impossible to work around in
bind9, unfortunately.  Here's the relevant excerpt from

    /* end of OPENSSL_config(): only a *missing* file is tolerated by
     * CONF_MFLAGS_IGNORE_MISSING_FILE; any other load failure is fatal */
    ERR_clear_error();
    if (CONF_modules_load_file(NULL, config_name,
            CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0)
        {
        BIO *bio_err;
        ERR_load_crypto_strings();
        if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
            {
            BIO_printf(bio_err,"Auto configuration failed\n");
            ERR_print_errors(bio_err);
            BIO_free(bio_err);
            }
        exit(1);   /* no return code for the caller: the process is gone */
        }

    return;
    }

The problem is that it's not ignoring permission errors, in contrast
to what's promised in the manual page.  And there doesn't appear to be
a way to bypass that exit(1) call.

I guess the only viable fix is to keep /etc/ssl/openssl.cnf
world-readable.






Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-07 Thread Gebauer, Mirko (FRA-MRM)
Package: bind9
Version: 1:9.6.ESV.R1+dfsg-0+lenny1
Severity: serious

(This also seems to affect newer versions of bind9; also tested with 
1:9.7.0.dfsg.P1-1~bpo50+1 from backports.)

I had to invest quite some time today in figuring out why the recent security 
update for bind9 worked fine on all our systems running lenny, but failed on 
the primary DNS server. Unfortunately, the syslog output gives no clue as to 
why bind9 fails to start:

07-Jun-2010 15:06:22.132 starting BIND 9.6-ESV-R1 -c /etc/bind/named.conf -g -u 
bind
07-Jun-2010 15:06:22.132 built with '--prefix=/usr' '--build=x86_64-linux-gnu' 
'--host=x86_64-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' 
'--sysconfdir=/etc/bind' '--localstatedir=/var/run/bind' '--enable-threads' 
'--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' 
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' 
'--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' 
'--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' 
'--enable-ipv6' 'build_alias=x86_64-linux-gnu' 'host_alias=x86_64-linux-gnu' 
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=' 'CPPFLAGS=' 
'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
07-Jun-2010 15:06:22.132 adjusted limit on open files from 1024 to 1048576
07-Jun-2010 15:06:22.132 found 4 CPUs, using 4 worker threads
07-Jun-2010 15:06:22.132 using up to 4096 sockets

Running bind9 manually nets the missing information:

# named -c /etc/bind/named.conf -g -u bind
07-Jun-2010 15:06:22.132 starting BIND 9.6-ESV-R1 -c /etc/bind/named.conf -g -u 
bind
07-Jun-2010 15:06:22.132 built with '--prefix=/usr' '--build=x86_64-linux-gnu' 
'--host=x86_64-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' 
'--sysconfdir=/etc/bind' '--localstatedir=/var/run/bind' '--enable-threads' 
'--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' 
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' 
'--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' 
'--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' 
'--enable-ipv6' 'build_alias=x86_64-linux-gnu' 'host_alias=x86_64-linux-gnu' 
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=' 'CPPFLAGS=' 
'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
07-Jun-2010 15:06:22.132 adjusted limit on open files from 1024 to 1048576
07-Jun-2010 15:06:22.132 found 4 CPUs, using 4 worker threads
07-Jun-2010 15:06:22.132 using up to 4096 sockets
Auto configuration failed
140502524483328:error:0200100D:system library:fopen:Permission 
denied:bss_file.c:122:fopen('/usr/lib/ssl/openssl.cnf','rb')
140502524483328:error:2006D002:BIO routines:BIO_new_file:system 
lib:bss_file.c:127:
140502524483328:error:0E078002:configuration file routines:DEF_LOAD:system 
lib:conf_def.c:199:

/usr/lib/ssl/openssl.cnf is a symlink to /etc/ssl/openssl.cnf, both 
provided by the package openssl. Unfortunately, on the respective machine, 
/etc/ssl/openssl.cnf is modified and not world-readable as it is by default 
after installing the openssl package.

If openssl is not installed and therefore /usr/lib/ssl/openssl.cnf does not 
exist (like on our secondary DNS server), everything is fine. But if the file, 
or symlink in this case, does exist, but (its target) is not readable for the 
user the named process runs as, then *bang*.

I think the point is, bind9 should not expect to be able to read configuration 
files from other packages that it does not depend on. Also, if a dependency on 
openssl is explicit and intentional, then users should be warned if some 
configuration files need to be readable by the user the named process runs as. 
I clearly was not expecting that there is a connection between bind9 and 
openssl whatsoever.

Best regards,
Mirko Gebauer











Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-07 Thread Florian Weimer
* Mirko Gebauer:

> /usr/lib/ssl/openssl.cnf is a symlink to /etc/ssl/openssl.cnf,
> both provided by the package openssl. Unfortunately, on the
> respective machine, /etc/ssl/openssl.cnf is modified and not
> world-readable as it is by default after installing the openssl
> package.

Thanks for tracking this down.  I suspect that this is due to the
OPENSSL_config() call, but I need to check this in a debugger to be
sure.

However, OpenSSL's documentation says this:

   OPENSSL_config() configures OpenSSL using the standard
   openssl.cnf configuration file name using config_name. If
   config_name is NULL then the default name openssl_conf will be
   used. Any errors are ignored.

BIND uses the NULL argument, as far as I can tell.  So this might be
an OpenSSL bug.


