debug to file and reload while !root

Håkan Olsson ho at gbg.netman.se
Wed Aug 25 14:36:09 UTC 1999


Hi!

Does anyone have any thoughts on the following?

I start named for example as 'named -t /var/named -u named -d 99'.

named starts, chroot()'s to /var/named, initializes, which here includes
creating a file for the debugging info, and finally does the setuid() to
pseudo-user 'named'.

After this, reloading the nameserver will cause it to complain of being
unable to (re)open the logfile, after which named will just exit... my
last syslogged lines are:

...
Aug 25 16:02:10 q named[31596]: reloading nameserver
Aug 25 16:02:10 q named[31596]: log_open_stream: open(/var/tmp/named.run) failed: Permission denied
Aug 25 16:02:10 q named[31596]: log_open_stream: open(/var/tmp/named.run) failed: Permission denied
Aug 25 16:02:10 q named[31596]: log_open_stream: open(/dev/null) failed: Permission denied
Aug 25 16:02:10 q named[31596]: couldn't open null channel

After this, named silently dies.

The open fails because the log file was created by root, not the
pseudo-user. A manual 'chown' of the file makes things work again.

Is there any reason why the logging channels are set up before the
setuid()?  I suppose there may very well be, but I can't think of any
such reasons offhand...

I can see a number of solutions; either do the setuid() earlier, which may
cause other initializations that depend on root privs to fail. Or move the
log channel creation after the setuid(). Or cause the created log file(s)
to be owned by 'user_name' (as set in ns_main.c). This may be the best
solution, although it would require some modifications to libbind code,
isc/logging.c, perhaps a new call or the inclusion of user and group into
the log_file_desc struct...?

Any thoughts?

//Håkan

PS. This is in 8.2.1, btw.

--
Håkan Olsson           Email: hakan at netman.se   Fax: (+46)31 779 7844
Network Management AB  Tel  : (+46)31 779 7840  Mob: (+46)708 437 337

PGP bits/KeyID  : 1024/CED5D55 1998/02/13 Hakan Olsson <ho at netman.se>
Key fingerprint :     4D 50 9F 03 ED A9 37 BD B6 16 96 59 22 C9 85 1D


