ports/143550: [PATCH] dns/nsd - Permission related issues with nsd port

Marko Njezic mrmax063 at maxempire.com
Thu Feb 4 11:00:01 UTC 2010


>Number:         143550
>Category:       ports
>Synopsis:       [PATCH] dns/nsd - Permission related issues with nsd port
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 04 11:00:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Marko Njezic
>Release:        8.0-RELEASE-p2
>Organization:
MAX Interactive corp.
>Environment:
FreeBSD vmbsd 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #0: Tue Jan  5 16:02:27 UTC 2010     root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
After stopping the nsd daemon, its pidfile can't be removed, since nsd is not running as root and the pidfile is inside the root-owned /var/run directory. One solution would be to use the same technique as bind, by storing the pidfile in a separate directory inside /var/run that is owned by the same user nsd runs as.

Also, after stopping the nsd daemon, it can't store its xfrdfile and difffile inside the default /var/db/nsd directory, since it's root-owned and nsd is not running as root. The solution is to chown nsd's database directory to the same user nsd runs as. The nsd port used to perform the chown until port version 3.2.2, when that part was removed from the Makefile.

It would be nice if the nsd startup script read the pidfile location from nsd's configuration file, because if the pidfile location is changed (i.e. due to a chroot config), the startup script would need to be edited by hand, since the pidfile location is hard-coded.

I've provided a patch that fixes the above-mentioned permission-related issues and also modifies the nsd startup script to read the pidfile location from nsd's configuration.

>How-To-Repeat:
[root at vmbsd]:/root> /usr/local/etc/rc.d/nsd start
Starting nsd.
[root at vmbsd]:/root> /usr/local/etc/rc.d/nsd stop
Merging nsd zone transfer changes to zone files.
nsdc: no patch necessary.
Stopping nsd.
[root at vmbsd]:/root> tail -n 3 /var/log/messages
Feb  4 11:25:11 vmbsd nsd[55043]: signal received, shutting down...
Feb  4 11:25:11 vmbsd nsd[55043]: failed to unlink pidfile /var/run/nsd.pid: Permission denied
Feb  4 11:25:11 vmbsd nsd[55044]: xfrd: Could not open file /var/db/nsd/xfrd.state for writing: Permission denied

>Fix:
Apply the suggested patch file.

Patch attached with submission follows:

diff -Naur nsd.original/Makefile nsd/Makefile
--- nsd.original/Makefile	2010-01-12 01:41:22.000000000 +0100
+++ nsd/Makefile	2010-02-04 10:50:18.000000000 +0100
@@ -19,13 +19,24 @@
 USE_RC_SUBR=	nsd
 
 NSDUSER?=	bind
-NSD_LSD=	/var
+NSDGROUP?=	bind
+NSDLSDIR=	/var
+NSDDBDIR=	/var/db/nsd
+NSDRUNDIR=	/var/run/nsd
 NSDMAX_INT?=	512
 
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--with-user=${NSDUSER} \
 		--with-configdir=${PREFIX}/etc/nsd \
-		--localstatedir=${NSD_LSD}
+		--localstatedir=${NSDLSDIR} \
+		--with-dbfile=${NSDDBDIR}/nsd.db \
+		--with-pidfile=${NSDRUNDIR}/nsd.pid
+
+SUB_FILES=	pkg-install pkg-deinstall
+SUB_LIST+=	NSDUSER=${NSDUSER} \
+		NSDGROUP=${NSDGROUP} \
+		NSDDBDIR=${NSDDBDIR} \
+		NSDRUNDIR=${NSDRUNDIR}
 
 USE_OPENSSL=	yes
 
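Review bot: `SUB_FILES=` is a plain assignment while `USE_RC_SUBR= nsd` above relies on the framework adding `nsd` to SUB_FILES; write `SUB_FILES+= pkg-install pkg-deinstall` so the rc script keeps being substituted regardless of evaluation order. Also, NSDUSER and NSDGROUP use `?=` but NSDDBDIR and NSDRUNDIR use `=`; if the directories are meant to be tunable like the user, make them `?=` too, otherwise a site that overrides NSDUSER still gets directories owned by a different default path layout than it expects.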
@@ -120,6 +131,7 @@
 	${INSTALL_DATA} ${WRKSRC}/doc/${f} ${DOCSDIR}/${f}
 .endfor
 .endif
+	@${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
 	@${CAT} ${PKGMESSAGE}
 
 .include <bsd.port.post.mk>
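Review bot: the explicit `${PKGINSTALL} ${PKGNAME} POST-INSTALL` call covers `make install` only (pkg_add runs the script itself), and it runs on every reinstall, so the script must stay idempotent; with `install -d` and `chown` it is, but note the hook runs as root at port-install time and will fail the install if the configured NSDUSER does not exist at that point.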
diff -Naur nsd.original/files/nsd.in nsd/files/nsd.in
--- nsd.original/files/nsd.in	2009-01-16 01:30:07.000000000 +0100
+++ nsd/files/nsd.in	2010-02-04 00:39:39.000000000 +0100
@@ -18,7 +18,7 @@
 required_files=%%PREFIX%%/etc/nsd/nsd.conf
 
 command=%%PREFIX%%/sbin/${name}
-pidfile=/var/run/${name}.pid
+pidfile=`%%PREFIX%%/sbin/nsd-checkconf -o pidfile %%PREFIX%%/etc/nsd/nsd.conf`
 
 load_rc_config ${name}
 
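Review bot: the backtick substitution runs when the rc script is sourced, before `load_rc_config` and before the `required_files` check, so a missing or unparseable nsd.conf prints an nsd-checkconf error on every `service` call and leaves `pidfile` empty, which breaks stop/status. Suggest silencing stderr and keeping a fallback, e.g. `pidfile=$(%%PREFIX%%/sbin/nsd-checkconf -o pidfile %%PREFIX%%/etc/nsd/nsd.conf 2>/dev/null)` followed by `: ${pidfile:=/var/run/nsd/nsd.pid}`; that also keeps the value overridable from rc.conf if the assignment is moved after `load_rc_config`.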
diff -Naur nsd.original/files/pkg-deinstall.in nsd/files/pkg-deinstall.in
--- nsd.original/files/pkg-deinstall.in	1970-01-01 01:00:00.000000000 +0100
+++ nsd/files/pkg-deinstall.in	2010-02-04 10:46:15.000000000 +0100
@@ -0,0 +1,17 @@
+#!/bin/sh
+# $FreeBSD$
+
+PATH="/bin:/sbin:/usr/bin:/usr/sbin"
+
+NSDDBDIR=%%NSDDBDIR%%
+NSDRUNDIR=%%NSDRUNDIR%%
+
+if [ "$2" = "POST-DEINSTALL" ]; then
+	echo "=> Deleting ${NSDDBDIR} if empty..."
+	rm -d ${NSDDBDIR}  2>/dev/null || true
+	echo "=> Deleting ${NSDRUNDIR} if empty..."
+	rm -d ${NSDRUNDIR} 2>/dev/null || true
+fi
+
+exit 0
+
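Review bot: `rm -d` is a FreeBSD extension; `rmdir` is the portable spelling and already has the "only if empty" semantics the echo describes, so `rmdir ${NSDDBDIR} 2>/dev/null || true` is clearer. The "Deleting ... if empty" message is printed even when the directory is kept because nsd.db or xfrd.state are still in it; consider printing only on success. The final added empty line leaves a trailing blank line at EOF and should be dropped.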
diff -Naur nsd.original/files/pkg-install.in nsd/files/pkg-install.in
--- nsd.original/files/pkg-install.in	1970-01-01 01:00:00.000000000 +0100
+++ nsd/files/pkg-install.in	2010-02-04 10:50:37.000000000 +0100
@@ -0,0 +1,20 @@
+#!/bin/sh
+# $FreeBSD$
+
+PATH="/bin:/sbin:/usr/bin:/usr/sbin"
+
+NSDUSER=%%NSDUSER%%
+NSDGROUP=%%NSDGROUP%%
+NSDDBDIR=%%NSDDBDIR%%
+NSDRUNDIR=%%NSDRUNDIR%%
+
+CHOWN="chown"
+INSTALL_DIR="install -d -o ${NSDUSER} -g ${NSDGROUP} -m 0755"
+
+if [ "$2" = "POST-INSTALL" ]; then
+	${INSTALL_DIR} ${NSDDBDIR} ${NSDRUNDIR}
+	${CHOWN} -R ${NSDUSER}:${NSDGROUP} ${NSDDBDIR} ${NSDRUNDIR}
+fi
+
+exit 0
+
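Review bot: `chown -R` over ${NSDDBDIR} and ${NSDRUNDIR} recurses into directories that, after the first install, are already owned and writable by the unprivileged nsd user, so it re-owns anything that user has placed there; since `install -d -o -g` already sets ownership on creation, drop `-R` and chown only the directories themselves (and, if needed for upgrades from pre-3.2.2 layouts, the known files nsd.db, xfrd.state and ixfr.db by name). `install -d` also exits non-zero when the user or group does not exist, which is fine for the base-system `bind` default but means a custom NSDUSER must be created first. The trailing empty `+` line at EOF should go.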
diff -Naur nsd.original/pkg-message nsd/pkg-message
--- nsd.original/pkg-message	2004-05-29 14:23:56.000000000 +0200
+++ nsd/pkg-message	2010-02-04 10:20:05.000000000 +0100
@@ -2,4 +2,8 @@
 *                                                                        *
 *   To run nsd from startup, add nsd_enable="YES" to your /etc/rc.conf   *
 *                                                                        *
+*   Take good care when using nsd commands, since they often need to     *
+*   be executed as user dedicated to nsd, in order for the files it      *
+*   touches or creates to have the proper permissions.                   *
+*                                                                        *
 **************************************************************************
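Review bot: the new paragraph tells the admin to run nsd commands "as user dedicated to nsd" without saying which user that is; either name the default (bind) or add pkg-message to SUB_FILES and substitute %%NSDUSER%% (note pkg-message is not in the SUB_FILES list in the Makefile hunk, so %%NSDUSER%% would not expand as written). Wording: "as the user dedicated to nsd".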
diff -Naur nsd.original/pkg-plist nsd/pkg-plist
--- nsd.original/pkg-plist	2009-05-19 14:44:02.000000000 +0200
+++ nsd/pkg-plist	2010-02-04 10:48:31.000000000 +0100
@@ -6,4 +6,4 @@
 sbin/nsd-xfer
 sbin/nsdc
 sbin/zonec
- at dirrm etc/nsd
+ at dirrmtry etc/nsd
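Review bot: switching to @dirrmtry is right, since etc/nsd normally holds the admin's nsd.conf, which the plist does not own and which @dirrm would fail on. The mailing-list archive has rewritten the leading `@` as ` at ` in both lines here, so apply the change from the original attachment rather than from this rendering.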


>Release-Note:
>Audit-Trail:
>Unformatted:
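As an added check (not part of the PR or the port), the following sh script verifies what the patch is meant to guarantee: the pidfile directory and the database directory are owned by the user nsd runs as, so shutdown can unlink the pidfile and xfrd can write its state. It reads the pidfile path with `nsd-checkconf -o pidfile` as the patched rc script does, falls back to the port default /var/run/nsd/nsd.pid, and takes the user name and db directory as arguments (the usage line assumes the port defaults NSDUSER=bind and /var/db/nsd).

```shell
#!/bin/sh
# Added example, not from the PR: check that nsd's pidfile directory and
# database directory are owned by the unprivileged user nsd runs as.
# Assumptions: "bind" and /var/db/nsd are the port defaults; nsd-checkconf
# may be absent, in which case the port's default pidfile path is used.

# dir_owner DIR -> prints the owner of DIR (works with BSD and GNU ls)
dir_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_dir_owner DIR USER -> 0 if DIR exists and is owned by USER, else 1
check_dir_owner() {
    if [ ! -d "$1" ]; then
        echo "missing directory: $1" >&2
        return 1
    fi
    owner=$(dir_owner "$1")
    if [ "$owner" != "$2" ]; then
        echo "$1 is owned by $owner, expected $2" >&2
        return 1
    fi
    return 0
}

# nsd_pidfile CONF -> pidfile path from nsd.conf, or the port default
nsd_pidfile() {
    p=$(nsd-checkconf -o pidfile "$1" 2>/dev/null) || p=""
    echo "${p:-/var/run/nsd/nsd.pid}"
}

# check_nsd_perms USER CONF DBDIR -> 0 only if both directories pass
check_nsd_perms() {
    rc=0
    check_dir_owner "$(dirname "$(nsd_pidfile "$2")")" "$1" || rc=1
    check_dir_owner "$3" "$1" || rc=1
    return $rc
}

# Usage on a FreeBSD host with the patched port installed:
# check_nsd_perms bind /usr/local/etc/nsd/nsd.conf /var/db/nsd && echo OK
```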


