Package: bind9
Version: 1:9.8.1.dfsg.P1-4
Severity: normal

I have something like this in my log


Apr 25 20:13:40 romeo named[1483]: dumping master file: /etc/bind/tmp-MUHtsluL4X: open: permission denied
Apr 25 20:25:03 romeo named[1483]: dumping master file: /etc/bind/tmp-RLCFvXEOhm: open: permission denied
Apr 25 20:38:49 romeo named[1483]: dumping master file: /etc/bind/tmp-xt0ALUhGQ6: open: permission denied
Apr 25 20:52:07 romeo named[1483]: dumping master file: /etc/bind/tmp-pVwpFrKJFp: open: permission denied


It is about 1 such line every 12-15 minutes.

Nevertheless bind is working.

root@romeo:~# ls -l /etc | grep bind
drwxr-sr-x 2 root bind      1024 kwi 25 04:20 bind
-rw-r--r-- 1 root root       356 lut  2 22:51 bindresvport.blacklist


root@romeo:/etc# getfacl bind
# file: bind
# owner: root
# group: bind
# flags: -s-
user::rwx
group::r-x
other::r-x

root@romeo:/etc# ps aux | grep named
bind      1483  0.0  4.9  56932 25332 ?        Ssl  06:10   0:04 /usr/sbin/named -u bind


Shouldn't bind use /var/lib/bind/ or /var/cache/bind/ or /var/tmp/
or /var/tmp/bind/ or /tmp/ or /tmp/bind/ for temporary files?
Anything but not /etc/bind/!

/etc should not be modified anyway by any program other than package management
software or by explicit administrator action (like manual editing).

What if / (and /usr, /etc), but not /var, is mounted read-only? It clearly will 
also be wrong.

This behaviour probably breaks Debian Policy or FHS.

I believe group:bind:r-x is the default permission after installing
(confirmed on a different server with bind also, but an older version),
and was not modified by me.

strace shows nothing usual:

Process 1483 attached with 4 threads - interrupt to quit
[pid  1486] 00:15:46.045364 epoll_wait(8,  <unfinished ...>
[pid  1485] 00:15:46.046269 restart_syscall(<... resuming interrupted call ...> <unfinished ...>
[pid  1484] 00:15:46.046756 futex(0xb6de8050, FUTEX_WAIT_PRIVATE, 4029, NULL <unfinished ...>
[pid  1483] 00:15:46.047164 rt_sigsuspend([]  <unfinished ...>
[pid  1485] 00:25:15.271868 <... restart_syscall resumed> ) = -1 ETIMEDOUT (Connection timed out)
[pid  1485] 00:25:15.272360 gettimeofday({1335392715, 272437}, NULL) = 0
[pid  1485] 00:25:15.272795 futex(0xb6de8050, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0xb6de804c, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
[pid  1484] 00:25:15.273081 <... futex resumed> ) = 0
[pid  1485] 00:25:15.273301 futex(0xb6de8018, FUTEX_WAKE_PRIVATE, 1 <unfinished ...>
[pid  1484] 00:25:15.273378 futex(0xb6de8018, FUTEX_WAIT_PRIVATE, 2, NULL <unfinished ...>
[pid  1485] 00:25:15.273607 <... futex resumed> ) = 0
[pid  1484] 00:25:15.273663 <... futex resumed> ) = -1 EAGAIN (Resource temporarily unavailable)
[pid  1485] 00:25:15.273924 futex(0xb6dea018, FUTEX_WAKE_PRIVATE, 1 <unfinished ...>
[pid  1484] 00:25:15.274053 futex(0xb6de8018, FUTEX_WAKE_PRIVATE, 1 <unfinished ...>
[pid  1485] 00:25:15.274506 <... futex resumed> ) = 0
[pid  1485] 00:25:15.274746 clock_gettime(CLOCK_REALTIME, {1335392715, 274888492}) = 0
[pid  1485] 00:25:15.275060 futex(0xb6dea04c, FUTEX_WAIT_PRIVATE, 3745, {333, 443955508} <unfinished ...>
[pid  1484] 00:25:15.275328 <... futex resumed> ) = 0
[pid  1484] 00:25:15.275487 gettimeofday({1335392715, 275601}, NULL) = 0
[pid  1484] 00:25:15.275705 gettimeofday({1335392715, 275825}, NULL) = 0
[pid  1484] 00:25:15.276035 gettimeofday({1335392715, 276161}, NULL) = 0
[pid  1484] 00:25:15.276381 open("/etc/bind/tmp-raJDvPemx6", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0666) = -1 EACCES (Permission denied)
[pid  1484] 00:25:15.277064 time(NULL)  = 1335392715
[pid  1484] 00:25:15.277382 send(3, "<27>Apr 26 00:25:15 named[1483]:"..., 103, MSG_NOSIGNAL) = 103
[pid  1484] 00:25:15.278126 gettimeofday({1335392715, 278264}, NULL) = 0
[pid  1484] 00:25:15.278447 gettimeofday({1335392715, 278504}, NULL) = 0
[pid  1484] 00:25:15.278702 futex(0xb6de8050, FUTEX_WAIT_PRIVATE, 4031, NULL <unfinished ...>
...

meaning that this action is performed periodically, and nothing external (like
DNS requests or zone updates) triggers it.


Regards,
Witek



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-2-686-pae (SMP w/1 CPU core)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bind9 depends on:
ii  adduser                3.113+nmu1
ii  bind9utils             1:9.8.1.dfsg.P1-4
ii  debconf [debconf-2.0]  1.5.42
ii  libbind9-80            1:9.8.1.dfsg.P1-4
ii  libc6                  2.13-27
ii  libcap2                1:2.22-1
ii  libdns81               1:9.8.1.dfsg.P1-4
ii  libgssapi-krb5-2       1.10+dfsg~beta1-2
ii  libisc83               1:9.8.1.dfsg.P1-4
ii  libisccc80             1:9.8.1.dfsg.P1-4
ii  libisccfg82            1:9.8.1.dfsg.P1-4
ii  liblwres80             1:9.8.1.dfsg.P1-4
ii  libssl1.0.0            1.0.1a-3
ii  libxml2                2.7.8.dfsg-7
ii  lsb-base               4.1+Debian0
ii  net-tools              1.60-24.1
ii  netbase                4.47

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc   <none>
pn  dnsutils    1:9.8.1.dfsg.P1-4
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
acl nfsserver {
        149.156.82.205;
};
zone "smp.if.uj.edu.pl" {
        type slave;
        notify no;
        file "db.smp.if.uj.edu.pl";
        masters { 149.156.82.205; };
        allow-notify { nfsserver; };
};
zone "kolo.smp.if.uj.edu.pl" {
        type slave;
        notify no;
        file "db.kolo.smp.if.uj.edu.pl";
        masters { 149.156.82.205; };
        allow-notify { nfsserver; };
};
/*
zone "semp.shell.la" {
        type slave;
        notify no;
        file "/etc/bind/db.semp.shel.la";
        masters { 149.156.82.205; };
        allow-transfer { nfsserver; };
};
*/
zone "10.in-addr.arpa" {
        type slave;
        notify no;
        file "db.10";
        masters { 149.156.82.205; };
        allow-notify { nfsserver; };
};
zone "2.0.10.in-addr.arpa" {
        type slave;
        notify no;
        file "db.10.0.2";
        masters { 149.156.82.205; };
        allow-notify { nfsserver; };
};
// behind romeo, 2001:470:1f0b:527::/64
zone "7.2.5.0.b.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa" {
        type slave;
        notify no;
        file "db.ipv6.rev.romeo.7.2.5.0.b.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa";
        masters { 149.156.82.205; };
        allow-notify { nfsserver; };
};
// behind noisy, 2001:470:1f0b:e05::/64
zone "5.0.e.0.b.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa" {
        type slave;
        notify no;
        file "/etc/bind/db.ipv6.rev.noisy.5.0.e.0.b.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa";
        masters { 149.156.82.205; };
        allow-notify { nfsserver; };
};
/*
// behind nfsserver, 2001:470:1f14:14aa::/64
zone "a.a.4.1.4.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa" {
        type slave;
        notify no;
        file "/etc/bind/db.ipv6.rev.nfsserver.a.a.4.1.4.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa";
        masters { 149.156.82.205; };
        allow-notify { nfsserver; };
};
*/
// we pretend that we have cdn.debian.net :)
zone "cdn.debian.net" {
        type master;
        notify no;
        file "/etc/bind/db.cdn.debian.net";
        allow-transfer { nfsserver; };
};
// google
// tserv6.fra1.ipv6.he.net is
//   216.66.80.30
//   2001:470:0:69::2
zone "google.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "gogole.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "googel.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "igoogle.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "google.pl" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "google.de" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "google.ch" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "google.se" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "google.net" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "google.co.uk" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "gmodule.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "gmodules.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "gmail.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "youtube.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "youtube.pl" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "ytimg.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "google-analytics.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "googlesyndication.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "googletagservices.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "adsense.net" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "adwords.net" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "adwords.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };
zone "android.com" in { type forward; forwarders { 216.66.80.30; }; forward only; };

/etc/bind/named.conf.options changed:
acl internals {
        10.0.0.0/16;
        149.156.82.0/24;
        127.0.0.0/8;
        // localhost
        ::1;
        // nfsserver
        2001:470:1f14:14aa::/64;
        // romeo
        2001:470:1f0a:527::2;
        // behind romeo
        2001:470:1f0b:527::/64;
        // noisy
        2001:470:1f0a:e05::2/64;
        2001:470:1f0b:e05:1:0:1:1/80;
        2001:470:1f0b:e05::1/64;
        // behind noisy, and noisy
        2001:470:1f0b:e05::/64;
        // tunnel noisy-nfsserver
        192.168.1.0/24;
};
// for excluding via dns64
acl rfc1918_moje { 10/8; 192.168/16; 172.16/12; };
options {
        directory "/var/cache/bind";
        // forwarders {
        // info.cyf-kr.edu.pl
        //149.156.2.12;
        // theta.uoks.uj.edu.pl
        //149.156.64.210;
        // ns.cyf-kr.edu.pl
        //149.156.4.11;
        // };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        allow-notify { none; }; // no by default, overridden in specific zones
        allow-transfer { none; };
        allow-query { any; };
        allow-query-cache { internals; };
        allow-recursion { internals; };
/*
        dns64 64:ff9b::/96 {
                //clients { any; }
                //clients { 10.0.2.0/24; };
                clients { 2001:470:1f0b:527::/64; };
                mapped { !rfc1918_moje; any; };
                exclude { 64:ff9b::/96; ::ffff:0000:0000/96; };
                //suffix ::;
        };
*/
};

/etc/bind/zones.rfc1918 changed:
//zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
 
zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };


-- debconf information:
  bind9/different-configuration-file:
  bind9/run-resolvconf: true
  bind9/start-as-user: bind
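As an added illustration (not part of the report or of the bind9 package): named writes a slave zone out by creating a tmp-XXXXXX file in the same directory as that zone's `file`, so a slave zone whose file is given as an absolute path under /etc/bind, rather than relative to the `directory` option, needs a directory the named user can write to. The script below takes a constructed named.conf fragment modelled on the report (the zone names and addresses are assumptions), lists the directory each slave zone will be dumped into, and flags the ones that fail an injectable writability check.

```python
import os
import re

# Constructed sample modelled on the report's named.conf: the commented-out
# slave zone must be ignored, and relative file names resolve under `directory`.
SAMPLE_CONF = '''
options { directory "/var/cache/bind"; auth-nxdomain no; # RFC1035
};
zone "smp.example" { type slave; file "db.smp"; masters { 192.0.2.1; }; };
zone "noisy.example" { type slave; notify no;
        file "/etc/bind/db.noisy"; masters { 192.0.2.1; }; };
/* zone "old.example" { type slave; file "/etc/bind/db.old"; masters { 192.0.2.1; }; }; */
zone "cdn.example" { type master; file "/etc/bind/db.cdn"; };
zone "fwd.example" in { type forward; forwarders { 192.0.2.2; }; forward only; };
'''

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* ... */ blocks
    return re.sub(r"(//|#).*", "", text)                 # // and # to end of line

def zone_blocks(text):
    """Yield (name, body) for each zone statement, matching nested braces."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"', text):
        start = text.index("{", m.end())
        depth, end = 1, start + 1
        while depth:
            depth += (text[end] == "{") - (text[end] == "}")
            end += 1
        yield m.group(1), text[start + 1:end - 1]

def slave_zone_dirs(conf, default_dir="/var/cache/bind"):
    """(zone, directory) pairs: where named creates tmp-XXXXXX for each slave zone."""
    text = strip_comments(conf)
    dm = re.search(r'\bdirectory\s+"([^"]+)"\s*;', text)
    base = dm.group(1) if dm else default_dir
    result = []
    for name, body in zone_blocks(text):
        tm = re.search(r"\btype\s+(\w+)\s*;", body)
        fm = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        if tm and fm and tm.group(1) == "slave":
            path = os.path.join(base, fm.group(1))   # absolute file paths win
            result.append((name, os.path.dirname(path)))
    return result

def unwritable_slave_dirs(conf, writable=lambda d: os.access(d, os.W_OK)):
    """Sorted slave-zone directories rejected by `writable`; the default check
    reflects the invoking user, so run it as the named user (sudo -u bind)."""
    return sorted({d for _, d in slave_zone_dirs(conf) if not writable(d)})
```

Against the sample, the relative file lands in /var/cache/bind and the absolute one in /etc/bind, which is the directory the report's log lines show as unwritable.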


