Bug#1024416: unbound does not restart reliably under sysvinit with apparmor in enforcing mode

g1 Sat, 19 Nov 2022 00:03:21 -0800

Package: unbound
Version: 1.13.1-1
Severity: normal
Tags: patch
X-Debbugs-Cc: g...@libero.it


Hi

With the apparmor profile shipped with unbound, /usr/sbin/unbound is
allowed to truncate and create its own pidfile /run/unbound.pid, but
cannot remove it at exit or rewrite it when it starts again.

As a consequence, "start-stop-daemon --stop" leaves behind an empty pidfile,
and a subsequent "start-stop-daemon --start" spawns a new daemon whose
pid is written nowhere.  The overall result is that N invocations of
"/etc/init.d/unbound restart" end up with N-1 daemons running, with
obvious implications for security.

In #947771 Stephane Lapie and Gedalya suggested a simple patch that
solves the problem.  That bug report was closed as "problem solved",
without actually applying the patch, probably because I failed to clearly
explain how to reproduce the issue.

Please, do not close this report unless, on a system managed by
sysvinit-core with apparmor in enforcing mode, exactly one instance of
unbound is left running after invoking "/etc/init.d/unbound restart"
at least four times in a row.

Since 2020, I've been applying the following patch against the script
shipped by the debian package at each new release, again and again.
Hope it can be included for real in the debian tree.

Best regards,
        g.

--- /etc/init.d/unbound.dpkg-dist       2021-02-09 23:53:57.000000000 +0100
+++ /etc/init.d/unbound 2022-11-19 08:28:58.429007869 +0100
@@ -42,7 +42,7 @@
 
     stop)
         log_daemon_msg "Stopping $DESC" "$NAME"
-        if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --name 
$NAME --retry 5; then
+        if start-stop-daemon --stop --quiet --oknodo --remove-pidfile 
--pidfile $PIDFILE --name $NAME --retry 5; then
             $HELPER resolvconf_stop
             $HELPER chroot_teardown
             log_end_msg 0
@@ -53,7 +53,7 @@
 
     restart|force-reload)
         log_daemon_msg "Restarting $DESC" "$NAME"
-        start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME 
--retry 5
+        start-stop-daemon --stop --quiet --remove-pidfile --pidfile $PIDFILE 
--name $NAME --retry 5
         $HELPER resolvconf_stop
         if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE 
--name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
             $HELPER chroot_setup

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-19-amd64 (SMP w/4 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages unbound depends on:
ii  adduser                    3.118
ii  dns-root-data              2021011101
ii  libc6                      2.31-13+deb11u5
ii  libelogind0 [libsystemd0]  246.9.1-1+debian1
ii  libevent-2.1-7             2.1.12-stable-1
ii  libprotobuf-c1             1.3.3-1+b2
ii  libpython3.9               3.9.2-1
ii  libssl1.1                  1.1.1n-0+deb11u3
ii  lsb-base                   11.1.0
ii  openssl                    1.1.1n-0+deb11u3
ii  unbound-anchor             1.13.1-1

unbound recommends no packages.

Versions of packages unbound suggests:
ii  apparmor  2.13.6-10

-- no debconf information

Bug#1024416: unbound does not restart reliably under sysvinit with apparmor in enforcing mode

Reply via email to