Package: bind9
Version: 9.18.8-1
Severity: normal
User: de...@kali.org
Usertags: origin-kali

Dear Maintainer,

This bug was initially reported against the Kali bug tracker:
https://bugs.kali.org/view.php?id=8079#c17121.

The issue is that, in Kali Linux, named crashes as it can't access the file
etc/openssl/kali.cnf. Here's the interesting part of the strace output:

    $ sudo strace -e trace=file named --help
    [...]
    newfstatat(AT_FDCWD, "/etc/ssl/kali.cnf", {st_mode=S_IFREG|0644, st_size=653, ...}, 0) = 0
    openat(AT_FDCWD, "/etc/ssl/kali.cnf", O_RDONLY) = -1 EACCES (Permission denied)
    tls.c:88: fatal error: RUNTIME_CHECK(OPENSSL_init_ssl((0x00000200L | 0x00000400L | 0x00001000L | 0x00002000L | 0x00004000L) | 0x00000040L, ((void *)0)) == 1) failed
    --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2631, si_uid=0} ---
    +++ killed by SIGABRT +++
    zsh: IOT instruction  sudo strace -e trace=file named --help

This is due to the apparmor profile for named, which is pretty restrictive
regarding which openssl config files are allowed:

    debian/extras/apparmor.d/usr.sbin.named
    --------
      # ssl
      /etc/ssl/openssl.cnf r,

I wonder if this part could be relaxed a bit, with something like:

      # ssl
      /etc/ssl/*.cnf r,
      /etc/ssl/*.conf r,

To give more context: in Kali Linux we ship the openssl config file at the
usual location /etc/ssl/openssl.cnf, but we also have a second file with extra
configuration at /etc/ssl/kali.cnf. This second file is included from the main
file, using the .include directive.

As documented in the openssl config man page (`man 5 config`), the .include
directive allows including *any* location, which doesn't really help here...
But the man page also says (more or less) that the standard extension for
openssl config files should be .cnf or .conf.

The change I suggest above would give more rope to sysadmins (or derivatives
like Kali Linux), and would allow named to read any config file, as long as
it's located in /etc/ssl and has the .cnf or .conf extension.

I looked at other packages and I found that cupsd does something similar:
https://salsa.debian.org/printing-team/cups/-/blob/debian/main/debian/local/apparmor-profile

Best,

Arnaud
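
The mismatch described in this report can be checked mechanically. The following is an added example, not part of the original report or of the bind9 or Kali packaging: it follows .include directives from the main openssl config and lists the files that a set of AppArmor read rules does not cover. Assumptions: the file contents are constructed, only absolute .include paths to single files are followed, and only the `*`, `**` and `?` AppArmor globs are translated.

```python
import re

INCLUDE_RE = re.compile(r'^\s*\.include(?:\s*=\s*|\s+)(\S+)')

def aa_glob_to_regex(glob):
    """Translate the AppArmor globs handled here: ** crosses '/', * and ? do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def config_files(root, files):
    """Return root plus every path reachable through .include, in read order."""
    seen, todo = [], [root]
    while todo:
        path = todo.pop(0)
        if path in seen:
            continue
        seen.append(path)  # recorded even if we cannot parse it further
        for line in files.get(path, "").splitlines():
            m = INCLUDE_RE.match(line)
            if m:
                todo.append(m.group(1))
    return seen

def denied_reads(root, files, rules):
    """Config files that no rule granting 'r' in the profile covers."""
    allowed = [aa_glob_to_regex(g) for g, perms in rules if "r" in perms]
    return [p for p in config_files(root, files)
            if not any(rx.match(p) for rx in allowed)]

# Constructed sample input (the real file contents are not in the report).
FILES = {
    "/etc/ssl/openssl.cnf": "openssl_conf = default_conf\n.include /etc/ssl/kali.cnf\n",
    "/etc/ssl/kali.cnf": "[default_conf]\nssl_conf = ssl_sect\n",
}
CURRENT_RULES = [("/etc/ssl/openssl.cnf", "r")]                      # profile as shipped
PROPOSED_RULES = [("/etc/ssl/*.cnf", "r"), ("/etc/ssl/*.conf", "r")]  # suggested change

if __name__ == "__main__":
    for name, rules in (("current", CURRENT_RULES), ("proposed", PROPOSED_RULES)):
        print(name, denied_reads("/etc/ssl/openssl.cnf", FILES, rules))
```

An include that points outside /etc/ssl is still reported under the proposed rules, since `*` does not cross directory boundaries.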