Commit 16d6fab2 authored by Evan Hunt's avatar Evan Hunt Committed by Ondřej Surý

[master] make writable directory and managed-keys directory mandatory

4769.   [bug]           The working directory and managed-keys directory have
                        to be writeable (and seekable). [RT #46077]
parent 9492533d
4769. [bug] The working directory and managed-keys directory has
to be writeable (and seekable). [RT #46077]
4768. [func] By default, memory is no longer filled with tag values
when it is allocated or freed; this improves
performance but makes debugging of certain memory
......@@ -1032,6 +1032,15 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
directory, isc_result_totext(result));
goto cleanup;
} else if (directory != NULL) {
if (access(directory, W_OK|X_OK) != 0) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
"managed-keys-directory '%s' "
"is not writable", directory);
result = ISC_R_NOPERM;
goto cleanup;
}
}
CHECK(add_keydata_zone(view, directory, named_g_mctx));
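Review bot: The `access(directory, W_OK|X_OK)` check added here (and the matching one in directory_callback in the next server.c hunk) evaluates permissions against the process's real UID/GID, and when the real UID is 0 it reports W_OK as granted regardless of the directory mode, so it only matches the "writable by the effective user ID" wording this commit adds to the ARM if the check runs after named has switched to its final user and real and effective IDs agree. If these paths can execute before the privilege drop, a directory the eventual unprivileged user cannot write would pass at startup and fail later at file creation; worth confirming the ordering, or probing with the actual effective credentials (create and remove a scratch file under the directory), since access() is advisory in any case. The log message also discards errno, so EROFS or ENOENT is reported as "is not writable" just like EACCES; consider saving errno after the call and appending its text, e.g. `"managed-keys-directory '%s' is not writable: %s", directory, strerror(errno)` (or the codebase's own strerror wrapper). configure_view_dnsseckeys begins and ends outside this hunk.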
......@@ -6150,6 +6159,14 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
"option 'directory' contains relative path '%s'",
directory);
if (access(directory, W_OK|X_OK) != 0) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
"directory '%s' is not writable",
directory);
return (ISC_R_NOPERM);
}
result = isc_dir_chdir(directory);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
......@@ -10,9 +10,9 @@ with RFC 5011 Automated Updates of DNSSEC Trust Anchors.
ns1 is the root server that offers new KSKs and hosts one record for
testing. The TTL for the zone's records is 2 seconds.
ns2 is a validator uses managed-keys.
"named -T rfc5011holddown=4" switch is used so it will attempt to do
the automated updates frequently.
ns2 is a validator that uses managed-keys. "-T mkeytimers=2/20/40"
is used so it will attempt do automated updates frequently. "-T tat=1"
is used so it will send TAT queries once per second.
ns3 is a validator with a broken key in managed-keys.
......@@ -6,6 +6,11 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
rm -f ns2/named.conf
rm -f */named.memstats
rm -f */named*.run
rm -f ns*/named.lock ns*/named*.pid ns*/other.lock
rm -f *.pid
rm -f rndc.out*
[ -d ns2/nope ] && chmod 755 ns2/nope
rm -rf ns2/nope
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/.
*/
options {
directory "./nope";
port 5300;
pid-file "../named4.pid";
listen-on { 127.0.0.1; };
listen-on-v6 { none; };
recursion no;
};
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/.
*/
options {
managed-keys-directory "./nope";
port 5300;
pid-file "../named4.pid";
listen-on { 127.0.0.1; };
listen-on-v6 { none; };
recursion no;
};
......@@ -21,3 +21,13 @@ options {
dnssec-enable no;
dnssec-validation no;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
......@@ -10,3 +10,8 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$SHELL clean.sh
cp ns2/named1.conf ns2/named.conf
mkdir ns2/nope
chmod 555 ns2/nope
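Review bot: `chmod 555 ns2/nope` only denies writes to an unprivileged user; if the system tests are run as root, discretionary permissions are bypassed and named's access(W_OK) check on this directory succeeds, so the four new "is not writable" tests in tests.sh would fail for reasons unrelated to the code under test. Consider guarding those tests on `[ \`id -u\` -ne 0 ]` (or skipping the whole test with a clear message when running as root), mirroring how the existing `$CYGWIN` block conditionally skips platform-specific checks.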
......@@ -20,17 +20,15 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
if [ ! "$CYGWIN" ]; then
n=`expr $n + 1`
echo "I:verifying that named checks for conflicting listeners ($n)"
ret=0
(cd ns2; $NAMED -c named-alt1.conf -D ns2-extra-1 -X other.lock -m record,size,mctx -d 99 -g -U 4 >> named2.run 2>&1 & )
sleep 2
grep "unable to listen on any configured interface" ns2/named2.run > /dev/null || ret=1
[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:verifying that named checks for conflicting listeners ($n)"
ret=0
(cd ns2; $NAMED -c named-alt1.conf -D ns2-extra-1 -X other.lock -m record,size,mctx -d 99 -g -U 4 >> named2.run 2>&1 & )
sleep 2
grep "unable to listen on any configured interface" ns2/named2.run > /dev/null || ret=1
[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
fi
n=`expr $n + 1`
......@@ -53,6 +51,51 @@ grep "another named process" ns2/named4.run > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I: checking that named refuses to reconfigure if working directory is not writable ($n)"
ret=0
cp -f ns2/named-alt4.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
sleep 1
grep "[^-]directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I: checking that named refuses to reconfigure if managed-keys-directory is not writable ($n)"
ret=0
cp -f ns2/named-alt5.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
sleep 1
grep "managed-keys-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I: checking that named refuses to start if working directory is not writable ($n)"
ret=0
cd ns2
$NAMED -c named-alt4.conf -d 99 -g > named4.run 2>&1 &
sleep 2
grep "exiting (due to fatal error)" named4.run > /dev/null || ret=1
[ -s named4.pid ] && kill -15 `cat named4.pid` > /dev/null 2>&1
cd ..
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I: checking that named refuses to start if managed-keys-directory is not writable ($n)"
ret=0
cd ns2
$NAMED -c named-alt5.conf -d 99 -g > named5.run 2>&1 &
sleep 2
grep "exiting (due to fatal error)" named5.run > /dev/null || ret=1
[ -s named5.pid ] && kill -15 `cat named5.pid` > /dev/null 2>&1
cd ..
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
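Review bot: The two start-up tests (the `$NAMED -c named-alt4.conf` and `named-alt5.conf` blocks) assert only `exiting (due to fatal error)`, so any fatal startup failure — an unrelated configuration error or a listener that cannot bind — satisfies them without exercising the new writability checks, whereas the reconfig tests above grep for the specific message. Add a second grep per block, `grep "directory './nope' is not writable" named4.run > /dev/null || ret=1` and the `managed-keys-directory './nope' is not writable` variant for named5.run, so the test fails if the refusal comes from elsewhere. The `[ -s named5.pid ]` cleanup can never fire because named-alt5.conf writes its pid to `../named4.pid`, and these blocks invoke `kill -15` directly where the rest of the file uses `$KILL`.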
......@@ -4670,17 +4670,16 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<listitem>
<para>
The working directory of the server.
Any non-absolute pathnames in the configuration file will be
taken
as relative to this directory. The default location for most
server
output files (e.g. <filename>named.run</filename>)
is this directory.
Any non-absolute pathnames in the configuration file will
be taken as relative to this directory. The default
location for most server output files
(e.g. <filename>named.run</filename>) is this directory.
If a directory is not specified, the working directory
defaults to `<filename>.</filename>', the directory from
which the server
was started. The directory specified should be an absolute
path.
which the server was started. The directory specified
should be an absolute path, and <emphasis>must</emphasis>
be writable by the effective user ID of the
<command>named</command> process.
</para>
</listitem>
</varlistentry>
......@@ -4957,7 +4956,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<para>
Specifies the directory in which to store the files that
track managed DNSSEC keys. By default, this is the working
directory.
directory. The directory <emphasis>must</emphasis>
be writable by the effective user ID of the
<command>named</command> process.
</para>
<para>
If <command>named</command> is not configured to use views,
......@@ -483,6 +483,15 @@
anchor is now a fatal configuration error. [RT #46155]
</para>
</listitem>
<listitem>
<para>
<command>named</command> will no longer start or accept
reconfiguration if the working directory (specified by the
<command>directory</command> option) or the managed-keys
directory (specified by <command>managed-keys-directory</command>
are not writable by the effective user ID. [RT #46077]
</para>
</listitem>
<listitem>
<para>
Previously, <command>update-policy local;</command> accepted
......@@ -566,7 +566,8 @@ parse2(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
if (result != ISC_R_SUCCESS) {
/* Parsing failed but no errors have been logged. */
cfg_parser_error(pctx, 0, "parsing failed");
cfg_parser_error(pctx, 0, "parsing failed: %s",
isc_result_totext(result));
goto cleanup;
}