named-checkconf insists file is writable when it isn't
Summary
Arch Linux (08/13/2019)... fresh install. No mandatory access controls. `named-checkconf` believes it has write access to a zone file when it does not and, as a result, will not let me use the same file for two different (read-only) zones.
BIND version used
```
wolferz@tiphares /etc/bind $ named -V
BIND 9.14.4 (Stable Release) <id:ab4c496>
running on Linux x86_64 5.2.6-arch1-1-ARCH #1 SMP PREEMPT Sun Aug 4 14:58:49 UTC 2019
built by make with '--prefix=/usr' '--sysconfdir=/etc' '--sbindir=/usr/bin' '--localstatedir=/var' '--disable-static' '--enable-fixed-rrset' '--enable-full-report' '--enable-dnsrps' '--with-python=/usr/bin/python' '--with-geoip' '--with-openssl' '--with-libidn2' '--with-libjson' '--with-libxml2' '--with-lmdb' '--with-libtool' 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
compiled by GCC 9.1.0
compiled with OpenSSL version: OpenSSL 1.1.1c 28 May 2019
linked to OpenSSL version: OpenSSL 1.1.1c 28 May 2019
compiled with libxml2 version: 2.9.9
linked to libxml2 version: 20909
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
  named configuration: /etc/named.conf
  rndc configuration: /etc/rndc.conf
  DNSSEC root key: /etc/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file: /var/run/named/named.pid
  named lock file: /var/run/named/named.lock
```
Steps to reproduce
In this case the file in question is the `empty.zone` file normally provided by Arch's bind package in `/var/named/`. I renamed it and moved it to `/etc/bind/db.empty` so that I could make both the file and the folder it's contained in read-only to named (I need named to have write permissions in `/var/named`). named is configured via systemd unit file to run as the 'named' user which has a primary group of 'named'.

named is not running for the below tests.
```
wolferz@tiphares ~ $ cd /etc/bind
wolferz@tiphares /etc/bind $ cat /etc/group | grep named
named:x:40:wolferz <--- for testing purposes
wolferz@tiphares /etc/bind $ ls -l
total 28
-rw-r----- 1 root named  407 Jul 17 21:59 db.empty
-rw-r----- 1 root named  533 Aug 14 16:36 named.conf.default-zones
-rw-r----- 1 root named   34 Aug 14 14:32 named.conf.local
-rw-r----- 1 root named 7801 Aug 14 14:32 named.conf.logging
-rw-r----- 1 root named  398 Aug 14 14:38 named.conf.options
-rw-r----- 1 root named 1354 Aug 14 14:42 zones.rfc1918
wolferz@tiphares /etc/bind $ ls -ld ./
drwxr-xr-x 1 root named 194 Aug 14 16:36 ./
wolferz@tiphares /etc/bind $ echo '// test' >> /etc/bind/db.empty
zsh: permission denied: /etc/bind/db.empty
wolferz@tiphares /etc/bind $ touch /etc/bind/test
touch: cannot touch '/etc/bind/test': Permission denied
wolferz@tiphares /etc/bind $ named-checkconf
/etc/bind/named.conf.default-zones:25: writeable file '/etc/bind/db.empty': already in use: /etc/bind/named.conf.default-zones:20
```
What is the current bug behavior?
```
wolferz@tiphares /etc/bind $ named-checkconf
/etc/bind/named.conf.default-zones:25: writeable file '/etc/bind/db.empty': already in use: /etc/bind/named.conf.default-zones:20
```
What is the expected correct behavior?
```
wolferz@tiphares /etc/bind $ named-checkconf
wolferz@tiphares /etc/bind $
```
Relevant configuration files
/etc/named.conf

```
// vim: syntax=named:ts=4:sw=4:et

acl local {
    127.0.0.1;
    ::1;
};

acl annapuma {
    123.456.789.012;
};

acl unipuma {
    234.567.890.123;
};

acl nameservers {
    annapuma;
    unipuma;
};

acl ladder {
    nameservers;
};

acl scrapyard {
    10.5.0.0/16;
    fe80::/10;
    local;
};

include "/etc/bind/named.conf.logging";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
```
/etc/bind/named.conf.options

```
// vim: syntax=named:ts=4:sw=4:et

options {
    directory "/var/named";
    pid-file "/run/named/named.pid";

    listen-on {
        10.5.0.1;
        10.5.0.200; // legacy
    };
    listen-on-v6 {
        fe80::230:18ff:fea5:6c27;
    };

    allow-recursion { scrapyard; };
    allow-transfer { none; };
    allow-update { local; };

    version none;
    hostname none;
    server-id none;
};
```
/etc/bind/named.conf.local

```
// vim: syntax=named:ts=4:sw=4:et
```
/etc/bind/named.conf.default-zones

```
// vim: syntax=named:ts=4:sw=4:et

zone "localhost" IN {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
    type master;
    file "localhost.ip6.zone";
};

zone "255.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.empty";
};

zone "0.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.empty";
};

zone "." IN {
    type hint;
    file "root.hint";
};
```
/etc/bind/db.empty

```
@   1D  IN  SOA localhost. root.localhost. (
        42      ; serial (yyyymmdd##)
        3H      ; refresh
        15M     ; retry
        1W      ; expiry
        1D )    ; minimum ttl
    1D  IN  NS  localhost.
```
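The "writeable file ... already in use" error comes from a check that is driven by the zone configuration rather than by the permission bits on the file: BIND classifies a zone file as writeable when the zone is a secondary-style zone, or a primary zone that has dynamic update enabled (an `update-policy`, or an `allow-update` ACL other than `{ none; }`, which a zone inherits from `options {}` when it does not set one itself) or has `inline-signing` turned on. The Python below is an added model of that classification, not BIND's own code. It re-implements a small subset of the named.conf grammar, runs it over a constructed copy of the configuration in this report (where `allow-update { local; };` in `options {}` reaches every primary zone) and over the same configuration with a per-zone `allow-update { none; };` override; the duplicate rule it applies, flagging a shared path as soon as one of its users is writeable, is the model's own simplification of named-checkconf's.

```python
"""Simplified model of named-checkconf's 'writeable file already in use'
check. Added example, not BIND's code: the writeable rules below are the
assumptions stated in the lead-in, and the duplicate rule is simplified."""
import re

# Tokens: comments (dropped), quoted strings, braces/semicolons, bare words.
TOKEN_RE = re.compile(r'//[^\n]*|#[^\n]*|"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text):
    toks = []
    for m in TOKEN_RE.finditer(text):
        t = m.group(0)
        if t.startswith(('//', '#')):
            continue                          # comment
        toks.append(t[1:-1] if t.startswith('"') else t)
    return toks


def parse_statements(toks, i=0):
    """Parse 'keyword args... [{ nested }] ;' statements up to a closing '}'.
    Returns ([(keyword, [args], body_or_None), ...], next_index)."""
    stmts = []
    while i < len(toks) and toks[i] != '}':
        words = []
        while toks[i] not in ('{', ';'):
            words.append(toks[i])
            i += 1
        body = None
        if toks[i] == '{':
            body, i = parse_statements(toks, i + 1)
            i += 1                            # skip the closing '}'
        if i < len(toks) and toks[i] == ';':
            i += 1                            # skip the terminating ';'
        if words:
            stmts.append((words[0], words[1:], body))
    return stmts, i


def _first(stmts, keyword):
    """(args, body) of the first statement with this keyword, else None."""
    for kw, args, body in stmts:
        if kw == keyword:
            return args, body
    return None


def zone_file_is_writeable(zone_body, global_options):
    """Configuration-driven classification (model of BIND's rules):
    secondary-style zones are always writeable; a primary zone is
    writeable when dynamic update is enabled or inline-signing is on.
    File permission bits play no part."""
    ztype = _first(zone_body, 'type')[0][0]
    if ztype in ('slave', 'secondary', 'mirror'):
        return True
    if ztype not in ('master', 'primary'):
        return False                          # hint, forward, static-stub, ...
    if _first(zone_body, 'update-policy') is not None:
        return True
    upd = _first(zone_body, 'allow-update')
    if upd is None and global_options is not None:
        upd = _first(global_options, 'allow-update')   # inherited from options {}
    if upd is not None and [kw for kw, _, _ in upd[1]] != ['none']:
        return True
    signing = _first(zone_body, 'inline-signing')
    return signing is not None and signing[0][0] == 'yes'


def check_config(text):
    """Return the error lines the model raises for a named.conf text."""
    stmts, _ = parse_statements(tokenize(text))
    opts = _first(stmts, 'options')
    global_options = opts[1] if opts else None
    seen = {}                                 # path -> (first zone, writeable)
    errors = []
    for kw, args, body in stmts:
        if kw != 'zone' or _first(body, 'file') is None:
            continue
        path = _first(body, 'file')[0][0]
        writeable = zone_file_is_writeable(body, global_options)
        if path in seen and (writeable or seen[path][1]):
            errors.append("zone '%s': writeable file '%s': already in use by zone '%s'"
                          % (args[0], path, seen[path][0]))
        seen.setdefault(path, (args[0], writeable))
    return errors


# Constructed from the report's configuration: allow-update lives in
# options {}, so both primary zones that share db.empty inherit it.
REPORTED = """
options {
    directory "/var/named";
    allow-update { local; };
};
zone "localhost" IN { type master; file "localhost.zone"; };
zone "255.in-addr.arpa" IN { type master; file "/etc/bind/db.empty"; };
zone "0.in-addr.arpa" IN { type master; file "/etc/bind/db.empty"; };
zone "." IN { type hint; file "root.hint"; };
"""

# Same layout, dynamic update switched off for the two static zones only.
STATIC_OVERRIDE = REPORTED.replace(
    'file "/etc/bind/db.empty";',
    'file "/etc/bind/db.empty"; allow-update { none; };')

# Constructed secondary zones sharing one file: writeable by zone type alone.
SECONDARY_SHARE = """
zone "a.example" IN { type slave; masters { 192.0.2.1; }; file "shared.db"; };
zone "b.example" IN { type slave; masters { 192.0.2.1; }; file "shared.db"; };
"""

if __name__ == '__main__':
    for label, cfg in (('reported', REPORTED), ('override', STATIC_OVERRIDE),
                       ('secondaries', SECONDARY_SHARE)):
        print(label, check_config(cfg) or 'OK')
```

Running the script prints one error for the reported layout and for the two secondaries, and `OK` for the override, which is the least-privilege shape anyway: dynamic update is granted only to the zones that need a writable file, and a global `allow-update` in `options {}` never silently turns every primary zone into a dynamic one.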
Relevant logs and/or screenshots
N/A
Possible fixes
Afraid that's a bit out of my depth. Never done much with C.
Possibly related to: #368 (closed)