[Bug 277950] RUNDIR should not be set in pkg-plist in dns/knot-resolver
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 277950] RUNDIR should not be set in pkg-plist"
Date: Thu, 28 Mar 2024 19:32:33 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277950

--- Comment #2 from Michael Grimm <trashcan@ellael.org> ---
(In reply to Leo Vandewoestijne from comment #1)

>> kresd will create RUNDIR on a vanilla system anyway and will set
>> permissions correctly
>
> Yes, but doesn't remove it when uninstalling.
> And so without this line it doesn't pass in poudriere

Ok, I have missed that poudriere testport is complaining.

> The line was modified after PR 267016

Yes, I saw that, namely from 0755 to 0660. And that is the culprit (see below).

> Further these variables exist for use in rc.conf:
>
> kresd_user="kresd"
> kresd_group="kresd"
> kresd_rundir="/var/run/${name}"
>
> Don't they allow what you wish to accomplish ..?

No, not really:

1) I am following these recommendations in rc.conf and drop privileges after
starting kresd:

dns> cat /usr/local/etc/knot-resolver/kresd.conf
[snip]
--
-- drop privileges, now
--
user('kresd','kresd')
--
-- create socket file
--
net.listen('/var/run/kresd/control/kresd.sock', nil, { kind = 'control' })
[snip]

2) kresd will create /var/run/kresd (if removed on purpose for demonstration)
as follows:

dns> rm -r /var/run/kresd
dns> service kresd start
kresd started.
dns> ls -al /var/run | grep kresd
drwx------ 3 kresd kresd 6 Mar 28 19:24 kresd
 ^^^
dns> ls -lR /var/run/kresd/
total 18
drwxr-x--- 2 kresd kresd 3 Mar 28 19:24 control
-rw-r----- 1 kresd kresd 10485760 Mar 28 19:25 data.mdb
-rw------- 1 root kresd 5 Mar 28 19:24 kresd.pid
-rw-r----- 1 kresd kresd 8192 Mar 28 19:24 lock.mdb

/var/run/kresd/control:
total 1
srwxr-xr-x 1 kresd kresd 0 Mar 28 19:24 kresd.sock

3) If one re-installs dns/knot-resolver one ends with:

dns> ls -al /var/run | grep kresd
drw-rw---- 3 kresd kresd 5 Mar 28 19:32 kresd
 ^^ ^^

4) After restarting kresd one renders kresd useless because of:

Mar 28 19:40:58 <daemon.notice> kresd[90451]: [net ] bind to '/var/run/kresd/control/kresd.sock' (UNIX): Permission denied
Mar 28 19:40:58 <daemon.notice> kresd[90451]: [system] error while loading config: error occurred here (config filename:lineno is at the bottom, if config is involved):
Mar 28 19:40:58 <daemon.notice> kresd[90451]: stack traceback:
Mar 28 19:40:58 <daemon.notice> kresd[90451]: [C]: in function 'listen'
Mar 28 19:40:58 <daemon.notice> kresd[90451]: /usr/local/etc/knot-resolver/kresd.conf:29: in main chunk
Mar 28 19:40:58 <daemon.notice> kresd[90451]: ERROR: net.listen() failed to bind (workdir '/var/run/kresd')

5) This error message is repeated every other second until:

dns> chmod 700 /var/run/kresd ! changing /var/run/kresd from 660 back to 700
dns> ps Af | grep kresd
90816 - SsJ 0:00.01 daemon: /usr/local/sbin/kresd[90831] (daemon)
90831 - SJ 0:00.06 /usr/local/sbin/kresd -c /usr/local/etc/knot-resolver/kresd.conf -n -q /var/run/kresd
90833 1 R+J 0:00.00 grep kresd

No more errors logged.

Ok, if one needs RUNDIR, I do propose to set it as follows:

-@dir(%%USERS%%,%%GROUPS%%,0660) %%RUNDIR%%
+@dir(%%USERS%%,%%GROUPS%%,0700) %%RUNDIR%%

HTH and regards,
Michael

--
You are receiving this mail because:
You are the assignee for the bug.
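Review bot: the mode on the changed @dir line moves from 0660 to 0700 with no recorded reason, and the thread shows this same value was already changed once (0755 to 0660 after PR 267016), so it is likely to drift again. State in the commit message that %%RUNDIR%% is a directory and needs the owner search (x) bit so that kresd, after user('kresd','kresd'), can bind /var/run/kresd/control/kresd.sock, and that 0700 matches the drwx------ kresd creates itself on a clean start. It is also worth confirming that nothing relies on group access to the directory, since 0700 removes it while control/ and data.mdb underneath remain group-readable.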
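The failure described in the comment comes from a file-style mode (read/write, no search bit) being applied to a directory. The following is an added example, not part of the bug comment or the port: a small lint that flags such modes on `@dir` lines. The function names and the sample plist are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the port): flag pkg-plist @dir modes that give a
# class read or write on a directory but no search (x) bit.

# Print the classes (u, g, o) whose digit has r or w set but not x.
dir_mode_problem() {
    # Keep the last three octal digits of the mode.
    perms=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')
    out=""
    i=1
    for class in u g o; do
        digit=$(printf '%s' "$perms" | cut -c "$i")
        if [ $((digit & 6)) -ne 0 ] && [ $((digit & 1)) -eq 0 ]; then
            out="$out$class"
        fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# Read plist lines on stdin; print one finding per @dir entry with a bad mode.
lint_plist() {
    sed -n 's/^@dir([^,]*,[^,]*,\([0-7]\{3,4\}\)) *\(.*\)$/\1 \2/p' |
    while read -r mode path; do
        bad=$(dir_mode_problem "$mode")
        if [ -n "$bad" ]; then
            printf '%s mode %s: no search bit for %s\n' "$path" "$mode" "$bad"
        fi
    done
}

# Constructed sample: the two @dir lines from the comment plus one file entry.
sample_plist() {
    cat <<'EOF'
sbin/kresd
@dir(%%USERS%%,%%GROUPS%%,0660) %%RUNDIR%%
@dir(%%USERS%%,%%GROUPS%%,0700) %%RUNDIR%%
EOF
}

sample_plist | lint_plist
```

Only the 0660 entry is reported; 0700 and 0755 pass because every class that can read or write can also search the directory.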