Maintainer scripts mishandle /var/cache/bind permissions
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
bind9 (Debian) | Fix Released | Unknown | |
bind9 (Ubuntu) | Triaged | Medium | Unassigned |
Bug Description
Affects: 1:9.7.0.
bind9.postinst only sets permissions on
/var/cache/bind on a fresh install. When the bind9 package is removed
but not purged, /var/cache/bind is removed, but /etc/bind is left alone
(as expected). When the bind9 package is reinstalled from this state,
the postinst fails to correct the default 755 permissions on
/var/cache/bind.
This is particularly a problem for users upgrading from Lucid, since this
situation causes 100% CPU usage due to bug 1038199.
Steps to reproduce:
1. Start with a Lucid system
2. apt-get install bind9
3. apt-get remove bind9
4. apt-get install bind9
Note broken permissions in /var/cache/bind.
This isn't directly reproducible in Raring because files are now
left behind in /var/cache/bind causing /var/cache/bind to not be removed
when the package is removed (is this a separate bug?)
However, if from Lucid you then do:
5. do-release-upgrade
Then the problem propagates to Raring, and you'll see bug 1038199 (100% CPU usage).
Workaround:
# chown root.bind /var/cache/bind
# chmod 775 /var/cache/bind
# service bind9 restart
Logs from the upgraded machine (see 'working directory not writeable' and 'permission denied')
05-Dec-2012 12:23:35.719 found 2 CPUs, using 2 worker threads
05-Dec-2012 12:23:35.720 using up to 4096 sockets
05-Dec-2012 12:23:35.726 loading configuration from '/etc/bind/
05-Dec-2012 12:23:35.727 reading built-in trusted keys from file '/etc/bind/
05-Dec-2012 12:23:35.727 using default UDP/IPv4 port range: [1024, 65535]
05-Dec-2012 12:23:35.728 using default UDP/IPv6 port range: [1024, 65535]
05-Dec-2012 12:23:35.729 listening on IPv6 interfaces, port 53
05-Dec-2012 12:23:35.731 listening on IPv4 interface lo, 127.0.0.1#53
05-Dec-2012 12:23:35.732 listening on IPv4 interface eth0, 10.40.0.5#53
05-Dec-2012 12:23:35.734 listening on IPv4 interface eth1, 10.157.128.1#53
05-Dec-2012 12:23:35.735 listening on IPv4 interface eth1, 10.161.208.1#53
05-Dec-2012 12:23:35.736 listening on IPv4 interface eth0.60, 10.157.16.12#53
05-Dec-2012 12:23:35.738 generating session key for dynamic DNS
05-Dec-2012 12:23:35.738 sizing zone task pool based on 7 zones
05-Dec-2012 12:23:35.744 using built-in root key for view _default
05-Dec-2012 12:23:35.744 set up managed keys zone for view _default, file 'managed-keys.bind'
05-Dec-2012 12:23:35.744 Warning: 'empty-
05-Dec-2012 12:23:35.744 automatic empty zone: 254.169.
05-Dec-2012 12:23:35.744 automatic empty zone: 2.0.192.
05-Dec-2012 12:23:35.744 automatic empty zone: 100.51.
05-Dec-2012 12:23:35.744 automatic empty zone: 113.0.203.
05-Dec-2012 12:23:35.744 automatic empty zone: 255.255.
05-Dec-2012 12:23:35.744 automatic empty zone: 0.0.0.0.
05-Dec-2012 12:23:35.744 automatic empty zone: 1.0.0.0.
05-Dec-2012 12:23:35.744 automatic empty zone: D.F.IP6.ARPA
05-Dec-2012 12:23:35.744 automatic empty zone: 8.E.F.IP6.ARPA
05-Dec-2012 12:23:35.744 automatic empty zone: 9.E.F.IP6.ARPA
05-Dec-2012 12:23:35.744 automatic empty zone: A.E.F.IP6.ARPA
05-Dec-2012 12:23:35.744 automatic empty zone: B.E.F.IP6.ARPA
05-Dec-2012 12:23:35.744 automatic empty zone: 8.B.D.0.
05-Dec-2012 12:23:35.749 command channel listening on 127.0.0.1#953
05-Dec-2012 12:23:35.749 command channel listening on ::1#953
05-Dec-2012 12:23:35.749 the working directory is not writable
05-Dec-2012 12:23:35.749 ignoring config file logging statement due to -g option
05-Dec-2012 12:23:35.750 zone 0.in-addr.arpa/IN: loaded serial 1
05-Dec-2012 12:23:35.750 zone 157.10.
05-Dec-2012 12:23:35.751 zone 127.in-
05-Dec-2012 12:23:35.752 zone 255.in-
05-Dec-2012 12:23:35.753 zone extility.
05-Dec-2012 12:23:35.754 zone localhost/IN: loaded serial 2
05-Dec-2012 12:23:35.754 managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
05-Dec-2012 12:23:35.754 managed-
05-Dec-2012 12:23:35.754 managed-keys-zone ./IN: sync_keyzone:
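The report above says the postinst sets permissions only on a fresh install, so a remove-then-reinstall leaves the directory at 755. The following is an added example, not code from bind9's maintainer scripts: an idempotent check-and-repair that is safe to run on every configure. The function names are hypothetical, GNU `stat` is assumed, and the `root:bind` / `775` values a real run would pass come from the workaround above.

```shell
#!/bin/sh
# Added example; audit_workdir and ensure_workdir are hypothetical helpers.

# audit_workdir DIR OWNER:GROUP MODE
# Prints "ok", "missing" or "drift: <owner:group> <mode>"; returns 0, 2 or 1.
audit_workdir() {
    dir=$1 owner=$2 mode=$3
    [ -d "$dir" ] || { echo "missing"; return 2; }
    found=$(stat -c '%U:%G %a' "$dir")
    if [ "$found" = "$owner $mode" ]; then
        echo "ok"
    else
        echo "drift: $found"
        return 1
    fi
}

# ensure_workdir DIR OWNER:GROUP MODE
# Creates DIR if absent, then corrects ownership and mode only where they
# differ, so it behaves the same on first install, reinstall and upgrade.
ensure_workdir() {
    dir=$1 owner=$2 mode=$3
    [ -d "$dir" ] || mkdir -p "$dir"
    [ "$(stat -c '%U:%G' "$dir")" = "$owner" ] || chown "$owner" "$dir"
    [ "$(stat -c '%a' "$dir")" = "$mode" ] || chmod "$mode" "$dir"
    audit_workdir "$dir" "$owner" "$mode"
}

# Demo on a constructed scratch directory; the real /var/cache/bind is
# never touched. The directory's current owner stands in for root:bind so
# the demo runs without root.
demo=$(mktemp -d)
chmod 755 "$demo"                        # the state described in the report
me=$(stat -c '%U:%G' "$demo")
audit_workdir "$demo" "$me" 775 || true  # reports the drift
ensure_workdir "$demo" "$me" 775         # repairs it and re-audits
rm -rf "$demo"
```

On an affected system the equivalent call would be `ensure_workdir /var/cache/bind root:bind 775`, run as root.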
description: updated
Changed in bind9 (Debian): status: Unknown → New
description: updated
Changed in bind9 (Debian): status: New → Fix Released
Thank you for taking the time to report this bug and helping to make Ubuntu better.
I've not been able to reproduce this when upgrading from Lucid to Precise (1:9.7.0.dfsg.P1-1ubuntu0.8 to 1:9.8.1.dfsg.P1-4ubuntu0.4). /var/cache/bind had the correct (775) permissions. If I remove its contents and change the permissions to 755, then I do see the 100% CPU usage and the error in the log file that you've reported. But what I don't see is how to get the permissions to the erroneous 755 in the first place - simply installing bind9 in Lucid and upgrading to Precise doesn't seem to do it.
Are you sure that the permissions weren't already wrong due to a local misconfiguration before you upgraded?
Marking as Incomplete for now. If you manage to figure out how to reproduce this problem, please comment and change the bug status back to New.