Bind > 9.12 Will Not Start On FreeBSD

Bind > 9.12 Will Not Start On FreeBSD

Tim Daneliuk
Running:  FreeBSD 11.2-STABLE #0 r345904

Bind 9.11 works fine.  If I attempt to install 9.12 or greater, the
installation succeeds but any attempt to start the daemon fails silently.
Output of 'sh -x /usr/local/rc.d/named start' follows below.

Any thoughts or pointers would be deeply appreciated...

----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

bind-nostart.txt (13K) Download Attachment

Re: Bind > 9.12 Will Not Start On FreeBSD

Anand Buddhdev
On 27/04/2019 21:52, Tim Daneliuk wrote:

Hi Tim,

> Running:  FreeBSD 11.2-STABLE #0 r345904
>
> Bind 9.11 works fine.  If I attempt to install 9.12 or greater, the
> installation succeeds but any attempt to start the daemon fails silently.
> Output of 'sh -x /usr/local/rc.d/named start' follows below.

This doesn't show anything useful. BIND usually logs to syslog when
starting up. Check your syslog - you may find more useful messages in there.

Regards,
Anand

Re: Bind > 9.12 Will Not Start On FreeBSD

Tim Daneliuk
On 4/27/19 3:33 PM, Anand Buddhdev wrote:

> On 27/04/2019 21:52, Tim Daneliuk wrote:
>
> Hi Tim,
>
>> Running:  FreeBSD 11.2-STABLE #0 r345904
>>
>> Bind 9.11 works fine.  If I attempt to install 9.12 or greater, the
>> installation succeeds but any attempt to start the daemon fails silently.
>> Output of 'sh -x /usr/local/rc.d/named start' follows below.
>
> This doesn't show anything useful. BIND usually logs to syslog when
> starting up. Check your syslog - you may find more useful messages in there.
>
> Regards,
> Anand
>

D'oh ... I didn't even think of that (and I should have).

It appears to have been a file ownership problem with some files in
/usr/local/etc/named ... but it's weird.  First of all, all files in there
were group and world readable.  Why is 9.12+ now suddenly so grumpy about
who owns the files?  Is this a recent fix to reduce the attack surface
on files owned by root?

--
----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/


Re: Bind > 9.12 Will Not Start On FreeBSD

@lbutlr
On 27 Apr 2019, at 16:21, Tim Daneliuk <[hidden email]> wrote:
> Why is 9.12+ now suddenly so grumpy about who owns the files?  Is this a recent fix to reduce the attack surface on files owned by root?

Pretty sure. I thought it was mentioned in the 9.12 release notes, but now I can't find it.


--
One of the most basic rules of survival on any planet is never to upset
someone wearing black leather. --The Last Continent



Re: Bind > 9.12 Will Not Start On FreeBSD

Tim Daneliuk
On 4/27/19 5:33 PM, @lbutlr wrote:
> On 27 Apr 2019, at 16:21, Tim Daneliuk <[hidden email]> wrote:
>> Why is 9.12+ now suddenly so grumpy about who owns the files?  Is this a recent fix to reduce the attack surface on files owned by root?
>
> Pretty sure. I thought it was mentioned in the 9.12 release notes, but now I can't find it.
>
>

Possibly relevant:


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223842

--
----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/


Re: Bind > 9.12 Will Not Start On FreeBSD

Doug Barton
On 4/27/19 9:22 PM, Tim Daneliuk wrote:

> On 4/27/19 5:33 PM, @lbutlr wrote:
>> On 27 Apr 2019, at 16:21, Tim Daneliuk <[hidden email]> wrote:
>>> Why is 9.12+ now suddenly so grumpy about who owns the files?  Is this a recent fix to reduce the attack surface on files owned by root?
>>
>> Pretty sure. I thought it was mentioned in the 9.12 release notes, but now I can't find it.
>>
>>
>
> Possibly relevant:
>
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223842

Yes, that's almost certainly it. Sad to see that the FreeBSD ports team
is still doing their usual stellar job of "It's not our problem."

You need to make the directory you define as the working directory
("directory" in named.conf) writable to the named process.

I vaguely recall that I might have had code to make sure that got set
correctly in the rc.conf file back when I was maintaining the BIND
ports, but I can't figure out what they've done to the repo, and I can't
find my old stuff in there.

You're probably better off making your working directory something
that's not named in the mtree file, so that your permissions don't get
"fixed" by it.

hope this helps,

Doug
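
The requirement in the reply above (the "directory" named in named.conf must be writable to the named process) can be checked before a restart. The script below is an added example, not code from this thread or from the FreeBSD port. It looks only at owner, group and mode bits; the function names and the uid/gid 65534 used in the demo are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Mode bits only: ACLs, MAC policy and
# supplementary groups are not considered.

# Print the first `directory "..."` path from a named.conf-style file.
named_workdir() {
    sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" |
        head -n 1
}

# Return 0 if numeric uid $2 / gid $3 may create files in directory $1.
dir_writable_by() {
    [ -d "$1" ] || return 2
    # ls -ldn fields: 1 = mode string, 3 = owner uid, 4 = group gid.
    ls -ldn "$1" | awk -v u="$2" -v g="$3" '{
        bits = (u == $3) ? substr($1, 2, 3) : (g == $4) ? substr($1, 5, 3) : substr($1, 8, 3)
        # Creating files needs write plus search (x, or s/t which imply x).
        exit !(bits ~ /^.w[xst]$/)
    }'
}

# Report on the working directory of config $1 for uid $2 / gid $3.
check_named_workdir() {
    dir=$(named_workdir "$1")
    [ -n "$dir" ] || { echo "no directory option in $1"; return 2; }
    if dir_writable_by "$dir" "$2" "$3"; then
        echo "OK: $dir is writable by uid=$2 gid=$3"
    else
        echo "FAIL: $dir is not writable by uid=$2 gid=$3"
        return 1
    fi
}

# Constructed demo: a throwaway config whose working directory is mode 0755,
# i.e. writable by its owner only.
demo() {
    t=$(mktemp -d) && mkdir "$t/working" && chmod 755 "$t/working"
    printf 'options {\n\tdirectory "%s";\n};\n' "$t/working" > "$t/named.conf"
    # 65534 stands in for an unprivileged named account (assumed, not from the thread).
    check_named_workdir "$t/named.conf" 65534 65534
    rc=$?
    rm -rf "$t"
    return $rc
}
demo || true
```

On a real host, pass the installed named.conf and the numeric uid and gid of the account named runs as to `check_named_workdir`.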