
Thread: named running under chroot is not working - mmap returns with EACCES

  1. #1

    named running under chroot is not working - mmap returns with EACCES

    Hi all,

    SuSE 12.1

    Maybe someone can help - I already posted it on the German forum.
    Starting named using
    rcnamed start
    the named daemon is shut down at once


    If I start the process manually, using
    named -t /var/lib/named -u named -g
    I'm getting:
    28-Nov-2011 16:59:42.267 starting BIND 9.8.1-P1 -t /var/lib/named -u named -g
    28-Nov-2011 16:59:42.267 built with '--prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var' '--libdir=/usr/lib64' '--includedir=/usr/include/bind' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl' '--enable-threads' '--with-libtool' '--enable-runidn' '--with-libxml2' '--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -DNO_VERSION_DATE -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib64'
    28-Nov-2011 16:59:42.267 adjusted limit on open files from 4096 to 1048576
    28-Nov-2011 16:59:42.267 found 4 CPUs, using 4 worker threads
    28-Nov-2011 16:59:42.269 using up to 4096 sockets
    28-Nov-2011 16:59:42.274 initializing DST: openssl failure
    28-Nov-2011 16:59:42.274 exiting (due to fatal error)

    I dug into the problem using strace:
    strace named -t /var/lib/named -u named -g
    ...
    open("/lib64/engines/libgost.so", O_RDONLY) = 9
    read(9, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000t\0\0\0\0\0\0"..., 832) = 832
    fstat(9, {st_mode=S_IFREG|0555, st_size=97312, ...}) = 0
    mmap(NULL, 2192400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = -1 EACCES (Permission denied)
    ...

    What has to be changed in the system to make named work in a chroot jail?
    Without chroot it is working like a charm.

    Please do not open up the system for security reasons - named should still be running under chroot

    additional information:
    The problem is not related to the option -u named.
    problem seemed to be the command line option: -t /var/lib/named

    omitting this option
    strace named -u named -g
    open("/lib64/engines/libgost.so", O_RDONLY) = 8
    read(8, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000t\0\0\0\0\0\0"..., 832) = 832
    fstat(8, {st_mode=S_IFREG|0555, st_size=97312, ...}) = 0
    mmap(NULL, 2192400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 8, 0) = 0x7f9206d78000
    mprotect(0x7f9206d8e000, 2093056, PROT_NONE) = 0

    any idea???

    thanks
    andy

  2. #2

    Re: named running under chroot is not working - mmap returns with EACCES

    On 11/28/2011 11:56 AM, AndyDiet wrote:
    >
    > Hi all,
    >
    > SuSE 12.1
    >
    > Maybe someone can help - I already posted it on the German forum.
    > Starting named using
    > rcnamed start
    > the named daemon is shut down at once
    >
    >
    > If I start the process manually, using
    > named -t /var/lib/named -u named -g
    > I'm getting:
    > 28-Nov-2011 16:59:42.267 starting BIND 9.8.1-P1 -t /var/lib/named -u
    > named -g
    > 28-Nov-2011 16:59:42.267 built with '--prefix=/usr' '--bindir=/usr/bin'
    > '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var'
    > '--libdir=/usr/lib64' '--includedir=/usr/include/bind'
    > '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl'
    > '--enable-threads' '--with-libtool' '--enable-runidn' '--with-libxml2'
    > '--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-fmessage-length=0 -O2
    > -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
    > -fasynchronous-unwind-tables -g -DNO_VERSION_DATE -fno-strict-aliasing'
    > 'LDFLAGS=-L/usr/lib64'
    > 28-Nov-2011 16:59:42.267 adjusted limit on open files from 4096 to
    > 1048576
    > 28-Nov-2011 16:59:42.267 found 4 CPUs, using 4 worker threads
    > 28-Nov-2011 16:59:42.269 using up to 4096 sockets
    > 28-Nov-2011 16:59:42.274 initializing DST: openssl failure
    > 28-Nov-2011 16:59:42.274 exiting (due to fatal error)
    >
    > I dug into the problem using strace:
    > strace named -t /var/lib/named -u named -g
    > ..
    > open("/lib64/engines/libgost.so", O_RDONLY) = 9
    > read(9,
    > "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000t\0\0\0\0\0\0"...,
    > 832) = 832
    > fstat(9, {st_mode=S_IFREG|0555, st_size=97312, ...}) = 0
    > mmap(NULL, 2192400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9,
    > 0) = -1 EACCES (Permission denied)
    > ..
    >
    > What has to be changed in the system to make named work in a chroot
    > jail?
    > Without chroot it is working like a charm.
    >
    > Please do not open up the system for security reasons - named should
    > still be running under chroot
    >
    > additional information:
    > The problem is not related to the option -u named.
    > problem seemed to be the command line option: -t /var/lib/named
    >
    > omitting this option
    > strace named -u named -g
    > open("/lib64/engines/libgost.so", O_RDONLY) = 8
    > read(8,
    > "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000t\0\0\0\0\0\0"...,
    > 832) = 832
    > fstat(8, {st_mode=S_IFREG|0555, st_size=97312, ...}) = 0
    > mmap(NULL, 2192400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 8,
    > 0) = 0x7f9206d78000
    > mprotect(0x7f9206d8e000, 2093056, PROT_NONE) = 0
    >
    > any idea???
    >
    > thanks
    > andy
    >
    >


    andy;

    I think your problem is related to this Mandriva bug:

    https://bugs.mageia.org/show_bug.cgi?id=871

    For openSuSE the corresponding libraries are: /lib/engines and /lib64/engines. There may be other
    directories that need to be copied to /var/lib/named.

    I hope this points you in the right direction.

    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green

  3. #3

    Re: named running under chroot is not working - mmap returns with EACCES

    Hi P.V.,

    thanks for answering.

    The problem was not a missing file like in the Mandriva bug.
    All of the files are in place.

    But I found a solution - it's the configuration of AppArmor,
    see https://bugzilla.novell.com/show_bug.cgi?id=731572

    andy
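
Added example (not part of the thread or any poster's code): a small Python parser for strace output like that in the first post. It maps each failed PROT_EXEC mmap back to the file opened on that descriptor and flags the case where none of the EACCES causes documented in mmap(2) apply, which is when a mandatory access control policy such as the AppArmor profile named in the last post is the next thing to check. The function name, record fields and the added close(9) line are assumptions made for illustration.

```python
import re

# Constructed sample built from the strace lines in the first post: the chroot
# run (fd 9, denied) then the run without -t (fd 8, mapped). close(9) is added.
SAMPLE = r'''open("/lib64/engines/libgost.so", O_RDONLY) = 9
fstat(9, {st_mode=S_IFREG|0555, st_size=97312, ...}) = 0
mmap(NULL, 2192400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = -1 EACCES (Permission denied)
close(9) = 0
open("/lib64/engines/libgost.so", O_RDONLY) = 8
fstat(8, {st_mode=S_IFREG|0555, st_size=97312, ...}) = 0
mmap(NULL, 2192400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 8, 0) = 0x7f9206d78000
'''

PID = r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?'  # optional prefix added by strace -f
OPEN = re.compile(PID + r'open(?:at)?\((?:\w+,\s*)?"([^"]*)",\s*([^)]*)\)\s*=\s*(\d+)')
FSTAT = re.compile(PID + r'fstat\((\d+),\s*\{st_mode=(\w+)\|(0[0-7]+)')
CLOSE = re.compile(PID + r'close\((\d+)\)\s*=\s*0')
MMAP = re.compile(PID + r'mmap\([^,]+,\s*\d+,\s*([A-Z_|]+),\s*[^,]+,\s*(\d+),'
                        r'\s*\w+\)\s*=\s*-1\s+(E\w+)')

def exec_mmap_denials(trace):
    """Return one record per failed file-backed PROT_EXEC mmap, with its path."""
    fds, hits = {}, []
    for line in trace.splitlines():
        if m := OPEN.match(line):
            path, flags, fd = m.groups()
            fds[fd] = {"path": path, "flags": flags, "type": None, "mode": None}
        elif m := FSTAT.match(line):
            if m.group(1) in fds:
                fds[m.group(1)].update(type=m.group(2), mode=m.group(3))
        elif m := CLOSE.match(line):
            fds.pop(m.group(1), None)          # fd numbers get reused
        elif m := MMAP.match(line):
            prot, fd, errno = m.groups()
            if "PROT_EXEC" not in prot.split("|") or errno not in ("EACCES", "EPERM"):
                continue
            f = fds.get(fd, {"path": "<unknown>", "flags": "", "type": None, "mode": None})
            # mmap(2) documents EACCES for a non-regular file, an fd not open for
            # reading, or certain PROT_WRITE requests. If none applies, the denial
            # comes from elsewhere, e.g. an LSM policy (AppArmor in this thread).
            documented = (f["type"] != "S_IFREG" or "O_WRONLY" in f["flags"]
                          or "PROT_WRITE" in prot)
            hits.append({"path": f["path"], "fd": fd, "errno": errno, "mode": f["mode"],
                         "check_lsm": errno == "EACCES" and not documented})
    return hits

if __name__ == "__main__":
    for h in exec_mmap_denials(SAMPLE):
        print(h)
```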
