named running under chroot is not working - mmap returns with EACCES

Hi all,

SuSE 12.1

maybe someone can help - already posted it on the German forum
Starting named using
rcnamed start
the named daemon is shut down at once

If I start the process manually, using
named -t /var/lib/named -u named -g
I’m getting:
28-Nov-2011 16:59:42.267 starting BIND 9.8.1-P1 -t /var/lib/named -u named -g
28-Nov-2011 16:59:42.267 built with '--prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var' '--libdir=/usr/lib64' '--includedir=/usr/include/bind' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl' '--enable-threads' '--with-libtool' '--enable-runidn' '--with-libxml2' '--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -DNO_VERSION_DATE -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib64'
28-Nov-2011 16:59:42.267 adjusted limit on open files from 4096 to 1048576
28-Nov-2011 16:59:42.267 found 4 CPUs, using 4 worker threads
28-Nov-2011 16:59:42.269 using up to 4096 sockets
28-Nov-2011 16:59:42.274 initializing DST: openssl failure
28-Nov-2011 16:59:42.274 exiting (due to fatal error)

I dug into the problem using strace:
strace named -t /var/lib/named -u named -g

open("/lib64/engines/libgost.so", O_RDONLY) = 9
read(9, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000t\0\0\0\0\0\0"..., 832) = 832
fstat(9, {st_mode=S_IFREG|0555, st_size=97312, ...}) = 0
mmap(NULL, 2192400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = -1 EACCES (Permission denied)

What has to be changed in the system to make named work in a chroot jail?
Without chroot it is working like a charm.

Please do not open up the system for security reasons - named should still be running under chroot

additional information:
The problem is not related to the option -u named.
problem seemed to be the command line option: -t /var/lib/named

omitting this option
strace named -u named -g
open("/lib64/engines/libgost.so", O_RDONLY) = 8
read(8, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000t\0\0\0\0\0\0"..., 832) = 832
fstat(8, {st_mode=S_IFREG|0555, st_size=97312, ...}) = 0
mmap(NULL, 2192400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 8, 0) = 0x7f9206d78000
mprotect(0x7f9206d8e000, 2093056, PROT_NONE) = 0

any idea???

thanks
andy

On 11/28/2011 11:56 AM, AndyDiet wrote:
>
> Hi all,
>
> SuSE 12.1
>
> maybe someone can help - already posted it on the German forum
> Starting named using
> rcnamed start
> the named daemon is shut down at once
>
>
> If I start the process manually, using
> named -t /var/lib/named -u named -g
> I’m getting:
> 28-Nov-2011 16:59:42.267 starting BIND 9.8.1-P1 -t /var/lib/named -u
> named -g
> 28-Nov-2011 16:59:42.267 built with '--prefix=/usr' '--bindir=/usr/bin'
> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var'
> '--libdir=/usr/lib64' '--includedir=/usr/include/bind'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl'
> '--enable-threads' '--with-libtool' '--enable-runidn' '--with-libxml2'
> '--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-fmessage-length=0 -O2
> -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
> -fasynchronous-unwind-tables -g -DNO_VERSION_DATE -fno-strict-aliasing'
> 'LDFLAGS=-L/usr/lib64'
> 28-Nov-2011 16:59:42.267 adjusted limit on open files from 4096 to
> 1048576
> 28-Nov-2011 16:59:42.267 found 4 CPUs, using 4 worker threads
> 28-Nov-2011 16:59:42.269 using up to 4096 sockets
> 28-Nov-2011 16:59:42.274 initializing DST: openssl failure
> 28-Nov-2011 16:59:42.274 exiting (due to fatal error)
>
> I dug into the problem using strace:
> strace named -t /var/lib/named -u named -g
> …
> open("/lib64/engines/libgost.so", O_RDONLY) = 9
> read(9, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000t\0\0\0\0\0\0"..., 832) = 832
> fstat(9, {st_mode=S_IFREG|0555, st_size=97312, ...}) = 0
> mmap(NULL, 2192400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = -1 EACCES (Permission denied)
> …
>
> What has to be changed in the system to make named work in a chroot
> jail?
> Without chroot it is working like a charm.
>
> Please do not open up the system for security reasons - named should
> still be running under chroot
>
> additional information:
> The problem is not related to the option -u named.
> problem seemed to be the command line option: -t /var/lib/named
>
> omitting this option
> strace named -u named -g
> open("/lib64/engines/libgost.so", O_RDONLY) = 8
> read(8, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000t\0\0\0\0\0\0"..., 832) = 832
> fstat(8, {st_mode=S_IFREG|0555, st_size=97312, ...}) = 0
> mmap(NULL, 2192400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 8, 0) = 0x7f9206d78000
> mprotect(0x7f9206d8e000, 2093056, PROT_NONE) = 0
>
> any idea???
>
> thanks
> andy
>
>

andy;

I think your problem is related to this Mandriva bug:

https://bugs.mageia.org/show_bug.cgi?id=871

For openSuSE the corresponding libraries are: /lib/engines and /lib64/engines. There may be other directories that need to be copied to /var/lib/named.

I hope this points you in the right direction.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Hi P.V.,

thanks for answering.

The problem was not a missing file like in the Mandriva bug.
All of the files are in place.

But I found a solution - it's the configuration of AppArmor,
see https://bugzilla.novell.com/show_bug.cgi?id=731572

andy
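
Added example, not part of the thread and not code from any poster: a small parser for strace output like the excerpts above. It maps each failed PROT_EXEC mmap back to the file opened on that descriptor and attaches a triage hint based on the errno. The sample trace is constructed from the lines in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: strace lines modelled on the excerpts in the thread
# (chrooted run, fd 9), plus one successful mapping for contrast.
SAMPLE = '''\
open("/lib64/libc.so.6", O_RDONLY) = 3
mmap(NULL, 3750152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9206a00000
close(3) = 0
open("/lib64/engines/libgost.so", O_RDONLY) = 9
fstat(9, {st_mode=S_IFREG|0555, st_size=97312, ...}) = 0
mmap(NULL, 2192400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 9, 0) = -1 EACCES (Permission denied)
'''

# Successful open()/openat(): capture the path and the returned descriptor.
OPEN_RE = re.compile(r'^open(?:at)?\((?:[^,"]+,\s*)?"([^"]+)",.*\)\s*=\s*(\d+)\s*$')
CLOSE_RE = re.compile(r'^close\((\d+)\)\s*=\s*0')
# Failed mmap(): capture the protection flags, the descriptor and the errno.
MMAP_RE = re.compile(
    r'^mmap\([^,]+,\s*\d+,\s*([A-Z_|]+),\s*[A-Z_|]+,\s*(-?\d+),\s*\S+\)'
    r'\s*=\s*-1\s+(E[A-Z]+)')
PID_RE = re.compile(r'^(\[pid\s+\d+\]|\d+)\s+')  # prefix added by strace -f


def denied_exec_maps(trace):
    """Return (path, errno) for each failed PROT_EXEC file mapping."""
    fd_path, findings = {}, []
    for raw in trace.splitlines():
        line = PID_RE.sub('', raw.strip())
        if m := OPEN_RE.match(line):
            fd_path[int(m.group(2))] = m.group(1)
        elif m := CLOSE_RE.match(line):
            fd_path.pop(int(m.group(1)), None)  # descriptor may be reused
        elif m := MMAP_RE.match(line):
            prot, fd, err = m.group(1).split('|'), int(m.group(2)), m.group(3)
            if 'PROT_EXEC' in prot and fd in fd_path:
                findings.append((fd_path[fd], err))
    return findings


def hint(err):
    # mmap(2): EPERM with PROT_EXEC means a noexec mount. EACCES on a file
    # that was opened for reading usually points at an LSM (AppArmor,
    # SELinux) denial rather than at file permissions.
    return {'EACCES': 'check LSM policy and audit log',
            'EPERM': 'check mount options (noexec)'}.get(err, 'see mmap(2)')


if __name__ == '__main__':
    for path, err in denied_exec_maps(SAMPLE):
        print(f'{path}: mmap PROT_EXEC failed with {err}: {hint(err)}')
```

Paths in a trace of the chrooted run are relative to the directory given with -t, so the file on the host is that path under /var/lib/named.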