[v9_11] require writable managed keys directory

4769.	[bug]		Enforce the requirement that the managed keys
			directory (specified by "managed-keys-directory",
			and defaulting to the working directory if not
			specified) must be writable. [RT #46077]

CHANGES

@@ -12,6 +12,11 @@
 			to be used frequently for root-server
 			addresses, which triggered re-priming. [RT #45241]
 
+4769.	[bug]		Enforce the requirement that the managed keys
+			directory (specified by "managed-keys-directory",
+			and defaulting to the working directory if not
+			specified) must be writable. [RT #46077]
+
 4766.	[cleanup]	Addresss Coverity warnings. [RT #46150]
 
 4763.	[contrib]	Improve compatibility when building MySQL DLZ

bin/named/server.c

@@ -152,6 +152,12 @@
 #define EXCLBUFFERS 4096
 #endif /* TUNE_LARGE */
 
+#ifdef WIN32
+#define DIR_PERM_OK W_OK
+#else
+#define DIR_PERM_OK W_OK|X_OK
+#endif
+
 /*%
  * Check an operation for failure.  Assumes that the function
  * using it has a 'result' variable and a 'cleanup' label.
@@ -893,6 +899,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	const cfg_obj_t *options = NULL;
 	const cfg_obj_t *obj = NULL;
 	const char *directory;
+	isc_boolean_t need_mkey_dir = ISC_FALSE;
 	int i = 0;
 
 	/* We don't need trust anchors for the _bind view */
@@ -1017,11 +1024,14 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	/*
 	 * Add key zone for managed-keys.
 	 */
+	need_mkey_dir = ISC_TF(auto_root || view_managed_keys != NULL);
+
 	obj = NULL;
 	(void)ns_config_get(maps, "managed-keys-directory", &obj);
 	directory = (obj != NULL ? cfg_obj_asstring(obj) : NULL);
-	if (directory != NULL)
+	if (directory != NULL) {
 		result = isc_file_isdirectory(directory);
+	}
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
@@ -1029,7 +1039,37 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 			      directory, isc_result_totext(result));
 		goto cleanup;
 
+	} else if (need_mkey_dir && directory != NULL) {
+		if (access(directory, DIR_PERM_OK) != 0) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "managed-keys-directory '%s' "
+				      "is not writable", directory);
+			result = ISC_R_NOPERM;
+			goto cleanup;
+		}
+	} else if (need_mkey_dir) {
+		char cwd[PATH_MAX];
+
+		if (getcwd(cwd, sizeof(cwd)) == NULL) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "unable to retrieve "
+				      "current working directory");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		if (access(cwd, DIR_PERM_OK) != 0) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "working directory '%s' "
+				      "is not writable", cwd);
+			result = ISC_R_NOPERM;
+			goto cleanup;
+		}
 	}
+
 	CHECK(add_keydata_zone(view, directory, ns_g_mctx));
 
   cleanup:
@@ -7995,7 +8035,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	/*
 	 * Check that the working directory is writable.
 	 */
-	if (access(".", W_OK) != 0) {
+	if (access(".", DIR_PERM_OK) != 0) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
 			      "the working directory is not writable");

bin/tests/system/mkeys/README

@@ -10,9 +10,9 @@ with RFC 5011 Automated Updates of DNSSEC Trust Anchors.
 ns1 is the root server that offers new KSKs and hosts one record for
 testing. The TTL for the zone's records is 2 seconds.
 
-ns2 is a validator uses managed-keys.
-"named -T rfc5011holddown=4" switch is used so it will attempt to do
-the automated updates frequently.
+ns2 is a validator that uses managed-keys.  "-T mkeytimers=2/20/40"
+is used so it will attempt do automated updates frequently. "-T tat=1"
+is used so it will send TAT queries once per second.
 
 ns3 is a validator with a broken key in managed-keys.
 

bin/tests/system/runtime/clean.sh

@@ -6,6 +6,12 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
+rm -f ns2/named.conf
 rm -f */named.memstats
 rm -f */named*.run
 rm -f ns*/named.lock ns*/named*.pid ns*/other.lock
+rm -f *.pid
+rm -f rndc.out*
+[ -d ns2/nope ] && chmod 755 ns2/nope
+rm -rf ns2/nope
+rm -f ns2/dir ns2/nopedir ns2/mkd ns2/nopemkd

bin/tests/system/runtime/ns2/named-alt1.conf

@@ -21,3 +21,12 @@ options {
 	dnssec-enable no;
 	dnssec-validation no;
 };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};

bin/tests/system/runtime/ns2/named-alt2.conf

@@ -21,3 +21,12 @@ options {
 	dnssec-enable no;
 	dnssec-validation no;
 };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};

bin/tests/system/runtime/ns2/named-alt3.conf

@@ -22,3 +22,12 @@ options {
 	dnssec-enable no;
 	dnssec-validation no;
 };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};

bin/tests/system/runtime/ns2/named-alt4.conf

@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+        include "dir";
+	include "nopemkd";
+        port 5300;
+        pid-file "../named4.pid";
+        listen-on { 127.0.0.1; };
+        listen-on-v6 { none; };
+        recursion yes;
+        dnssec-validation auto;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};

bin/tests/system/runtime/ns2/named-alt5.conf

@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+        include "nopedir";
+        port 5300;
+        pid-file "../named5.pid";
+        listen-on { 127.0.0.1; };
+        listen-on-v6 { none; };
+        recursion no;
+        dnssec-validation auto;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};

bin/tests/system/runtime/ns2/named-alt6.conf

@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+        include "../nopedir";
+	include "mkd";
+        port 5300;
+        pid-file "../named6.pid";
+        listen-on { 127.0.0.1; };
+        listen-on-v6 { none; };
+        recursion no;
+        dnssec-validation auto;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};

bin/tests/system/runtime/ns2/named1.conf

@@ -21,3 +21,12 @@ options {
 	dnssec-enable no;
 	dnssec-validation no;
 };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};

bin/tests/system/runtime/setup.sh

@@ -10,3 +10,12 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 $SHELL clean.sh 
+
+cp ns2/named1.conf ns2/named.conf
+
+mkdir ns2/nope
+chmod 555 ns2/nope
+echo "directory \"`pwd`/ns2\";" > ns2/dir
+echo "directory \"`pwd`/ns2/nope\";" > ns2/nopedir
+echo "managed-keys-directory \"`pwd`/ns2\";" > ns2/mkd
+echo "managed-keys-directory \"`pwd`/ns2/nope\";" > ns2/nopemkd

bin/tests/system/runtime/tests.sh

@@ -20,17 +20,15 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 if [ ! "$CYGWIN" ]; then
-
-n=`expr $n + 1`
-echo "I:verifying that named checks for conflicting listeners ($n)"
-ret=0
-(cd ns2; $NAMED -c named-alt1.conf -D ns2-extra-1 -X other.lock -m record,size,mctx -d 99 -g -U 4 >> named2.run 2>&1 & )
-sleep 2
-grep "unable to listen on any configured interface" ns2/named2.run > /dev/null || ret=1
-[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
+    n=`expr $n + 1`
+    echo "I:verifying that named checks for conflicting listeners ($n)"
+    ret=0
+    (cd ns2; $NAMED -c named-alt1.conf -D ns2-extra-1 -X other.lock -m record,size,mctx -d 99 -g -U 4 >> named2.run 2>&1 & )
+    sleep 2
+    grep "unable to listen on any configured interface" ns2/named2.run > /dev/null || ret=1
+    [ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
 fi
 
 n=`expr $n + 1`
@@ -53,6 +51,77 @@ grep "another named process" ns2/named4.run > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I: checking that named refuses to reconfigure if managed-keys-directory is set and not writable ($n)"
+ret=0
+cp -f ns2/named-alt4.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
+grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
+sleep 1
+grep "managed-keys-directory '.*' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I: checking that named refuses to reconfigure if managed-keys-directory is unset and working directory is not writable ($n)"
+ret=0
+cp -f ns2/named-alt5.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
+grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
+sleep 1
+grep "working directory '.*' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I: checking that named reconfigures if working directory is not writable but managed-keys-directory is ($n)"
+ret=0
+cp -f ns2/named-alt6.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
+grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I: shutting down existing named"
+[ -s named4.pid ] && kill -15 `cat named4.pid` > /dev/null 2>&1
+[ -s named5.pid ] && kill -15 `cat named5.pid` > /dev/null 2>&1
+[ -s named6.pid ] && kill -15 `cat named6.pid` > /dev/null 2>&1
+
+n=`expr $n + 1`
+echo "I: checking that named refuses to start if managed-keys-directory is set and not writable ($n)"
+ret=0
+cd ns2
+$NAMED -c named-alt4.conf -d 99 -g > named4.run 2>&1 &
+sleep 2
+grep "exiting (due to fatal error)" named4.run > /dev/null || ret=1
+[ -s named4.pid ] && kill -15 `cat named4.pid` > /dev/null 2>&1
+cd ..
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I: checking that named refuses to start if managed-keys-directory is unset and working directory is not writable ($n)"
+ret=0
+cd ns2
+$NAMED -c named-alt5.conf -d 99 -g > named5.run 2>&1 &
+sleep 2
+grep "exiting (due to fatal error)" named5.run > /dev/null || ret=1
+[ -s named5.pid ] && kill -15 `cat named5.pid` > /dev/null 2>&1
+cd ..
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I: checking that named starts if managed-keys-directory is writable and working directory is not writable ($n)"
+ret=0
+cd ns2
+$NAMED -c named-alt6.conf -d 99 -g > named6.run 2>&1 &
+sleep 2
+grep "exiting (due to fatal error)" named6.run > /dev/null || ret=1
+[ -s named6.pid ] && kill -15 `cat named6.pid` > /dev/null 2>&1
+cd ..
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
 
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1

doc/arm/Bv9ARM-book.xml

@@ -4804,17 +4804,17 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <listitem>
 	      <para>
 		The working directory of the server.
-		Any non-absolute pathnames in the configuration file will be
-		taken
-		as relative to this directory. The default location for most
-		server
-		output files (e.g. <filename>named.run</filename>)
-		is this directory.
+		Any non-absolute pathnames in the configuration file will
+		be taken as relative to this directory. The default
+		location for most server output files
+		(e.g. <filename>named.run</filename>) is this directory.
 		If a directory is not specified, the working directory
 		defaults to `<filename>.</filename>', the directory from
-		which the server
-		was started. The directory specified should be an absolute
-		path.
+		which the server was started. The directory specified
+		should be an absolute path. It is
+		<emphasis>strongly recommended</emphasis>
+		that the directory be writable by the effective user
+		ID of the <command>named</command> process.
 	      </para>
 	    </listitem>
 	  </varlistentry>
@@ -5074,7 +5074,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	      <para>
 		Specifies the directory in which to store the files that
 		track managed DNSSEC keys.  By default, this is the working
-		directory.
+		directory.  The directory <emphasis>must</emphasis>
+		be writable by the effective user ID of the
+		<command>named</command> process.
 	      </para>
 	      <para>
 		If <command>named</command> is not configured to use views,

doc/arm/notes.xml

@@ -164,6 +164,17 @@
 	  <filename>bind.keys</filename>. [RT #46155]
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  <command>named</command> will no longer start or accept
+	  reconfiguration if <command>managed-keys</command> or
+	  <command>dnssec-validation auto</command> are in use and
+	  the managed-keys directory (specified by
+	  <command>managed-keys-directory</command>, and defaulting
+	  to the working directory if not specified),
+	  is not writable by the effective user ID. [RT #46077]
+	</para>
+      </listitem>
       <listitem>
 	<para>
 	  Previously, <command>update-policy local;</command> accepted

lib/isccfg/parser.c

@@ -566,7 +566,8 @@ parse2(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 
 	if (result != ISC_R_SUCCESS) {
 		/* Parsing failed but no errors have been logged. */
-		cfg_parser_error(pctx, 0, "parsing failed");
+		cfg_parser_error(pctx, 0, "parsing failed: %s",
+				 isc_result_totext(result));
 		goto cleanup;
 	}