Merge branch '1090-fix-unable-to-set-effective-uid-to-0' into 'master'

Resolve "BIND 9.14: unable to set effective uid to 0"

Closes #1090 and #1042

See merge request isc-projects/bind9!3432

CHANGES

@@ -1,3 +1,7 @@
+5394.	[cleanup]	Don't change effective uid/gid in named_os_openfile()
+			if named is already running under specified uid/gid.
+			[GL #1042] [GL #1090]
+
 5393.	[cleanup]	Unused or redundant APIs were removed from libirs.
 			[GL #1758]
 

bin/named/server.c

@@ -7313,7 +7313,8 @@ static isc_result_t
 generate_session_key(const char *filename, const char *keynamestr,
 		     const dns_name_t *keyname, const char *algstr,
 		     const dns_name_t *algname, unsigned int algtype,
-		     uint16_t bits, isc_mem_t *mctx, dns_tsigkey_t **tsigkeyp) {
+		     uint16_t bits, isc_mem_t *mctx, bool first_time,
+		     dns_tsigkey_t **tsigkeyp) {
 	isc_result_t result = ISC_R_SUCCESS;
 	dst_key_t *key = NULL;
 	isc_buffer_t key_txtbuffer;
@@ -7354,7 +7355,7 @@ generate_session_key(const char *filename, const char *keynamestr,
 					NULL, now, now, mctx, NULL, &tsigkey));
 
 	/* Dump the key to the key file. */
-	fp = named_os_openfile(filename, S_IRUSR | S_IWUSR, true);
+	fp = named_os_openfile(filename, S_IRUSR | S_IWUSR, first_time);
 	if (fp == NULL) {
 		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
@@ -7405,7 +7406,7 @@ cleanup:
 
 static isc_result_t
 configure_session_key(const cfg_obj_t **maps, named_server_t *server,
-		      isc_mem_t *mctx) {
+		      isc_mem_t *mctx, bool first_time) {
 	const char *keyfile, *keynamestr, *algstr;
 	unsigned int algtype;
 	dns_fixedname_t fname;
@@ -7501,7 +7502,7 @@ configure_session_key(const cfg_obj_t **maps, named_server_t *server,
 
 		CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
 					   algname, algtype, bits, mctx,
-					   &server->sessionkey));
+					   first_time, &server->sessionkey));
 	}
 
 	return (result);
@@ -8882,7 +8883,7 @@ load_configuration(const char *filename, named_server_t *server,
 	 * turns out that a session key is really needed but doesn't exist,
 	 * we'll treat it as a fatal error then.
 	 */
-	(void)configure_session_key(maps, server, named_g_mctx);
+	(void)configure_session_key(maps, server, named_g_mctx, first_time);
 
 	/*
 	 * Create the DNSSEC key and signing policies (KASP).

bin/named/unix/os.c

@@ -39,6 +39,7 @@
 #include <isc/result.h>
 #include <isc/strerr.h>
 #include <isc/string.h>
+#include <isc/util.h>
 
 #include <named/globals.h>
 #include <named/main.h>
@@ -414,7 +415,6 @@ named_os_chroot(const char *root) {
 
 void
 named_os_inituserinfo(const char *username) {
-	char strbuf[ISC_STRERRORSIZE];
 	if (username == NULL) {
 		return;
 	}
@@ -431,6 +431,7 @@ named_os_inituserinfo(const char *username) {
 	}
 
 	if (getuid() == 0) {
+		char strbuf[ISC_STRERRORSIZE];
 		if (initgroups(runas_pw->pw_name, runas_pw->pw_gid) < 0) {
 			strerror_r(errno, strbuf, sizeof(strbuf));
 			named_main_earlyfatal("initgroups(): %s", strbuf);
@@ -696,14 +697,21 @@ named_os_openfile(const char *filename, mode_t mode, bool switch_user) {
 	free(f);
 
 	if (switch_user && runas_pw != NULL) {
+		uid_t olduid = getuid();
 		gid_t oldgid = getgid();
+#if HAVE_SYS_CAPABILITY_H
+		REQUIRE(olduid == runas_pw->pw_uid);
+		REQUIRE(oldgid == runas_pw->pw_gid);
+#else /* HAVE_SYS_CAPABILITY_H */
 		/* Set UID/GID to the one we'll be running with eventually */
 		setperms(runas_pw->pw_uid, runas_pw->pw_gid);
-
+#endif
 		fd = safe_open(filename, mode, false);
 
-		/* Restore UID/GID to root */
-		setperms(0, oldgid);
+#if !HAVE_SYS_CAPABILITY_H
+		/* Restore UID/GID to previous uid/gid */
+		setperms(olduid, oldgid);
+#endif
 
 		if (fd == -1) {
 			fd = safe_open(filename, mode, false);

doc/arm/notes-9.17.2.xml

@@ -66,7 +66,11 @@
     <itemizedlist>
       <listitem>
         <para>
-          None.
+          When running on a system with Linux capabilities support,
+          <command>named</command> drops root privileges very soon after system
+          startup. This was causing a spurious log message, <quote>unable to set
+          effective uid to 0: Operation not permitted</quote>, which has now been
+          silenced. [GL #1042] [GL #1090]
         </para>
       </listitem>
     </itemizedlist>