search

PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0
3.62k stars 903 forks source link

auth: pdnsutil makes LMDB files with wrong owner #11060

Open thantzsche opened 2 years ago

thantzsche commented 2 years ago

Short description

When configured with LMDB backend all created lmdb files have initially the owner root instead of pdns and therefore the auth server is at the first start exiting and restarting until the files get manually changed to owner pdns. Adding a zone with "pdnsutil create-zone " creates a new lmdb file with owner root again, which has also to be corrected manually to work.

Environment

Steps to reproduce

  1. pdns.conf: 
    daemon=yes
default-soa-edit=INCEPTION-INCREMENT
launch=lmdb
lmdb-filename=/var/db/pdns/dns00.lmdb
lmdb-sync-mode=sync
local-address=149.220.39.10
loglevel=6
primary=yes
query-local-address=0.0.0.0
security-poll-suffix=
  2. /usr/local/etc/rc.d/pdns start
  3. ls -l /var/db/pdns/
  4. chown pdns /var/db/pdns/*
  5. pdnsutil create-zone check.prv
  6. ls -l /var/db/pdns/
  7. chown pdns /var/db/pdns/*

Expected behaviour

All created lmdb files should have the owner pdns.

Actual behaviour

After step (2) the pdns daemon is filling the log with

Caught an exception instantiating a backend, cleaning up
Exiting because of STL error: Unable to open database file /var/db/pdns/dns00.lmdb: Permission denied
Caught an exception instantiating a backend, cleaning up
Exiting because communicator thread died with STL error: Unable to open database file /var/db/pdns/dns00.lmdb: Permission denied
Our pdns instance exited with code 1, respawning

This ends only after correcting the file owner.

Step (5): after the creation of a zone with pdnsutil, a new lmdb file gets the owner root again and every 5 minutes the log shows: STL Exception while updating zone cache: Unable to load database file /var/db/pdns/dns00.lmdb-1: Permission denied

Other information

The same permission problem occurs when the Authoritative is set up as secondary with LMDB backend.

sndrsmnk commented 2 years ago

The issue here is pdnsutil will create files on its own, so either you need to run pdnsutil as the pdns user or accept the fact that the first time you create LMDB files with pdnsutil you need to chown them manually. Or exclusively use the API to create new zones.

thantzsche commented 2 years ago

Just for my understanding (please correct me if i'm wrong about that): Fact: pdns.conf contains the option "setuid=pdns". Is it always pdnsutil that creates at the first start the first lmdb file (in my case dns00.lmdb) or is this first step managed by the auth daemon? (I checked: the daemon runs effectively with uid=pdns) pdnsutil needs to know where to create a new zone (and possibly a new lmdb file), so it needs to look into pdns.conf to find out the path given with "lmdb-filename=", right? Should it not also process the option "setuid= " to set the current owner for the lmdb files?

Habbie commented 2 years ago

Should it not also process the option "setuid= " to set the current owner for the lmdb files?

This is a very good question. I've marked this ticket as an enhancement request so we can think about this.

zeha commented 2 years ago

This is #3386, basically?

thantzsche commented 2 years ago

This is #3386, basically?

I would say so. Since pdnsutil is an easy and powerful cli-zonemanager for pdns, it should take care of the correct access rights the daemon is effectively running with or else it is rendering the whole system unreliable (in my case with existent but inaccessible zones and files of the LMDB backend).