Bug 734

Summary: Do not log an error when the PID file cannot be chown'ed
Product: unbound Reporter: Simon Deziel <simon.deziel>
Component: serverAssignee: unbound team <unbound-team>
Status: RESOLVED FIXED    
Severity: enhancement CC: cathya, simon.deziel, wouter
Priority: P5    
Version: 1.5.7   
Hardware: x86_64   
OS: Linux   
Attachments: turn PID chown failure into a debug message
Only chown PID if inside the chroot

Description Simon Deziel 2016-01-12 01:13:32 CET
Created attachment 313 [details]
turn PID chown failure into a debug message

Hello,

Since some version in 1.5.x, Unbound attempts to chown the PID file to the low priv user. As I understand it, this is to allow the low priv user to attempt a deletion when the daemon stops. This deletion can fail (PID outside of chroot for example) and this is not fatal, so far so good.

On Debian/Ubuntu, the PID always resides outside of the chroot so it's moot to chown it because it can never be deleted. As such, I would like the PID chown'ing failure to be turned into a debug log instead of an error.

This would make it possible to deny chown/dac_override caps to the daemon completely even when running as root. This is what https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230 is about.

Please consider the attached patch.

Best regards,
Simon
Comment 1 Wouter Wijngaards 2016-01-12 09:05:23 CET
Hi Simon,

Thank you for the patch.  That makes sense, not log an error for this.  I have committed the patch to the code repository.

Best regards, Wouter
Comment 2 Simon Deziel 2016-01-26 05:42:37 CET
Created attachment 322 [details]
Only chown PID if inside the chroot

Wouter, sorry for the delay. Would you mind considering this follow-up patch?

It changes the behavior to only chown the PID if it resides inside the chroot or if no chroot is defined. This has the benefit of not using CAP_CHOWN on a default Ubuntu setup.

Best regards,
Simon
Comment 3 Wouter Wijngaards 2016-01-26 09:05:27 CET
Hi Simon,

Yes of course, thank you for the patch.  I have committed it.

Best regards, Wouter
Comment 4 Simon Deziel 2016-01-26 15:11:37 CET
Thank you!