Bug 84 - Bind8 stats are not working when running nsd as unprivileged user
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
Version: 2.1.x
Hardware: i386 FreeBSD
Importance: P2 normal
Assigned To: NSD team
Reported: 2004-07-21 03:13 CEST by Olafur Osvaldsson
Modified: 2004-07-28 15:40 CEST (History)
Attachments
Patch to change SIGILL to SIGUSR1 (2.82 KB, patch)
2004-07-21 18:39 CEST, Erik Rozendaal

Description Olafur Osvaldsson 2004-07-21 03:13:29 CEST
I run nsd as the user bind and it runs fine but when I try to make it log bind8
stats by sending it SIGILL it just logs the following message:

[root@ ]# kill -SIGILL `cat /var/run/nsd.pid` && tail -1 /var/log/messages
Jul 21 01:09:00 nsd[66215]: problems killing 66219: Operation not permitted

66215 is the primary process and 66219 is the secondary.

When I send SIGILL to the secondary process as root it works fine but sending
the SIGILL to the primary process (as -s 60 seems to do) just logs the
above-mentioned message.

Thus, periodical bind8 stats logging is not working for me.
Comment 1 Erik Rozendaal 2004-07-21 15:22:55 CEST
This is reproducible on FreeBSD 5.2-CURRENT and MacOS X 10.3.4. But the "Operation not permitted"
error only occurs with SIGILL, not SIGTERM or SIGHUP, which is strange because the kill(2) manual page
does not mention anything special about permissions and SIGILL.

SIGILL works fine on Linux and FreeBSD 4.10-STABLE, so this seems to be an operating system error.
Comment 2 Olafur Osvaldsson 2004-07-21 17:54:22 CEST
Actually it's not an error in the OS.

FreeBSD considers changing the owner of a process to be "tainting" and only 
allows certain signals to be sent to such "tainted" processes.
In a recent (5.*) /usr/src/sys/kern/kern_prot.c you can see the list of 
allowed signals:

SIGKILL
SIGINT
SIGTERM
SIGALRM
SIGSTOP
SIGTTIN
SIGTTOU
SIGTSTP
SIGHUP
SIGUSR1
SIGUSR2

SIGILL is not in that list and is therefore not permitted without privilege.

I suggest finding another signal for this.
Comment 3 Erik Rozendaal 2004-07-21 18:04:29 CEST
Then it is a bug in the documentation. Is there any place where this "tainting" is documented? 

Anyway, we are planning to change the signal used to SIGUSR1.
Comment 4 Olafur Osvaldsson 2004-07-21 18:20:14 CEST
It is documented to some extent in issetugid(2) and P_SUGID is defined 
in /usr/include/sys/proc.h:

#define P_SUGID         0x00100 /* Had set id privileges since last exec. */

and in cr_cansignal (/usr/src/sys/kern/kern_prot.c) there is a small comment:

        /*
         * UNIX signal semantics depend on the status of the P_SUGID
         * bit on the target process.  If the bit is set, then additional
         * restrictions are placed on the set of available signals.
         */

Other than that I haven't seen it...and to be honest I had to dig around to 
find that.
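
The restriction described in comments 2 and 4, as an added example that is not part of the bug thread or of the FreeBSD source: a simplified C model of the P_SUGID signal check, using the allow-list quoted in comment 2. The struct and function names, uid 53 standing in for the bind user, and treating effective uid 0 as "privileged" are assumptions.

```c
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified model; all names here are hypothetical, not kernel identifiers. */
struct sender { uid_t euid; uid_t ruid; };
struct target { uid_t ruid; uid_t svuid; bool sugid; /* models P_SUGID */ };

/* Signals the thread lists as deliverable to a P_SUGID ("tainted") process. */
static bool sugid_safe_signal(int sig)
{
    switch (sig) {
    case SIGKILL: case SIGINT: case SIGTERM: case SIGALRM:
    case SIGSTOP: case SIGTTIN: case SIGTTOU: case SIGTSTP:
    case SIGHUP: case SIGUSR1: case SIGUSR2:
        return true;
    default:
        return false;
    }
}

/* Returns 0 if delivery is allowed, EPERM otherwise. */
int model_cansignal(const struct sender *s, const struct target *t, int sig)
{
    bool privileged = (s->euid == 0); /* assumption: superuser == euid 0 */
    /* Extra restriction, applied only when the target changed ids. */
    if (t->sugid && !sugid_safe_signal(sig) && !privileged)
        return EPERM;

    /* Ordinary kill(2) rule: the sender's real or effective uid must
     * match the target's real or saved uid. */
    if (s->ruid != t->ruid && s->ruid != t->svuid &&
        s->euid != t->ruid && s->euid != t->svuid && !privileged)
        return EPERM;
    return 0;
}

int main(void)
{
    /* Constructed uids: 53 stands in for the "bind" user. */
    struct sender parent = { 53, 53 }, root = { 0, 0 };
    struct target child = { 53, 53, true };
    printf("bind parent, SIGILL : %d\n", model_cansignal(&parent, &child, SIGILL));
    printf("root shell,  SIGILL : %d\n", model_cansignal(&root, &child, SIGILL));
    printf("bind parent, SIGUSR1: %d\n", model_cansignal(&parent, &child, SIGUSR1));
    return 0;
}
```

The three calls in main() mirror the report: the unprivileged parent is refused for SIGILL, root is not, and SIGUSR1 from the parent goes through.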
Comment 5 Erik Rozendaal 2004-07-21 18:39:16 CEST
Created attachment 18
Patch to change SIGILL to SIGUSR1
Comment 6 Erik Rozendaal 2004-07-21 18:41:18 CEST
The patch is against NSD 2.1.1 and should apply cleanly.
Comment 7 Olafur Osvaldsson 2004-07-21 18:55:17 CEST
Great, this fixes things for me and I'll change the FreeBSD port to include 
the patch.