[Resolvconf-devel] Bug#819498: /etc/resolvconf/update.d/resolvconf-update-bind called without CAP_CHOWN from n-m
Marc Haber
mh+debian-packages at zugschlus.de
Tue Mar 29 17:09:58 UTC 2016
Package: resolvconf
Version: 1.78
Severity: normal
Hi,

on a system with network-manager and systemd as PID 1,
/etc/resolvconf/update.d/resolvconf-update-bind gets called without
CAP_CHOWN due to CapabilityBoundingSet in
/lib/systemd/system/network-manager.service. This causes the script
to fail when it tries to chown root:bind named.options_new.$PID,
resulting in a non-updated named.options.

This can either be fixed by asking n-m to add CAP_CHOWN to the
CapabilityBoundingSet of Network-Manager, to drop a supplement in
/etc/systemd/system/network-manager.service.d/resolconf-cap
(unfriendly), to ask bind to make /var/run/bind sgid bind, or to fix
the script to not chown the file in the first place.

I have fixed the issue locally by removing the chown file from the
script with no noticed negative effect, but I don't know which corner
cases might be here. So I'd like to ask the package maintainer to
choose whatever is appropriate.

Since using a locally installed bind on a system that has its network
managed with Network-Manager is a rather uncommon setup, I have filed
this bug as "normal" only, but would like to suggest this to be
addressed anyway.

Greetings
Marc
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-zgws1 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages resolvconf depends on:
ii debconf [debconf-2.0] 1.5.59
ii ifupdown 0.8.10
ii init-system-helpers 1.29
ii initscripts 2.88dsf-59.3
ii lsb-base 9.20160110
resolvconf recommends no packages.
resolvconf suggests no packages.
-- debconf information excluded
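
Added example, not part of the original report or of the resolvconf package: a POSIX shell check that a hook script could run to see whether CAP_CHOWN survives in the capability bounding set it inherited, by decoding the CapBnd line of /proc/PID/status. The function names are hypothetical and the masks mentioned in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: detect whether chown can work under the inherited
# capability bounding set (e.g. one narrowed by CapabilityBoundingSet=
# in the unit that started the caller).

CAP_CHOWN_BIT=0   # CAP_CHOWN is capability number 0 in <linux/capability.h>

# cap_in_mask HEXMASK BIT
# Exit 0 if BIT is set in HEXMASK, 1 if it is clear, 2 if HEXMASK is not hex.
# Constructed sample masks: 0000003fffffffff (nothing dropped),
# 0000000000003000 (only bits 12 and 13, CAP_NET_ADMIN and CAP_NET_RAW).
cap_in_mask() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capbnd_from_status
# Read the text of a /proc/PID/status file on stdin, print the CapBnd mask.
capbnd_from_status() {
    sed -n 's/^CapBnd:[[:space:]]*\([0-9a-fA-F]*\)$/\1/p'
}

# can_chown [PID]
# Exit 0 if CAP_CHOWN is in the bounding set of PID (default: the caller).
# The bounding set is inherited across fork and exec, so a hook started
# from a restricted service sees the same mask as the service itself.
can_chown() {
    mask=$(capbnd_from_status < "/proc/${1:-self}/status") || return 2
    cap_in_mask "$mask" "$CAP_CHOWN_BIT"
}

# Hypothetical use inside a hook script:
#   if can_chown; then chown root:bind "$file"; fi
```

A capability missing from the bounding set cannot be regained by the process or its children, so running the hook as root does not help; the check only tells the script in advance that chown will fail with EPERM.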