From nobody@FreeBSD.org  Tue Sep  5 18:00:39 2006
Message-Id: <200609051800.k85I0FcW010712@www.freebsd.org>
Date: Tue, 5 Sep 2006 18:00:15 GMT
From: Laurent LEVIER <llevier@argosnet.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: /etc/rc.d/named killall in jailed OS
X-Send-Pr-Version: www-2.3

>Number:         102913
>Category:       conf
>Synopsis:       [jail] [patch] /etc/rc.d/named killall in jailed OS
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    dougb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 05 18:10:15 GMT 2006
>Closed-Date:    Thu Jan 17 01:43:52 UTC 2008
>Last-Modified:  Thu Jan 17 01:43:52 UTC 2008
>Originator:     Laurent LEVIER
>Release:        6.1p3
>Organization:
>Environment:
useless
>Description:
The /etc/rc.d/named script tries to kill named with rndc.
Upon failure, it kills named with the 'killall' procedure.

Unfortunately, when the OS runs jails, this killall also kills all the jails' named.

Should be corrected to avoid this ;-)


>How-To-Repeat:
Build a jail
Setup DNS into jails
/etc/rc.d/named stop

>Fix:
Instead of killall, take the named args from /etc/rc.conf to build the
named process line, use ps to detect this line, and then send either
-15 or -9.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Sep 5 19:25:12 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=102913 

From: Cheng-Lung Sung <clsung@FreeBSD.org>
To: bug-followup@FreeBSD.org, llevier@argosnet.com
Cc: freebsd-rc@FreeBSD.org, freebsd-current@freebsd.org
Subject: Re: conf/102913: /etc/rc.d/named killall in jailed OS
Date: Fri, 13 Oct 2006 11:34:08 +0800

 try this patch?
 
 Index: etc/rc.d/named
 ===================================================================
 RCS file: /home/ncvs/src/etc/rc.d/named,v
 retrieving revision 1.26
 diff -u -r1.26 named
 --- etc/rc.d/named	20 Apr 2006 12:30:12 -0000	1.26
 +++ etc/rc.d/named	13 Oct 2006 03:30:41 -0000
 @@ -91,9 +91,28 @@
  	if rndc stop 2>/dev/null; then
  		echo .
  	else
 -		echo -n ": rndc failed, trying killall: "
 -		if killall named; then
 -			echo .
 +		echo -n ": rndc failed, trying "
 +		# If we are not inside a jail, killall will kill named in jail
 +		# If we are inside a jail, killall is safe
 +		# 
 +		if [ `$SYSCTL_N security.jail.jailed` -eq 1 ]; then
 +			echo -n "killall: "
 +			if killall named; then
 +				echo .
 +			fi
 +		else
 +			# If we're not in a jail, try to kill named from pidfile
 +			# Otherwise see if we can get from ps
 +			echo -n "kill pid: "
 +			if [ -f ${pidfile} ]; then
 +				kill -TERM `cat ${pidfile}`
 +				echo .
 +			else
 +				for i in `ps -axo command,pid,jid | awk '/^[^ ]+named/{if ($NF == 0) {print $(NF-1)}}'`; do
 +					kill -TERM ${i}
 +					echo .
 +				done
 +			fi
  		fi
  	fi
  }
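 
 Review bot: in the non-jailed branch the pidfile path reports success whether or not anything was killed, and never falls back to the ps scan when the pid is stale: `if [ -f ${pidfile} ]` only checks that the file exists, and `echo .` follows `kill -TERM \`cat ${pidfile}\`` unconditionally, so a leftover pidfile from a crashed named either prints a success dot while no named was stopped or signals whatever process has since reused that pid. Test the kill itself and drop through to the scan on failure, e.g. `if [ -f ${pidfile} ] && kill -TERM \`cat ${pidfile}\` 2>/dev/null; then echo .; else <ps scan>; fi`, and the kill would be safer still if the pid were first checked to be a jid-0 named with the same `ps -o jid` lookup the else branch already uses. Also, `/^[^ ]+named/` matches any first word that ends in "named" (a `/path/unnamed` binary would qualify), so matching the executable's basename exactly would be tighter.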
 
 -- 
 Cheng-Lung Sung - clsung@

From: Laurent LEVIER <llevier@argosnet.com>
To: Cheng-Lung Sung <clsung@FreeBSD.org>,bug-followup@FreeBSD.org
Cc: freebsd-rc@FreeBSD.org,freebsd-current@freebsd.org
Subject: Re: conf/102913: /etc/rc.d/named killall in jailed OS
Date: Fri, 13 Oct 2006 08:59:44 +0200

 Hi Cheng-Lung Sung
 
 At 05:34 13/10/2006, Cheng-Lung Sung wrote:
 >try this patch?
 thanks,
 
 I already patched my script.
 Now it kills the pid, then if it fails, gets all named out of jail (J 
 flag) and kills these.
 
 The bug report was just so you are aware of this and can take 
 corrective action for next release ;-)
 
 And between you & me, this bug is nothing compared to the other one 
 I submitted months ago about an IDE driver bug.
 
 Thanks!!
 
 Brgrds
 
 >Index: etc/rc.d/named
 >===================================================================
 >RCS file: /home/ncvs/src/etc/rc.d/named,v
 >retrieving revision 1.26
 >diff -u -r1.26 named
 >--- etc/rc.d/named      20 Apr 2006 12:30:12 -0000      1.26
 >+++ etc/rc.d/named      13 Oct 2006 03:30:41 -0000
 >@@ -91,9 +91,28 @@
 >         if rndc stop 2>/dev/null; then
 >                 echo .
 >         else
 >-               echo -n ": rndc failed, trying killall: "
 >-               if killall named; then
 >-                       echo .
 >+               echo -n ": rndc failed, trying "
 >+               # If we are not inside a jail, killall will kill named in jail
 >+               # If we are inside a jail, killall is safe
 >+               #
 >+               if [ `$SYSCTL_N security.jail.jailed` -eq 1 ]; then
 >+                       echo -n "killall: "
 >+                       if killall named; then
 >+                               echo .
 >+                       fi
 >+               else
 >+                       # If we're not in a jail, try to kill named 
 >from pidfile
 >+                       # Otherwise see if we can get from ps
 >+                       echo -n "kill pid: "
 >+                       if [ -f ${pidfile} ]; then
 >+                               kill -TERM `cat ${pidfile}`
 >+                               echo .
 >+                       else
 >+                               for i in `ps -axo command,pid,jid | 
 >awk '/^[^ ]+named/{if ($NF == 0) {print $(NF-1)}}'`; do
 >+                                       kill -TERM ${i}
 >+                                       echo .
 >+                               done
 >+                       fi
 >                 fi
 >         fi
 >  }
 >
 >--
 >Cheng-Lung Sung - clsung@
 
 Laurent LEVIER
 Systems & Networks Security Expert, CISSP CISM
 

From: Yar Tikhiy <yar@comp.chem.msu.su>
To: Cheng-Lung Sung <clsung@freebsd.org>
Cc: bug-followup@freebsd.org, llevier@argosnet.com
Subject: Re: conf/102913: /etc/rc.d/named killall in jailed OS
Date: Sat, 14 Oct 2006 23:57:29 +0400

 On Fri, Oct 13, 2006 at 11:34:08AM +0800, Cheng-Lung Sung wrote:
 > try this patch?
 > 
 > Index: etc/rc.d/named
 > ===================================================================
 > RCS file: /home/ncvs/src/etc/rc.d/named,v
 > retrieving revision 1.26
 > diff -u -r1.26 named
 > --- etc/rc.d/named	20 Apr 2006 12:30:12 -0000	1.26
 > +++ etc/rc.d/named	13 Oct 2006 03:30:41 -0000
 > @@ -91,9 +91,28 @@
 >  	if rndc stop 2>/dev/null; then
 >  		echo .
 >  	else
 > -		echo -n ": rndc failed, trying killall: "
 > -		if killall named; then
 
 Is it possible to use pkill(1) instead of killall(1)?  The former
 was moved to /bin specifically for the benefit of rc.d scripts.
 
 > -			echo .
 > +		echo -n ": rndc failed, trying "
 > +		# If we are not inside a jail, killall will kill named in jail
 > +		# If we are inside a jail, killall is safe
 > +		# 
 > +		if [ `$SYSCTL_N security.jail.jailed` -eq 1 ]; then
 > +			echo -n "killall: "
 > +			if killall named; then
 
 Ditto here.
 
 > +				echo .
 > +			fi
 > +		else
 > +			# If we're not in a jail, try to kill named from pidfile
 > +			# Otherwise see if we can get from ps
 > +			echo -n "kill pid: "
 > +			if [ -f ${pidfile} ]; then
 > +				kill -TERM `cat ${pidfile}`
 > +				echo .
 > +			else
 > +				for i in `ps -axo command,pid,jid | awk '/^[^ ]+named/{if ($NF == 0) {print $(NF-1)}}'`; do
 
 Hmm, pkill(1) can match a process by its jid, but 0 means any
 non-zero jid to it.  Looks like a deficiency in the otherwise
 convenient tool.
 
 > +					kill -TERM ${i}
 > +					echo .
 > +				done
 > +			fi
 >  		fi
 >  	fi
 >  }
 
 -- 
 Yar
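
The host-only selection that the patch does with ps and awk, as an added example that is not code from this PR or from FreeBSD's rc.d/named: it reads a constructed `ps -axo command,pid,jid` listing embedded inline instead of calling ps, tightens the match to the executable's basename, and adds the pid check a pidfile-based stop needs before it signals anything. It assumes the column order used in the patch (command first, pid and jid last).

```shell
# Added example (not code from this PR or from FreeBSD's rc.d/named): pick out
# the host-side named processes from a `ps -axo command,pid,jid` listing, the
# selection the patch does with awk, but matching on the executable's basename.
# Assumes the patch's column order: command (may contain spaces), then pid, then
# jid, so pid and jid are read from the end of each line.

# Constructed sample listing, not real ps output: named inside jails 1 and 2,
# one named on the host (jid 0), an unrelated host binary whose name merely
# ends in "named", and the grep that shows up in a real listing.
SAMPLE_PS='COMMAND                                  PID JID
/usr/sbin/named -t /var/named -u bind   1179   2
/usr/sbin/named -t /var/named -u bind   1197   1
/usr/sbin/named -t /var/named -u bind   1690   0
/usr/local/sbin/unnamed -d              1702   0
grep named                              1694   0'

# host_named_pids: read a listing on stdin, print one pid per line for every
# process whose executable basename is exactly "named" and whose jid is 0.
host_named_pids() {
    awk '
        NR == 1 { next }                        # skip the column header
        $NF == 0 {                              # jid is the last column
            cmd = $1                            # first word: executable path
            sub(/.*\//, "", cmd)                # keep only the basename
            if (cmd == "named") print $(NF-1)   # pid sits just before jid
        }'
}

# patch_named_pids: the patch's own awk selection, kept here for comparison;
# /^[^ ]+named/ also accepts any first word that ends in "named".
patch_named_pids() {
    awk '/^[^ ]+named/{if ($NF == 0) {print $(NF-1)}}'
}

# Results joined on one line (unquoted substitution splits on newlines).
host_named_list()  { echo $(printf '%s\n' "$SAMPLE_PS" | host_named_pids); }
patch_named_list() { echo $(printf '%s\n' "$SAMPLE_PS" | patch_named_pids); }

# pidfile_pid_is_host_named PID: succeed only if PID is a host named process in
# the listing, so a stale pidfile cannot make the script signal a jailed named
# or an unrelated process that has since reused the pid.
pidfile_pid_is_host_named() {
    printf '%s\n' "$SAMPLE_PS" | host_named_pids | grep -qx "$1"
}

# On a real host the listing comes from `ps -axo command,pid,jid`, and each pid
# printed by host_named_pids is what `kill -TERM` would receive.
host_named_list        # prints: 1690
patch_named_list       # prints: 1690 1702
```

On a system whose pkill has the `-j none` option from this thread, the whole scan collapses into `pkill -j none named`; the pidfile check above is still worth keeping in front of any pidfile-based kill.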

From: Yar Tikhiy <yar@comp.chem.msu.su>
To: Laurent LEVIER <llevier@argosnet.com>
Cc: bug-followup@freebsd.org, freebsd-rc@freebsd.org
Subject: Re: conf/102913: /etc/rc.d/named killall in jailed OS
Date: Thu, 23 Nov 2006 15:11:01 +0300

 On Fri, Oct 13, 2006 at 08:59:44AM +0200, Laurent LEVIER wrote:
 > 
 > I already patched my script.
 > Now it kills pid, then if it fails, gets all named out of jail (J 
 > flag) and kill these.
 
 FWIW, I've just added a new little feature to pkill(1): now it can
 selectively kill processes out of jail.  Perhaps it can be useful
 here.  If you need to kill all nameds that are not in jail, just
 use the following command:
 
 	pkill -j none named
 
 BTW, for the opposite effect, now the following command should be
 used:
 
 	pkill -j any named
 
 -- 
 Yar

From: Laurent LEVIER <llevier@argosnet.com>
To: Yar Tikhiy <yar@comp.chem.msu.su>
Cc: bug-followup@freebsd.org,freebsd-rc@freebsd.org
Subject: Re: conf/102913: /etc/rc.d/named killall in jailed OS
Date: Thu, 23 Nov 2006 20:42:40 +0100

 At 13:11 23/11/2006, Yar Tikhiy wrote:
 >On Fri, Oct 13, 2006 at 08:59:44AM +0200, Laurent LEVIER wrote:
 > >
 > > I already patched my script.
 > > Now it kills pid, then if it fails, gets all named out of jail (J
 > > flag) and kill these.
 >
 >FWIW, I've just added a new little feature to pkill(1): now it can
 >selectively kill processes out of jail.  Perhaps it can be useful
 >here.  If you need to kill all nameds that are not in jail, just
 >use the following command:
 >
 >         pkill -j none named
 >
 >BTW, for the opposite effect, now the following command should be
 >used:
 >
 >         pkill -j any named
 Great. This way the patch will be included in the next release, 
 solving the issue for all.
 
 Thanks for this great work!
 
 Brgrds
 
 Laurent LEVIER
 Systems & Networks Security Expert, CISSP CISM
 

From: Florian Smeets <flo@kasimir.com>
To: bug-followup@FreeBSD.org, llevier@argosnet.com
Cc:  
Subject: Re: conf/102913: [jail] [patch] /etc/rc.d/named killall in jailed OS
Date: Thu, 17 Jan 2008 00:04:18 +0100

 This one can also be closed, as with Rev 1.27 of /etc/rc.d/named the 
 named script reads the PID from the pidfile and only kills that process. 
 All named processes in the jails survive:
 
 host# ps ax -o pid,jid,args | grep named
   1179      2 /usr/sbin/named -t /var/named -u bind
   1197      1 /usr/sbin/named -t /var/named -u bind
   1690      0 /usr/sbin/named -t /var/named -u bind
   1694      0 grep named
 host# /etc/rc.d/named stop
 Stopping named.
 rndc failed, trying kill:
 host# ps ax -o pid,jid,args | grep named
   1179      2 /usr/sbin/named -t /var/named -u bind
   1197      1 /usr/sbin/named -t /var/named -u bind
   1709      0 grep named
 
 Cheers,
 Florian
Responsible-Changed-From-To: freebsd-rc->dougb 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Thu Jan 17 01:42:21 UTC 2008 
Responsible-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=102913 
State-Changed-From-To: open->closed 
State-Changed-By: dougb 
State-Changed-When: Thu Jan 17 01:42:53 UTC 2008 
State-Changed-Why:  

I fixed this in version 1.27 of rc.d/named 

http://www.freebsd.org/cgi/query-pr.cgi?pr=102913 
>Unformatted:
