[Resolvconf-devel] Bug#819498: /etc/resolvconf/update.d/resolvconf-update-bind called without CAP_CHOWN from n-m

[Marc Haber]

Package: resolvconf
Version: 1.78
Severity: normal

Hi,

on a system with network-manager and systemd as PID 1,
/etc/resolvconf/update.d/resolvconf-update-bind gets called without
CAP_CHOWN due to CapabilityBoundingSet in
/lib/systemd/system/network-managaer.service. This causes the script
to fail when it tries to chown root:bind named.options_new.$PID,
resulting in a non-updated named.options.

This can either be fixed by asking n-m to ad CAP_CHOWN to the
CapabilityBoundingSet of Network-Manager, to drop a supplement in
/etc/systemd/system/network-manager.service.d/resolconf-cap
(unfriendly), to ask bind to make /var/run/bind sgid bind, or to fix
the script to not chown the file in the first place.

I have fixed the issue locally by removing the chown file from the
script with no noticed negative effect, but I don't know which corner
cases might be here. So I'd like to ask the package maintainer to
choose whatever is appropriate.

Since using a locally installed bind on a system that has its network
managed with Network-Manager is a rather uncommon setup, I have filed
this bug as "normal" only, but would like to suggest this to be
addressed anyway.

Greetings
Marc


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-zgws1 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages resolvconf depends on:
ii  debconf [debconf-2.0]  1.5.59
ii  ifupdown               0.8.10
ii  init-system-helpers    1.29
ii  initscripts            2.88dsf-59.3
ii  lsb-base               9.20160110

resolvconf recommends no packages.

resolvconf suggests no packages.

-- debconf information excluded