[master] check new-zones-directory

4789.	[cleanup]	Check writability of new-zones-directory. [RT #46308]

diff --git a/CHANGES b/CHANGES
index adb94d33680c8207a583a5ecd2a112c6b4ba3b7c..1d76a5b9b2f834bb41eec4bf72b9fea65889de0c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+4789.  [cleanup]       Check writability of new-zones-directory. [RT #46308]
+
 4788.  [cleanup]       When using "update-policy local", log a warning
                        when an update matching the session key is received
                        from a remote host. [RT #46213]

diff --git a/bin/named/server.c b/bin/named/server.c
index 70ffcfa1b0cca1a78fc6b74d8f7d6adb078bb0c6..48e48ee35bf5ceb7b7a729899a183b92b0940c2d 100644 (file)
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -7051,6 +7051,13 @@ setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
                                      dir, isc_result_totext(result));
                        return (result);
                }
+               if (access(dir, DIR_PERM_OK) != 0) {
+                       isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+                                     NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+                                     "new-zones-directory '%s' "
+                                     "is not writable", dir);
+                       return (ISC_R_NOPERM);
+               }
 
                dns_view_setnewzonedir(view, dir);
        }

diff --git a/bin/tests/system/runtime/ns2/named-alt6.conf b/bin/tests/system/runtime/ns2/named-alt6.conf
new file mode 100644 (file)
index 0000000..1780599
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt6.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+options {
+       new-zones-directory "./nope";
+       port 5300;
+       pid-file "../named.pid";
+       listen-on { 127.0.0.1; };
+       listen-on-v6 { none; };
+       recursion no;
+};

diff --git a/bin/tests/system/runtime/tests.sh b/bin/tests/system/runtime/tests.sh
index 1d26590ad9b13ad6800b2fb0135c5443a04150d3..7588cab92cccd10d5013e1c939e71557cfa460d2 100644 (file)
--- a/bin/tests/system/runtime/tests.sh
+++ b/bin/tests/system/runtime/tests.sh
@@ -73,6 +73,17 @@ grep "managed-keys-directory './nope' is not writable" ns2/named.run > /dev/null
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I: checking that named refuses to reconfigure if new-zones-directory is not writable ($n)"
+ret=0
+cp -f ns2/named-alt6.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
+grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
+sleep 1
+grep "new-zones-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo "I: checking that named refuses to start if working directory is not writable ($n)"
 ret=0

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 60e103077dacb47ac5c6079f6ee89786dc724636..cb6fb5ac8614d4e0cc4dff08f8d0aa12b9919205 100644 (file)
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -4988,7 +4988,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                Specifies the directory in which to store the configuration
                parameters for zones added via <command>rndc addzone</command>.
                By default, this is the working directory. If set to a relative
-               path, it will be relative to the working directory.
+               path, it will be relative to the working directory. The
+               directory <emphasis>must</emphasis> be writable by the
+               effective user ID of the <command>named</command> process.
              </para>
            </listitem>
          </varlistentry>