Bug 1165746 - dnssec-trigger rewrites the target of /etc/resolv.conf symlink
Summary: dnssec-trigger rewrites the target of /etc/resolv.conf symlink
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: dnssec-trigger
Version: 21
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Pavel Šimerda (pavlix)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: dnssec
 
Reported: 2014-11-19 15:26 UTC by Pavel Šimerda (pavlix)
Modified: 2015-04-08 13:08 UTC (History)

Fixed In Version: dnssec-trigger-0.12-16.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-08 13:08:49 UTC
Type: Bug
Embargoed:



Description Pavel Šimerda (pavlix) 2014-11-19 15:26:55 UTC
When dnssec-trigger daemon starts, it writes /etc/resolv.conf and sets the immutable bit on it. This is done to ensure that all applications talk to the local unbound instance whether or not another tool attempts to write its own version of /etc/resolv.conf. But its behavior when /etc/resolv.conf is not a symlink (1) doesn't achieve that and (2) results in rewriting files belonging to other tools.


Expected result:

When /etc/resolv.conf is a symlink, dnssec-trigger daemon should remove it and create a brand new /etc/resolv.conf file.


Actual result:

When /etc/resolv.conf is a symlink (e.g. to /run/NetworkManager/resolv.conf when using an experimental patch), dnssec-trigger daemon opens /etc/resolv.conf for writing and thus rewrites a file that belongs to another tool like NetworkManager or systemd-resolved.


Additional information:

Other tools write a temporary file like /etc/resolv.conf.tmp and then move it over to /etc/resolv.conf, replacing the original file whether it's a symlink or not.


Information from strace:

open("/etc/resolv.conf", O_RDONLY)      = 5
chattr: Operation not supported while reading flags on /etc/resolv.conf
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3493, si_status=1, si_utime=0, si_stime=0} ---
chmod("/etc/resolv.conf", 0644)         = 0
open("/etc/resolv.conf", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
chmod("/etc/resolv.conf", 0444)         = 0
chattr: Operation not supported while reading flags on /etc/resolv.conf
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3495, si_status=1, si_utime=0, si_stime=0} ---


Solution:

The daemon could simply do what other tools do and instead of opening "/etc/resolv.conf" for writing, it could simply replace /etc/resolv.conf with a temporary file. Note that enforcing the contents of /etc/resolv.conf is an intended behavior of the dnssec-trigger daemon as designed upstream.
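The two write strategies the report contrasts, as an added example that is not part of the bug report or of dnssec-trigger's code: `write_follow_symlink` reproduces the open()+O_TRUNC pattern visible in the strace, `write_replace_entry` does the temporary-file-plus-rename() that the report proposes, and `check_writer` is a small harness (the example's own, with constructed resolv.conf contents) that builds a symlink in a fresh temp directory and reports whether the symlink's target survived. It assumes Linux with glibc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the strace above shows: open() with O_WRONLY|O_CREAT|O_TRUNC
 * follows a symlink, so the truncate and the write hit whatever file
 * /etc/resolv.conf points at (e.g. NetworkManager's copy under /run). */
int write_follow_symlink(const char *path, const char *contents)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    size_t len = strlen(contents);
    ssize_t n = write(fd, contents, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* The fix the report proposes: write a temporary file in the same directory
 * and rename() it over `path`. rename() swaps the directory entry, so a
 * symlink at `path` is unlinked rather than followed and its target is left
 * alone. The 0444 mode mirrors the chmod seen in the strace. */
int write_replace_entry(const char *path, const char *contents)
{
    char tmp[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s.tmp.XXXXXX", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(tmp);          /* created 0600, never a symlink */
    if (fd < 0)
        return -1;
    size_t len = strlen(contents);
    int ok = write(fd, contents, len) == (ssize_t)len
          && fsync(fd) == 0
          && fchmod(fd, 0444) == 0;
    if (close(fd) != 0)
        ok = 0;
    if (!ok || rename(tmp, path) != 0) {
        int saved = errno;
        unlink(tmp);                /* do not leave the temp file behind */
        errno = saved;
        return -1;
    }
    return 0;
}

/* Run one writer against a constructed layout in a fresh temp directory:
 *   <dir>/target       regular file "owned" by another tool
 *   <dir>/resolv.conf  symlink -> target
 * Returns 1 if `target` kept its contents and `resolv.conf` became a regular
 * file, 0 if the writer wrote through the symlink, -1 on a setup error. */
int check_writer(int (*writer)(const char *, const char *))
{
    char dir[] = "/tmp/resolvtest.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char target[PATH_MAX], link[PATH_MAX];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/resolv.conf", dir);

    const char *other_tool = "nameserver 10.0.0.1\n";   /* constructed sample */
    const char *ours       = "nameserver 127.0.0.1\n";  /* constructed sample */

    FILE *f = fopen(target, "w");
    if (f == NULL || fputs(other_tool, f) < 0 || fclose(f) != 0)
        return -1;
    if (symlink("target", link) != 0 || writer(link, ours) != 0)
        return -1;

    struct stat st;
    char buf[64];
    if (lstat(link, &st) != 0 || (f = fopen(target, "r")) == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);

    int preserved = S_ISREG(st.st_mode) && strcmp(buf, other_tool) == 0;
    unlink(link);
    unlink(target);
    rmdir(dir);
    return preserved;
}

int main(void)
{
    printf("open()+O_TRUNC: target preserved=%d\n", check_writer(write_follow_symlink));
    printf("tmp+rename():   target preserved=%d\n", check_writer(write_replace_entry));
    return 0;
}
```

Two practical caveats for a daemon adopting the rename approach: the temporary file must live on the same filesystem as the target (putting it next to /etc/resolv.conf guarantees that, whereas the symlink's target under /run is on another mount), and rename() over a file carrying the immutable attribute fails with EPERM, so a daemon that sets that bit, as the strace shows dnssec-trigger doing, has to clear it before replacing the entry. Opening with O_NOFOLLOW would only make the buggy open() fail on a symlink; it would not replace the symlink with a regular file, which is what the expected result above asks for.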

Comment 1 Pavel Šimerda (pavlix) 2015-01-20 10:13:41 UTC
Fixed in rawhide, moving to F21.

Comment 2 Fedora Update System 2015-01-26 20:47:42 UTC
dnssec-trigger-0.12-18.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/dnssec-trigger-0.12-18.fc21

Comment 3 Fedora Update System 2015-01-28 19:56:17 UTC
Package dnssec-trigger-0.12-18.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing dnssec-trigger-0.12-18.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1279/dnssec-trigger-0.12-18.fc21
then log in and leave karma (feedback).

Comment 4 Tomáš Hozza 2015-04-08 13:08:49 UTC
This issue should be fixed in the current dnssec-trigger package. Please test and reopen if the package does not fix the issue for you.

