3

I want to give the www-data user the ability to restart bind9 using this command

service bind9 restart

At the moment, they can execute it and it will stop bind9 but not restart it again complaining that permissions will not allow a chmod of the file "named".

Can you point me in the direction of what I need to do?

Update

Okay so I added the line to the sudoers as requested.

www-data      ALL=NOPASSWD: /etc/init.d/bind9

It still has some issue:

root@LAMPREY:~# su www-data
$ service bind9 restart
 * Stopping domain name service... bind9                                        rndc: error: none:0: open: /etc/bind/rndc.key: permission denied
rndc: could not load rndc configuration
                                                                         [ OK ]
 * Starting domain name service... bind9                                        chmod: changing permissions of `/var/run/named': Operation not permitted
$ exit

I also then tried running another command

/etc/init.d/bind9 restart
 * Stopping domain name service... bind9                                        rndc: error: none:0: open: /etc/bind/rndc.key: permission denied
rndc: could not load rndc configuration
                                                                         [ OK ]
 * Starting domain name service... bind9                                        chmod: changing permissions of `/var/run/named': Operation not permitted
$ exit

with the same result

Jason
  • you can give them sudo access to only run that command? – anthonysomerset Jun 20 '11 at 06:50
  • 2
    You need to run `sudo service bind9 restart`. – Bart De Vos Jun 20 '11 at 07:56
  • Why would the webserver need to **restart** bind? A simple **reload** should be sufficient. `bind` will re-verify the root zone after a restart, which can take several seconds, and requests are queued during that time. – Simon Richter Jun 20 '11 at 11:38
  • You. Do. Not. Need. Sudo. To. Restart. Bind. Check my answer, set up `/etc/rndc.conf` with proper access restrictions and never *EVER* mention " `www-data` " and " `sudo` access " in the same sentence again. – Shadur Jun 20 '11 at 14:58

5 Answers

7

To answer all three above: sudo is bloody overkill when rndc already has the capability you need, plus the option to reload nameservers other than the one on localhost.

The script rndc-confgen will generate an rndc.conf file for you that you can save to /etc/rndc.conf and make readable to www-data:

shadur@Romulus:~$ rndc-confgen 
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "zGHUrg0X5Id4rn27A0Nb9A==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#   algorithm hmac-md5;
#   secret "zGHUrg0X5Id4rn27A0Nb9A==";
# };
# 
# controls {
#   inet 127.0.0.1 port 953
#       allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

The commented-out part can then be added to /etc/bind/named.conf in order to tell the server that it should respond properly to that key (which is randomly generated when you run rndc-confgen).

After you've done the above and restarted bind once, the www-data user should be able to issue commands to bind via the rndc command.

rndc restart will restart the server completely; rndc reconfig will cause it to reload its named.conf file; rndc reload will check and reload all zones; rndc reload <zone> will check and reload just that zone.

There's other commands as well; you can get a list by simply typing rndc without any commands.

Don't use a chainsaw when a scalpel will do; don't use sudo when you don't even need to be root.

Shadur
6

Why would you not want to give the user access to sudo to run this specific command? This is exactly the situation that sudo is designed for.

Adding

www-data somehost= /sbin/service bind9 restart

will grant the user www-data permission to run service bind9 restart (and only that command) on somehost.

user9517
  • What file do I add this too? – Jason Jun 20 '11 at 06:58
  • 3
    you use `visudo` to edit the `sudoers` file – user9517 Jun 20 '11 at 07:00
  • Using `sudo` to administer bind is bloody overkill, and giving `sudo` access to the `www-data` user is a terrible idea. Setting up `rndc` is much safer, simpler *and* opens up a whole slew of additional possibilities. – Shadur Jun 20 '11 at 15:04
  • @Shadur: the command only allows www-data to restart bind nothing more. It does exactly what the OP requires and asked for. – user9517 Jun 20 '11 at 16:46
  • `sudo` is not immune to security flaws. Neither are most web-based applications. – Shadur Jun 20 '11 at 16:49
3

Why not give them sudo rights to just restart bind?

www-data      ALL=NOPASSWD: /etc/init.d/bind9

Then you can run it and it should work. Also, you could use rndc to reload bind if you set up your keys.

Mike
3

Completing @Mike's answer

Run visudo and the file /etc/sudoers will open in your default text editor. Do not open the file in any other way.

Then add the following line, preferably at the end:

www-data      ALL = NOPASSWD: /usr/sbin/service bind9 restart

Save and exit the editor. Now the user www-data can run the following in order to restart bind:

sudo /usr/sbin/service bind9 restart

forcefsck
  • For the love of $deity, don't use `sudo` to allow people to restart bind, the whole point of the `rndc` subsystem was to not require root permissions... – Shadur Jun 20 '11 at 14:57
  • This is a solution to the problem as asked. We do not have any details on why the OP needs this (any crazy reason). Providing an alternative like rndc would require some discussion with OP and a more elaborate answer, to which I personally didn't have enough time for. I just clarified a previously given answer. You are right though, I should at least mention `rndc`. I see that you provided your answer, which deserves a +1. – forcefsck Jun 21 '11 at 18:54
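If the sudo route is taken anyway, this added script (not from Mike's or forcefsck's answer) installs the grant as a drop-in under /etc/sudoers.d and checks it with visudo before it goes live; the grant is pinned to the exact command and arguments, so www-data gets "restart" and nothing else the init script accepts. The file name www-data-bind9 is an assumption.

```shell
#!/bin/sh
# Added example: install a narrowly scoped sudo grant for www-data.

# Emit one sudoers line: user $1 may run "$3 $2 restart" as root without a password.
# Pinning the arguments is what keeps "stop", "start" or other arguments out of the grant.
sudoers_fragment() {
    printf '%s ALL = NOPASSWD: %s %s restart\n' "$1" "$3" "$2"
}

# Write the fragment to a temp file, let visudo parse it, and only then install it.
# A syntax error in /etc/sudoers.d can lock everyone out of sudo, hence the check.
install_sudo_grant() {
    tmp=$(mktemp) || return 1
    sudoers_fragment www-data bind9 /usr/sbin/service > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! visudo -c -f "$tmp"; then          # -c: check only, -f: this file, not /etc/sudoers
        rm -f "$tmp"; return 1
    fi
    install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/www-data-bind9 || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    sudo -l -U www-data                     # show exactly what www-data may now run
}
```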
0

rndc reload should work fine from within a PHP system() call without modification of specific permissions. I agree that restarting bind is unnecessary, since if you allow the user to do that, you'd probably end up spending more time restarting the service than it is actually up and online to serve requests.

AcidRaZor