Use dir user for bind

bukka · bukka · commit 7b35d379c0f1 · 2025-07-18T17:40:23.000+02:00
diff --git a/ext/standard/tests/dns/bind-start.sh b/ext/standard/tests/dns/bind-start.sh
@@ -100,6 +100,25 @@ else
     exit 1
 fi
 
+# Determine the best user to run BIND as (do this early)
+echo "Debug: Determining user for BIND..."
+
+# Get the owner of the script directory
+SCRIPT_OWNER=$(stat -c '%U' "$SCRIPT_DIR")
+SCRIPT_GROUP=$(stat -c '%G' "$SCRIPT_DIR")
+
+echo "Debug: Script directory owned by: $SCRIPT_OWNER:$SCRIPT_GROUP"
+echo "Debug: Current user: $(whoami)"
+
+# Use the script owner if it's not root, otherwise use current user
+if [[ "$SCRIPT_OWNER" != "root" ]] && id "$SCRIPT_OWNER" >/dev/null 2>&1; then
+  BIND_USER="$SCRIPT_OWNER"
+  echo "Debug: Will run BIND as script owner: $BIND_USER"
+else
+  BIND_USER="$(whoami)"
+  echo "Debug: Will run BIND as current user: $BIND_USER"
+fi
+
 # Enhanced AppArmor handling
 if [[ -f /etc/apparmor.d/usr.sbin.named ]]; then
   echo "Debug: AppArmor profile detected, attempting comprehensive bypass..."
@@ -159,11 +178,11 @@ echo "Starting BIND from $SCRIPT_DIR"
 
 if $FOREGROUND; then
   echo "(running in foreground)"
-  echo "Debug: About to exec: named -c $NAMED_CONF -p 53 -u $(whoami) -g -d 1"
-  exec named -c "$NAMED_CONF" -p 53 -u "$(whoami)" -g -d 1
+  echo "Debug: About to exec: named -c $NAMED_CONF -p 53 -u $BIND_USER -g -d 1"
+  exec named -c "$NAMED_CONF" -p 53 -u "$BIND_USER" -g -d 1
 else
   echo "(running in background)"
-  echo "Debug: About to run: named -c $NAMED_CONF -p 53 -u $(whoami)"
+  echo "Debug: About to run: named -c $NAMED_CONF -p 53 -u $BIND_USER"
   
   # Test configuration first
   echo "Debug: Testing BIND configuration..."
@@ -186,49 +205,40 @@ else
     exit 1
   fi
 
-  # Set up permissions for bind user
-  echo "Debug: Setting up permissions for bind user..."
-  if id bind >/dev/null 2>&1; then
-    # The bind user needs execute permissions on all parent directories
-    echo "Debug: Setting directory permissions for bind user access..."
-    
-    # Make sure bind can traverse the entire path
-    ls -la /
-    ls -la /home
-    ls -la /home/runner
-    ls -la /home/runner/work
-    ls -la /home/runner/work/php-src
-    ls -la /home/runner/work/php-src/php-src
-
-    chmod o+x /home 2>/dev/null || echo "Failed to chmod /home"
-    chmod o+x /home/runner 2>/dev/null || echo "Failed to chmod /home/runner" 
-    chmod o+x /home/runner/work 2>/dev/null || echo "Failed to chmod /home/runner/work"
-    chmod o+x /home/runner/work/php-src 2>/dev/null || echo "Failed to chmod /home/runner/work/php-src"
-    chmod o+x /home/runner/work/php-src/php-src 2>/dev/null || echo "Failed to chmod /home/runner/work/php-src/php-src"
-    chmod o+x "$SCRIPT_DIR" 2>/dev/null || echo "Failed to chmod $SCRIPT_DIR"
-    chmod o+x "$ZONES_DIR" 2>/dev/null || echo "Failed to chmod $ZONES_DIR"
-    
-    # Set file ownership and permissions
-    chown bind:bind "$NAMED_CONF" "$ZONES_DIR"/*.zone 2>/dev/null || echo "Failed to chown to bind user"
+  # Set up permissions for the chosen user
+  echo "Debug: Setting up permissions for user: $BIND_USER..."
+  
+  # Ensure files are readable by the chosen user
+  if [[ "$BIND_USER" != "$(whoami)" ]]; then
+    # If we're running as a different user, ensure group/other permissions
     chmod 644 "$NAMED_CONF" "$ZONES_DIR"/*.zone
-    
-    echo "Debug: File permissions after setup:"
-    ls -la "$NAMED_CONF" "$ZONES_DIR"/*.zone
-    
-    echo "Debug: Directory permissions check:"
-    ls -ld "$SCRIPT_DIR" "$ZONES_DIR"
-    
-    # Test if bind user can actually read the config file
-    echo "Debug: Testing bind user access to config file:"
-    if sudo -u bind test -r "$NAMED_CONF"; then
-      echo "Debug: bind user CAN read config file"
+    chmod 755 "$SCRIPT_DIR" "$ZONES_DIR"
+  fi
+  
+  echo "Debug: File permissions after setup:"
+  ls -la "$NAMED_CONF" "$ZONES_DIR"/*.zone
+  
+  echo "Debug: Directory permissions:"
+  ls -ld "$SCRIPT_DIR" "$ZONES_DIR"
+  
+  # Test if the chosen user can actually read the config file
+  echo "Debug: Testing $BIND_USER access to config file:"
+  if [[ "$BIND_USER" == "$(whoami)" ]]; then
+    # Same user, test directly
+    if test -r "$NAMED_CONF"; then
+      echo "Debug: $BIND_USER CAN read config file"
     else
-      echo "Debug: bind user CANNOT read config file - this is the problem!"
-      echo "Debug: Let's check what bind user sees:"
-      sudo -u bind ls -la "$NAMED_CONF" 2>&1 || echo "bind user cannot even stat the file"
+      echo "Debug: $BIND_USER CANNOT read config file"
     fi
   else
-    echo "Debug: bind user does not exist, keeping current permissions"
+    # Different user, test with sudo
+    if sudo -u "$BIND_USER" test -r "$NAMED_CONF" 2>/dev/null; then
+      echo "Debug: $BIND_USER CAN read config file"
+    else
+      echo "Debug: $BIND_USER CANNOT read config file"
+      echo "Debug: Checking what $BIND_USER sees:"
+      sudo -u "$BIND_USER" ls -la "$NAMED_CONF" 2>&1 || echo "$BIND_USER cannot stat the file"
+    fi
   fi
 
   # Check IPv4/IPv6 configuration with fallbacks
@@ -271,16 +281,12 @@ else
   echo "Debug: Starting AppArmor denial monitoring..."
   (timeout 15 tail -f /var/log/syslog 2>/dev/null | grep "apparmor.*DENIED" | head -10 &) || echo "Could not start syslog monitoring"
 
-  # Try different user approaches
-  NAMED_USER="$(whoami)"
-  if id bind >/dev/null 2>&1; then
-    echo "Debug: Trying with bind user instead of root..."
-    NAMED_USER="bind"
-  fi
+  # Use the determined user
+  echo "Debug: Using determined user: $BIND_USER"
 
   # Run named and capture both stdout and stderr separately
-  echo "Debug: Starting named as user: $NAMED_USER..."
-  if named -c "$NAMED_CONF" -p 53 -u "$NAMED_USER" > "$LOG_FILE" 2>&1; then
+  echo "Debug: Starting named as user: $BIND_USER..."
+  if named -c "$NAMED_CONF" -p 53 -u "$BIND_USER" > "$LOG_FILE" 2>&1; then
     echo "Debug: named command succeeded"
   else
     NAMED_EXIT_CODE=$?
@@ -298,7 +304,7 @@ else
     
     # Try to run named with more verbose output
     echo "Debug: Trying to run named in foreground for better error output:"
-    timeout 5 named -c "$NAMED_CONF" -p 53 -u "$NAMED_USER" -g -d 1 || echo "Foreground attempt timed out or failed"
+    timeout 5 named -c "$NAMED_CONF" -p 53 -u "$BIND_USER" -g -d 1 || echo "Foreground attempt timed out or failed"
     
     exit $NAMED_EXIT_CODE
   fi
@@ -340,4 +346,4 @@ else
   grep "apparmor.*DENIED.*named" /var/log/syslog 2>/dev/null | tail -5 || echo "No final AppArmor denials found"
 
   exit 1
-fi
+fi
