
Forwarded to devs plesk repair dns changing permissions to 0600

agarzon

Basic Pleskian
User name: agarzon

TITLE

plesk repair dns changing permissions to 0600

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian Version 18.0.30, CentOS Linux 8.2.2004 (Core)

PROBLEM DESCRIPTION

When I executed the command:
plesk repair dns

The file /var/named/chroot/etc/named.conf and all the zones stored in /var/named/chroot/var got set to permission 0600, which causes the DNS to stop working and not start anymore. I fixed it by resetting all files to 0640.

In the log you can read:
Code:
Sep 29 14:20:29 test named[5257]: open: /etc/named.conf: permission denied
Sep 29 14:20:29 test named[5257]: reloading configuration failed: permission denied
Sep 29 14:20:29 test named[5257]: received SIGHUP signal to reload zones
Sep 29 14:20:29 test named[5257]: loading configuration from '/etc/named.conf'
Sep 29 14:20:29 test named[5257]: open: /etc/named.conf: permission denied
Sep 29 14:20:29 test named[5257]: reloading configuration failed: permission denied
Sep 29 14:20:29 test systemd[1]: Reloaded Berkeley Internet Name Domain (DNS).

STEPS TO REPRODUCE

On a freshly installed Plesk server (CentOS 8 with SELinux enabled)

Execute plesk repair dns and check the named service status and the syslog

ACTUAL RESULT

The repair tool is breaking the permissions for named configuration and all zones by setting them to 0600

EXPECTED RESULT

The repair tool should not break the permissions. If permissions must be set due to security improvements, it should at least also set the owner of those files to named:named (Plesk should also generate the zones using the same owner; currently it is generating them as root:root).

ANY ADDITIONAL INFORMATION

This was tested on a freshly installed server I set up for experimenting.

CentOS 8 with SELinux activated.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Now I strongly believe this is related to umask, which is 077 on both my production and my experimental server (both CentOS 8).

Interestingly, they were 022 before I installed Plesk and became 077 after Plesk was installed.

Now I need to double check when exactly it changes to 077, since I was using Ansible to deploy those servers.
 
Hi - did you ever figure this out?
Thanks
 
Not yet. Something in Plesk is changing the UMASK in the file /etc/login.defs, probably one of its multiple extensions; not sure which one yet.
 
Thanks ... meanwhile I found that commenting out UMASK 077 (around line 64) in login.defs does seem to fix the problem but not sure if it has any repercussions elsewhere. In CentOS7 the same line exists without seemingly the same problem so perhaps it is overridden elsewhere.

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077

Edit - just to add, my problem was that when logged in as a system user, files were being created with the wrong permissions 0600 instead of 0644.
 
You can set UMASK 022 in /etc/login.defs; that is what I found on my other Plesk server, but with CentOS 7.

There are plenty of docs on the internet about UMASK, but as a quick summary:

077 Very restrictive, so more secure but causing errors here and there.
027 A bit more restrictive than the common one, enough for security enhancement.
022 The most common, and the one Plesk comes with by default.

But I still need to find WHY my server was set to 077 even though I never changed that.
 
From developer:

Although I cannot reproduce this bug per se (seems customer login via console or something else), incorrect umask prior to 'plesk repair dns' can break the named, so I create an issue PPPM-12437 to address this: even with wrong umask, plesk repair dns should break the named.

Note: Plesk doesn't somehow modify login.defs file, and UMASK 077 in this file is set by OS vendor.
 
Please would you also take a look as to why, when logged in as a system user, UMASK is set to 077. This didn't happen with a CentOS 7 setup. The login.defs file has it set to 077 in both CentOS 7 & 8, and while commenting it out in CentOS 8 does seem to fix the problem, it looks like it must be overridden elsewhere in CentOS 7 ... Thanks
 
Fixed in Plesk 18.0.31:

Running the plesk repair dns command with umask set to “077” no longer breaks the permissions for named configuration files and all zones by setting incorrect permissions on them. (PPPM-12437)
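
An added example (not part of the thread and not Plesk's code) of the mechanism discussed above: a file created by plain redirection inherits the caller's umask, so umask 077 yields 0600, while a writer that sets the mode explicitly is unaffected. All function names and files here are constructed for illustration and live in a temporary directory.

```shell
#!/bin/sh
# Added example: constructed files in a temp dir; nothing under /var/named is touched.

# Print the octal mode of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file by plain redirection under the given umask and print the
# resulting mode. This is the pattern that inherits the caller's umask.
mode_with_umask() {
    ( umask "$1"; : > "$2"; file_mode "$2" )
}

# Write stdin to a file with an explicit mode, independent of the umask in
# effect. install(1) applies the requested mode itself after creating the file.
write_with_mode() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    install -m "$1" "$tmp" "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# List files under a directory that lack the group-read bit, i.e. files a
# daemon relying on group access (the 0640 layout from the thread) cannot open.
files_missing_group_read() {
    find "$1" -type f ! -perm -040 | sort
}

demo() {
    d=$(mktemp -d) || return 1
    echo "umask 022 -> $(mode_with_umask 022 "$d/a.zone")"
    echo "umask 077 -> $(mode_with_umask 077 "$d/b.zone")"
    ( umask 077; echo '; constructed zone' | write_with_mode 0640 "$d/c.zone" )
    echo "explicit  -> $(file_mode "$d/c.zone")"
    echo "missing group read:"; files_missing_group_read "$d"
    rm -rf "$d"
}

demo
```

Pointing `files_missing_group_read` at a configuration directory gives a quick post-repair check for files that ended up too restrictive; ownership still has to be checked separately.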
 