• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Forwarded to devs plesk repair dns changing permissions to 0600

agarzon

agarzon

Basic Pleskian
User name: agarzon

TITLE

plesk repair dns changing permissions to 0600

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian Versión 18.0.30 CentOS Linux 8.2.2004 (Core)

PROBLEM DESCRIPTION

When I executed the command:
plesk repair dns

The file /var/named/chroot/etc/named.conf and all the zones stored in /var/named/chroot/var got set to permission 0600 which causes the DNS to stop working and not start anymore. I fixed by resetting all files to 0640

In the log you can read:
Code: 
│Sep 29 14:20:29 test named[5257]: open: /etc/named.conf: permission denied                                                                                                                                                                                                                  │
│Sep 29 14:20:29 test named[5257]: reloading configuration failed: permission denied                                                                                                                                                                                                         │
│Sep 29 14:20:29 test named[5257]: received SIGHUP signal to reload zones                                                                                                                                                                                                                    │
│Sep 29 14:20:29 test named[5257]: loading configuration from '/etc/named.conf'                                                                                                                                                                                                              │
│Sep 29 14:20:29 test named[5257]: open: /etc/named.conf: permission denied                                                                                                                                                                                                                  │
│Sep 29 14:20:29 test named[5257]: reloading configuration failed: permission denied                                                                                                                                                                                                         │
│Sep 29 14:20:29 test systemd[1]: Reloaded Berkeley Internet Name Domain (DNS).

STEPS TO REPRODUCE

In a fresh installed plesk server (Centos 8 with selinux enabled)

Execute plesk repair dns and check the named service status and the syslog

ACTUAL RESULT

The repair tool is breaking the permissions for named configuration and all zones by setting them to 0600

EXPECTED RESULT

The repair tool should not break the permissions, if permissions must be set due security inmprovements at least sould also set the owner of those files to named:named (also plesk shoud generate the zones using the same owner, currently is generating them as root:root)

ANY ADDITIONAL INFORMATION

This was tested in a fresh installed server I setup for experimenting.

Centos 8 with selinux activated.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Now I strongly believe this is related with umask which is 077 in both (my production and my experimental server Cetos 8 both)

Interestingly they were 022 before I installed Plesk and becomes 077 after plesk was installed.

Now I need to double check when exactly changes to 077 since I was using Ansible to deploy those servers.
 
agarzon said:
Now I strongly believe this is related with umask which is 077 in both (my production and my experimental server Cetos 8 both)

Interestingly they were 022 before I installed Plesk and becomes 077 after plesk was installed.

Now I need to double check when exactly changes to 077 since I was using Ansible to deploy those servers.
Click to expand...
Hi - did you ever figure this out?
Thanks
 
Not yet, something in Plesk is changing the UMASK in the file /etc/login.defs probably one of his multiple extensions, not sure which one yet.
 
agarzon said:
Not yet, something in Plesk is changing the UMASK in the file /etc/login.defs probably one of his multiple extensions, not sure which one yet.
Click to expand...
Thanks ... meanwhile I found that commenting out UMASK 077 (around line 64) in login.defs does seem to fix the problem but not sure if it has any repercussions elsewhere. In CentOS7 the same line exists without seemingly the same problem so perhaps it is overridden elsewhere.

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077

Edit - just to add, my problem was that when logged in as a system user, files were being created with the wrong permissions 0600 instead of 0644.
 
You can set UMASK 022 in the /etc/login.defs that is what I found in my other Plesk server but with Centos 7

There are plenty docs in internet about UMASK, but as quick summary:

077 Very restrictive, so more secure but causing errors here and there.
027 A bit more restrictive than the common, enought for security enhancement.
022 The most common, and the one Plesk comes by default.

But sill I need to find WHY, my server was set to 077 even when I never changed that.
 
From developer:

Although I cannot reproduce this bug per se (seems customer login via console or something else), incorrect umask prior to 'plesk repair dns' can break the named, so I create an issue PPPM-12437 to address this: even with wrong umask, plesk repair dns should break the named.

Note: Plesk doesn't somehow modify login.defs file, and UMASK 077 in this file is set by OS vendor.
 
IgorG said:
From developer:

Although I cannot reproduce this bug per se (seems customer login via console or something else), incorrect umask prior to 'plesk repair dns' can break the named, so I create an issue PPPM-12437 to address this: even with wrong umask, plesk repair dns should break the named.

Note: Plesk doesn't somehow modify login.defs file, and UMASK 077 in this file is set by OS vendor.
Click to expand...
Please would you also take a look as to why when logged in as a system user, UMASK is set to 077. This didn't happen with a CentOS7 setup. The login.defs file has it set to 077 in both CentOS 7 & 8 and while commenting it out in CentOS8 does seem to fix the problem, it looks like it is must be overridden elsewhere in CentOS7 ... Thanks
 
Last edited:
Fixed in Plesk 18.0.31:

Running the plesk repair dns command with umask set to “077” no longer breaks the permissions for named configuration files and all zones by setting incorrect permissions on them. (PPPM-12437)
Click to expand...
 
You must log in or register to reply here.

Similar threads

K
Resolved Can not change DNS server-wide settings
Replies
3
Views
1K
klowet
K
Daerik
Issue Error Upgrading Plesk Obsidian 18.0.63 to 18.0.64: HTTPS Error 404 - Not Found (MaxScale Repo)
Replies
6
Views
855
Daerik
Daerik
A
Question Some security questions
Replies
2
Views
709
amba1980
A
H.W.B
Issue DNSSEC with Ubuntu Problems
Replies
6
Views
3K
Kaspar@Plesk
Kaspar@Plesk
H
Issue ipv6 install error failed (99: Cannot assign requested address)
Replies
1
Views
1K
Peter Debik
P
Back
Top