[Opendnssec-user] SUDO bug, may bite you.

Olaf Kolkman olaf at NLnetLabs.nl
Tue Apr 26 09:51:53 UTC 2011


Colleagues,

This is just a heads up for those users that rely on "sudo" in <NotifyCommands>. It may save you time on debugging.

In my setup I run OpenDNSSEC as 'opendnssec' and NSD as 'bind' therefore I have to use sudo to run 'nsdc reload' when it is wrapped in a <NotifyCommand>. So far so good.

But it turns out that on a FreeBSD 8.0 system (with sudo version 1.7.4) you will be bitten by a bug in sudo that is described here:
   http://blog.famzah.net/2010/11/01/sudo-hangs-and-leaves-the-executed-program-as-zombie

The way you will notice is that when running the queue command in the ods-signer you will see the zones that are scheduled for signing waiting for a [write]:

   It is now Tue Apr 26 11:48:37 2011
   Working with task [write] on zone geerthe.org


While your process table will show something like:
   root         88049  0.0  0.1  3484  1408  ??  I    11:26AM   0:00.01 /usr/local/bin/sudo /usr/local/sbin/nsdc reload
   root         88050  0.0  0.0     0     0  ??  Z    11:26AM   0:00.00 <defunct>

Whereby the <defunct> line is a give-away for the bug described in the famzah.net blog post.




--Olaf



________________________________________________________ 

Olaf M. Kolkman                        NLnet Labs
http://www.nlnetlabs.nl/            
I will start to use a new PGP key (ID 0x3B6AAA64) at the beginning
of May 2011.

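A check for the symptom described in the message above, added here as an example and not part of the original post: it reports every sudo process whose child is a zombie. The function names, the PID/PPID/state/command input layout and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: spot a sudo wrapper left waiting on a <defunct> child.
# Input rows are "PID PPID STATE COMMAND...", e.g. (assumed invocation):
#   ps -axo pid,ppid,state,command | find_hung_sudo

find_hung_sudo() {
    awk '
        $1 !~ /^[0-9]+$/ { next }              # skip the header row
        {
            # Rebuild the full command line from field 4 onwards.
            cmdline = $4
            for (i = 5; i <= NF; i++) cmdline = cmdline " " $i
            cmd[$1] = cmdline
            # State starts with Z for a zombie; remember who its parent is.
            if ($3 ~ /^Z/) zombie_parent[$2] = 1
        }
        END {
            # Report only zombie parents whose executable is sudo.
            for (pid in zombie_parent)
                if (cmd[pid] ~ /(^|\/)sudo( |$)/)
                    print pid, cmd[pid]
        }
    ' | sort -n
}

# Constructed sample: the PIDs 88049/88050 follow the process table in the
# message; the PPID column and all other rows are made up for the example.
sample_ps() {
    cat <<'EOF'
  PID  PPID STAT COMMAND
87990     1 Is   /usr/local/sbin/ods-signerd
88049 87990 I    /usr/local/bin/sudo /usr/local/sbin/nsdc reload
88050 88049 Z    <defunct>
90001     1 Ss   /usr/sbin/cron -s
90002 90001 Z    <defunct>
90010 87990 S    /usr/local/bin/sudo /usr/local/sbin/nsdc notify
EOF
}

# Only the sudo with a zombie child is reported; the cron zombie and the
# healthy sudo are ignored.
sample_ps | find_hung_sudo
```

Run from cron or a monitoring check, a non-empty result while the signer queue shows zones stuck at [write] points at the hung NotifyCommand rather than at the signer itself.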


