[Opendnssec-user] SUDO bug, may bite you.
olaf at NLnetLabs.nl
Tue Apr 26 09:51:53 UTC 2011
This is just a heads up for those users that rely on "sudo" in <NotifyCommands>. It may save you time on debugging.
In my setup I run OpenDNSSEC as 'opendnssec' and NSD as 'bind', therefore I have to use sudo to run 'nsdc reload' when it is wrapped in a <NotifyCommand>. So far so good.
But it turns out that on a FreeBSD 8.0 system (with sudo version 1.7.4) you will be bitten by a bug in sudo that is described here:
The way you will notice is that when running the queue command in the ods-signer you will see the zones that are scheduled for signing waiting for a [write]:
It is now Tue Apr 26 11:48:37 2011
Working with task [write] on zone geerthe.org
While your process table will show something like:
root 88049 0.0 0.1 3484 1408 ?? I 11:26AM 0:00.01 /usr/local/bin/sudo /usr/local/sbin/nsdc reload
root 88050 0.0 0.0 0 0 ?? Z 11:26AM 0:00.00 <defunct>
Whereby the <defunct> line is a give-away for the bug described in the famzah.net blog post.
Olaf M. Kolkman NLnet Labs
I will start to use a new PGP key (ID 0x3B6AAA64) at the beginning
of May 2011.
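A small check for the symptom described in the post (a NotifyCommand stuck behind sudo with a defunct child), added here as an example; it is not part of the original mail or of OpenDNSSEC. The `ps` sample is constructed, modelled on the quoted process table with a PPID column added.

```python
"""Flag a stuck NotifyCommand: a zombie (<defunct>) child whose parent is sudo."""
import re

# Constructed sample of `ps -axo user,pid,ppid,stat,command` output, modelled on
# the process table quoted in the post. PIDs/PPIDs are made up for illustration.
SAMPLE_PS = """\
USER         PID  PPID STAT COMMAND
opendnssec  8801     1 Ss   /usr/local/sbin/ods-signerd
root       88049  8801 I    /usr/local/bin/sudo /usr/local/sbin/nsdc reload
root       88050 88049 Z    <defunct>
bind        8123     1 Ss   /usr/local/sbin/nsd -c /usr/local/etc/nsd/nsd.conf
"""

SUDO_RE = re.compile(r"(^|/)sudo(\s|$)")


def parse_ps(text):
    """Parse `ps -o user,pid,ppid,stat,command` output into {pid: info}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        fields = line.split(None, 4)  # COMMAND may itself contain spaces
        if len(fields) < 5:
            continue
        user, pid, ppid, stat, cmd = fields
        procs[int(pid)] = {"user": user, "ppid": int(ppid), "stat": stat, "cmd": cmd}
    return procs


def find_stuck_sudo(text):
    """Return (sudo_pid, zombie_pid, sudo_command) for every zombie whose parent is sudo.

    A sudo process that is still alive while its only child is <defunct> means the
    wrapped command finished but sudo never reaped it and never returned, so the
    signer keeps waiting on the NotifyCommand.
    """
    procs = parse_ps(text)
    hits = []
    for pid, proc in sorted(procs.items()):
        if not proc["stat"].startswith("Z"):
            continue
        parent = procs.get(proc["ppid"])
        if parent and SUDO_RE.search(parent["cmd"]):
            hits.append((proc["ppid"], pid, parent["cmd"]))
    return hits


if __name__ == "__main__":
    for sudo_pid, zombie_pid, cmd in find_stuck_sudo(SAMPLE_PS):
        print(f"sudo pid {sudo_pid} has defunct child {zombie_pid}: {cmd}")
```

On a live host, feed it the real output of `ps -axo user,pid,ppid,stat,command` instead of the constructed sample.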