[Dnssec-trigger] Beware when upgrading to Mountain Lion (was: DNSSEC trigger on OS X Mountain Lion seems to work ok)
Olaf Kolkman
olaf at NLnetLabs.nl
Fri Jul 27 07:09:02 UTC 2012
On Jul 25, 2012, at 6:01 PM, Phil Regnauld <regnauld at nsrc.org> wrote:
> Quick testing shows that it works fine - have tried both in
> hotspot signon, and on a "normal" network. Everything seems
> to function (for those hesitating to upgrade).
I have noticed that unbound failed to start after I upgraded. [*]
If you find yourself in that situation, set dnssec-trigger to hot-spot-signon mode in order to connect to the Internet.
This is because the installation script does not create a UniqueID and PrimaryGroupID for the unbound user. It seems that Mountain Lion does need these IDs in order for the account to be recognized as a Unix user, in contrast to previous versions of OS X.
If the command
$ id unbound
returns "no such user", you know that you have been bitten by this problem.
To fix:
Allocate yourself a free id. You can see the allocated ids using the following:
dscl localhost -list /Local/Default/Groups PrimaryGroupID
dscl localhost -list /Local/Default/Users UniqueID
Then assign the ids to the unbound user.
sudo dscl localhost -create /Local/Default/Users/unbound PrimaryGroupID <number>
sudo dscl localhost -create /Local/Default/Users/unbound UniqueID <number>
(I have toyed around with the user creation script below; use at your own risk.)
Finally, we will be fixing the dnssec-trigger package in the order of weeks (rather than days).
--Olaf
[*] It might be that Phil did not encounter this problem because unbound had been released earlier, e.g. through a port.
#!/bin/bash
# Give the "unbound" account a UniqueID and PrimaryGroupID on OS X,
# using one free number for both.
USERNAME=unbound
REALNAME="unbound daemon"
NFSHomeDirectory="/etc/unbound/"
MAXID=1000
if [[ $UID -ne 0 ]]; then echo "Please run $0 as root." && exit 1; fi
# We prefer to use the same GID and UID so need to test that.
# Start with the first slot after the highest allocated number in the 200-300 range.
id=$(dscl localhost -list /Local/Default/Users UniqueID | awk '{ if ( $2 > max && $2 < 300 ) max = $2 } END { print max+1 }' )
while [ "$id" -le "$MAXID" ] # Really we are exaggerating here... surely there will be one ID free below 1000.
do
    gid=""
    uid=""
    # Both searches print nothing when the number is not in use.
    gid=$(dscl localhost -search /Local/Default/Groups PrimaryGroupID "$id")
    uid=$(dscl localhost -search /Local/Default/Users UniqueID "$id")
    if [ -z "$gid$uid" ]
    then
        break
    fi
    id=$((id+1))
done
echo "$id" "$MAXID"
if [ "$id" -eq $((MAXID+1)) ] ; then
    echo "NO FREE IDs"
    exit 1
else
    # Quote every value: REALNAME contains a space and must stay one argument.
    dscl localhost -create "/Local/Default/Users/${USERNAME}"
    dscl localhost -create "/Local/Default/Users/${USERNAME}" UserShell /usr/bin/false
    dscl localhost -create "/Local/Default/Users/${USERNAME}" PrimaryGroupID "${id}"
    dscl localhost -create "/Local/Default/Users/${USERNAME}" UniqueID "${id}"
    dscl localhost -create "/Local/Default/Users/${USERNAME}" RealName "${REALNAME}"
    dscl localhost -create "/Local/Default/Users/${USERNAME}" NFSHomeDirectory "${NFSHomeDirectory}"
fi
NLnet Labs
Olaf M. Kolkman
www.NLnetLabs.nl
olaf at NLnetLabs.nl
Science Park 400, 1098 XH Amsterdam, The Netherlands
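
Added example (not part of the original message and not NLnet Labs code): the "allocate yourself a free id" step done in one pass over the two dscl listings, picking the lowest number unused as both a UID and a GID. The helper name first_free_id and the sample listings are constructed for illustration; the only assumption about dscl is the "name id" column layout that the script above also relies on.

```shell
#!/bin/sh
# Constructed sample listings in the two-column "name id" layout printed by
#   dscl localhost -list /Local/Default/Users  UniqueID
#   dscl localhost -list /Local/Default/Groups PrimaryGroupID
# The values are made up; they are not taken from a real system.
SAMPLE_USERS='_www 70
_postfix 27
_sshd 75
daemon 1
root 0
_softwareupdate 200
_coreaudiod 202'

SAMPLE_GROUPS='wheel 0
daemon 1
_www 70
_lpadmin 98
_softwareupdate 200
_custom 201
_developer 204'

# first_free_id USERS GROUPS LO HI   (hypothetical helper)
# Prints the lowest number in LO..HI that is neither a UID nor a GID, so the
# same value can be given to both UniqueID and PrimaryGroupID without
# colliding with an existing account or group.
# Prints nothing and returns 1 when every number in the range is taken.
first_free_id() {
    printf '%s\n%s\n' "$1" "$2" | awk -v lo="$3" -v hi="$4" '
        # The id is the last column, even if a record name contains spaces.
        $NF ~ /^-?[0-9]+$/ { used[$NF + 0] = 1 }
        END {
            for (i = lo; i <= hi; i++)
                if (!(i in used)) { print i; exit 0 }
            exit 1
        }'
}

# On a real system, feed it the live listings (root is not needed to read):
#   first_free_id "$(dscl localhost -list /Local/Default/Users UniqueID)" \
#                 "$(dscl localhost -list /Local/Default/Groups PrimaryGroupID)" \
#                 200 400
```

With the constructed listings, 200 is taken by both a user and a group, 201 only by a group and 202 only by a user, so the first number safe for both attributes is 203.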