Re: bind gets permission errors in buster--systemd-related?
On 5/15/19, Ross Boylan <rossboylan@stanfordalumni.org> wrote:
> I have a new buster system with a bind setup based on (much) older*
> systems, on which it worked fine. On buster, it doesn't.
> In two different places in my configuration I referred to files or
> directories that were outside of bind proper, and in both cases this
> failed with permission problems.
> I'm pretty sure bind is running under systemd, and have seen various
> references to systemd limiting access to the file system. However, I
> don't see anything that appears to be requesting such limits for
> bind9, or in general. /var is a different partition from /, and I
> configured bind to run as an ordinary user.
>
> Any ideas what's going on, or what I can do to fix it?
You're not showing file or directory permissions, so it's hard to guess.
The way I fixed my permission problems after telling bind to log to a
file instead of syslog was
su -
to become root
su bind
which didn't work because
# grep bind /etc/passwd
bind:x:116:119::/var/cache/bind:/bin/false
so edit /etc/passwd and change '/bin/false' to '/bin/sh'
su bind
then worked, so
/usr/sbin/named -g
to see all the errors. Adjust permissions, start bind as a daemon and
edit /etc/passwd to change '/bin/sh' back to '/bin/false'
Regards,
Lee
>
> // RB modified resolv.conf with custom
> /etc/resolvconf/update.d/bind9 to create this file.
> //include "/run/named/named.resolvers";
> /* Error was
> May 11 12:46:27 barley named[15935]: loading configuration from
> '/etc/bind/named.conf'
> May 11 12:46:27 barley named[15935]: /etc/bind/named.conf.options:18:
> open: /run/named/named.resolvers: permission denied
> May 11 12:46:27 barley named[15935]: loading configuration: permission
> denied
> May 11 12:46:27 barley named[15935]: exiting (due to fatal error)
>
> The script clearly starts as the bind user, and when I su to bind I
> can cat the file.
> */
>
> Second, I had a bunch of logging directives like
> logging {
> /* permission problems opening the log files. Not sure why.
> channel update_debug{
> file "/var/log/bind/dnsupdate.log";
> severity debug 3;
> print-category yes;
> print-severity yes;
> print-time yes;
> };
> */
> /var/log/bind is owned by bind.
>
> For now I just commented the problems out, but I'd like it to work.
> For one thing, my network configuration is not static.
>
> Thanks.
> Ross
>
> *Specifically bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u20) wheezy-security
>
>
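Lee's recipe above surfaces the failing open() by switching to the bind user and running named in the foreground. As an added illustration (my own code, not from either poster), the script below performs the same discretionary-access check without changing the account's shell: it walks every prefix of the path the way the kernel does, demanding search (x) on each directory and read on the final file, and names the first component that denies the user. The uid 116 / gid 119 come from Lee's /etc/passwd line; the directory modes in the sample are constructed, not taken from Ross's system, and the `check_real_path` helper is the one piece that touches the real filesystem.

```python
import grp
import os
import pwd

# Constructed sample values: the bind account from the thread (uid 116, gid 119).
BIND_UID = 116
BIND_GIDS = {119}


def user_bits(mode, uid, gid, user_uid, user_gids):
    """Pick the owner, group or other rwx triple that applies to user_uid."""
    if user_uid == 0:
        return 7  # root bypasses DAC; MAC (AppArmor) or systemd sandboxing may still block
    if user_uid == uid:
        return (mode >> 6) & 0o7
    if gid in user_gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def check_access(components, user_uid, user_gids, want=4):
    """components: (path, mode, uid, gid) for every prefix from / down to the target.
    Every directory must grant search (x); the final entry must grant `want`
    (4 = read, 2 = write, 6 = both). Returns a list of problems; empty means OK."""
    problems = []
    last = len(components) - 1
    for i, (path, mode, uid, gid) in enumerate(components):
        bits = user_bits(mode, uid, gid, user_uid, user_gids)
        if i < last and not bits & 1:
            problems.append(f"{path}: uid {user_uid} lacks search (x) permission")
        elif i == last and (bits & want) != want:
            problems.append(f"{path}: uid {user_uid} lacks permission bits {want:o}")
    return problems


def stat_components(path):
    """Collect real stat() data for every prefix of an absolute path."""
    path = os.path.abspath(path)
    prefixes = ["/"]
    for part in path.strip("/").split("/"):
        if part:
            prefixes.append(os.path.join(prefixes[-1], part))
    out = []
    for p in prefixes:
        st = os.stat(p)  # follows symlinks, as named's open() would
        out.append((p, st.st_mode & 0o7777, st.st_uid, st.st_gid))
    return out


def check_real_path(path, username, want=4):
    """Resolve the account's uid and supplementary groups, then check a live path."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return check_access(stat_components(path), pw.pw_uid, gids, want)


if __name__ == "__main__":
    # Constructed scenario: /run/named was created root-only, so the file's own
    # world-readable mode never matters; the directory is what denies the open.
    sample = [
        ("/", 0o755, 0, 0),
        ("/run", 0o755, 0, 0),
        ("/run/named", 0o700, 0, 0),
        ("/run/named/named.resolvers", 0o644, 0, 0),
    ]
    for line in check_access(sample, BIND_UID, BIND_GIDS) or ["ok"]:
        print(line)
    # On a real host: print(check_real_path("/run/named/named.resolvers", "bind"))
```

Run it as root (or any user that can stat the whole path) against the two paths from the thread, `/run/named/named.resolvers` with the default read check and `/var/log/bind/dnsupdate.log` with `want=6`, since a log channel needs write as well. An empty result means classic Unix permissions are not the blocker and the next suspects are the mandatory layers the script cannot see: Debian's bind9 package ships an AppArmor profile for named, and a systemd unit can carry its own filesystem restrictions.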