Re: bind gets permission errors in buster--systemd-related?

On 5/15/19, Ross Boylan <rossboylan@xxxxxxxxxxxxxxxxxx> wrote:
> I have a new buster system with a bind setup based on (much) older*
> systems, on which it worked fine.  On buster, it doesn't.
> In two different places in my configuration I referred to files or
> directories that were outside of bind proper, and in both cases this
> failed with permission problems.
> I'm pretty sure bind is running under systemd, and have seen various
> references to systemd limiting access to the file system.  However, I
> don't see anything that appears to be requesting such limits for
> bind9, or in general.  /var is a different partition from /, and I
> configured bind to run as an ordinary user.
> Any ideas what's going on, or what I can do to fix it?

You're not showing file or directory permissions, so it's hard to guess.
The way I fixed my permission problems after telling bind to log to a
file instead of syslog was
  su -
to become root
  su bind
which didn't work because
  # grep bind /etc/passwd
so edit /etc/passwd and change '/bin/false' to '/bin/sh'
  su bind
then worked, so
  /usr/sbin/named -g
to see all the errors.  Adjust permissions, start bind as a daemon and
edit /etc/passwd to change '/bin/sh' back to '/bin/false'


>         // RB modified resolv.conf with custom
> /etc/resolvconf/update.d/bind9 to create this file.
>     //include "/run/named/named.resolvers";
>     /* Error was
> May 11 12:46:27 barley named[15935]: loading configuration from
> '/etc/bind/named.conf'
> May 11 12:46:27 barley named[15935]: /etc/bind/named.conf.options:18:
> open: /run/named/named.resolvers: permission denied
> May 11 12:46:27 barley named[15935]: loading configuration: permission
> denied
> May 11 12:46:27 barley named[15935]: exiting (due to fatal error)
> The script clearly starts as the bind user, and when I su to bind I
> can cat the file.
> */
> Second, I had a bunch of logging directives like
> logging {
> /*  permission problems opening the log files.  Not sure why.
>   channel update_debug{
>     file "/var/log/bind/dnsupdate.log";
>     severity  debug 3;
>     print-category yes;
>     print-severity yes;
>     print-time yes;
>     };
> */
> /var/log/bind is owned by bind.
> For now I just commented the problems out, but I'd like it to work.
> For one thing, my network configuration is not static.
> Thanks.
> Ross
> *Specifically bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u20) wheezy-security