log file permission error

Bill Larson bind9 at comcast.net
Mon Apr 4 16:10:56 UTC 2005


On Apr 4, 2005, at 9:29 AM, Puye, Alhagie - ADP Dataphile wrote:

> I'm getting the following error message from syslog:
>
> Apr  3 04:04:30 thor named[7999]: unable to rename log file
> '/var/log/bind.log' to '/var/log/bind.log.0': permission denied
>
> I'm running BIND 9.3.0rc4. The daemon is running as user "named" on a
> Red Hat ES 3 box.
>
> root owns /var/log and the permissions on that directory are 755
>
> named owns /var/log/bind.log and the permissions on that file are 644
>
> Any ideas why I would be getting this?

As you identified, the user "named" does not have permission to write 
to the /var/log directory.  The directory is owned by "root" and no one 
else has permission to write to it.  Simple as that!

Now, to fix it, you have two possibilities, both of which have the same 
outcome, allowing the "named" user to write to this directory:

1.  Change the owner of this directory to "named" (chown named 
/var/log).  Since the "named" user is now the owner, and the owner has 
write permissions, this user can now write to the directory.

2.  Change the permissions of this directory such that the "named" user 
can now write to the directory.  Since this user is neither the owner 
nor a member of the group, the permissions must be 777.  The command 
would be "chmod 777 /var/log".  (Really 757 would be sufficient, but if 
you allow everyone to write to this directory, why limit the group?)

A better solution would be to leave the /var/log directory alone and 
create a /var/log/named directory that the "named" user can write to.  
This minimizes the possibility that, if the "named" process is hacked, 
the hacker would be able to modify/delete any of the files in the 
/var/log hierarchy.

This could be done with "mkdir /var/log/named; chown named 
/var/log/named; chmod 755 /var/log/named".  You would also need to 
modify your named.conf file to specify that files are in /var/log/named 
rather than /var/log.

Bill Larson
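The following script is an added example for this archived thread; it is not Bill's or the original poster's code and nothing from BIND itself. It models the check the kernel makes on rename(2) (write and execute permission on the directory, the file's own mode being irrelevant, which is why 644 on bind.log changed nothing), shows that 755 on a root-owned directory denies "named" while 757 or a chown would allow it, creates the dedicated log directory the reply recommends, and prints a named.conf logging stanza pointing at it. It assumes GNU coreutils stat(1) and id(1), does not model the sticky bit, and the demonstration at the bottom works in a scratch directory rather than touching /var/log (the user "nobody" stands in for an unprivileged third party).

```shell
#!/bin/sh
# Added example (not from the thread). Models the permission check behind
# "unable to rename log file ... permission denied": rename(2) needs write
# AND execute permission on the containing directory. The file's own mode
# (644 on bind.log) plays no part.
# Assumptions: GNU coreutils stat(1)/id(1); sticky bit not modelled.

# can_rename_in DIR USER: prints "yes" or "no", returns 0 or 1.
can_rename_in() {
    dir=$1
    user=$2
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")
    mode=${mode#"${mode%???}"}          # last three octal digits only (drops setuid/setgid/sticky)

    # Choose the permission class that applies to USER: owner, group, or other.
    if [ "$owner" = "$user" ]; then
        class=${mode%??}                  # first digit
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$group"; then
        class=${mode#?}; class=${class%?} # middle digit
    else
        class=${mode#??}                  # last digit
    fi

    # write (2) + execute (1) both set -> 3 or 7
    case $class in
        3|7) echo yes; return 0 ;;
        *)   echo no;  return 1 ;;
    esac
}

# setup_named_logdir BASE USER: create BASE/named owned by USER with mode 755,
# which is what the reply suggests for /var/log/named (BASE=/var/log when run
# as root). Prints the directory it created.
setup_named_logdir() {
    mkdir -p "$1/named"
    chown "$2" "$1/named"
    chmod 755 "$1/named"
    printf '%s/named\n' "$1"
}

# named_logging_stanza DIR: print a named.conf logging block that writes the
# default category to DIR/bind.log and lets named rotate the file itself.
# Channel name "bind_log" and the versions/size values are assumptions.
named_logging_stanza() {
    cat <<EOF
logging {
    channel bind_log {
        file "$1/bind.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category default { bind_log; };
};
EOF
}

# Demonstration on a constructed scratch directory; /var/log is never touched.
demo() {
    me=$(id -un)
    scratch=$(mktemp -d)
    chmod 755 "$scratch"                 # mimics a root-owned /var/log with mode 755
    echo "third party in 755 dir: $(can_rename_in "$scratch" nobody)"   # no
    echo "owner in 755 dir:       $(can_rename_in "$scratch" "$me")"    # yes
    chmod 757 "$scratch"
    echo "third party in 757 dir: $(can_rename_in "$scratch" nobody)"   # yes
    chmod 755 "$scratch"
    logdir=$(setup_named_logdir "$scratch" "$me")
    echo "owner in $logdir: $(can_rename_in "$logdir" "$me")"           # yes
    named_logging_stanza /var/log/named
    rm -rf "$scratch"
}
demo
```

Run it as any user; the checker is purely bit-based, so it reports what the permissions say even when run as root (who bypasses them in practice). Once /var/log/named exists with these permissions, named can both write bind.log and rotate it to bind.log.0, while a compromised named still cannot touch anything else under /var/log.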
