log file permission error

Puye, Alhagie - ADP Dataphile Alhagie_Puye at adp.com
Mon Apr 4 19:06:31 UTC 2005


Thanks a bunch.
Alhagie Puye - Systems Support Engineer 

ADP Dataphile 

Vancouver, BC V6C 3A8 

(604)687-2133 x2315


-----Original Message-----
From: Bill Larson [mailto:bind9 at comcast.net] 
Sent: Monday, April 04, 2005 11:51 AM
To: Puye, Alhagie - ADP Dataphile
Cc: bind-users
Subject: Re: log file permission error

On Apr 4, 2005, at 9:29 AM, Puye, Alhagie - ADP Dataphile wrote:

> I'm getting the following error message from syslog:
>
> Apr  3 04:04:30 thor named[7999]: unable to rename log file
> '/var/log/bind.log' to '/var/log/bind.log.0': permission denied
>
> I'm running BIND 9.3.0rc4. The daemon is running as user "named" on a
> Red Hat ES 3 box.
>
> root owns /var/log and the permissions on that directory are 755
>
> named owns /var/log/bind.log and the permissions on that file are 644
>
> Any ideas why I would be getting this?

As you identified, the user "named" does not have permission to write 
to the /var/log directory.  The directory is owned by "root" and no one 
else has permission to write to it.  Simple as that!

Now, to fix it, you have two possibilities, both of which have the same 
outcome, allowing the "named" user to write to this directory:

1.  Change the owner of this directory to "named" (chown named 
/var/log).  Since the "named" user is now the owner, and the owner has 
write permissions, this user can now write to the directory.

2.  Change the permissions of this directory such that the "named" user 
can now write to the directory.  Since this user is neither the owner 
nor a member of the group, the permissions must be 777.  The command 
would be "chmod 777 /var/log".  (Really 757 would be sufficient, but if 
you allow everyone to write to this directory, why limit the group?)

A better solution would be to leave the /var/log directory alone and 
create a /var/log/named directory that the "named" user can write to.  
This minimizes the possibility that, if the "named" process is hacked, 
the hacker would be able to modify/delete any of the files in the 
/var/log hierarchy.

This could be done with "mkdir /var/log/named; chown named 
/var/log/named; chmod 755 /var/log/named".  You would also need to 
modify your named.conf file to specify that files are in /var/log/named 
rather than /var/log.

Bill Larson
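The recipe above, worked through as a small script. This is an added example, not code from the thread or from ISC; it assumes the daemon user is "named" as in the original message, and NAMED_LOGDIR can be pointed at a scratch directory so the checks can be run unprivileged. It reproduces the owner/group/other reasoning behind the diagnosis, applies the mkdir/chown/chmod steps, verifies that the rename named performs on log rotation now succeeds in the new directory, and prints the named.conf logging stanza that moves the file out of /var/log.

```shell
#!/bin/sh
# Added example, not from the thread: set up the dedicated BIND log directory
# Bill describes (/var/log/named, owned by "named", mode 755), check with the
# same owner/group/other reasoning why /var/log itself was not writable, and
# confirm that the rename named performs on rotation now succeeds.
# Assumptions: the daemon user is "named" as in the thread; NAMED_LOGDIR is
# overridable so the checks can be run against a scratch directory.
set -eu

NAMED_USER="${NAMED_USER:-named}"
NAMED_LOGDIR="${NAMED_LOGDIR:-/var/log/named}"

# Octal permission bits of a path; GNU stat and BSD stat differ in syntax.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
# Owner and group names of a path, same portability fallback.
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
group_of() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"; }

# Return 0 if USER may create or rename entries in DIR. This is the check the
# reply walks through: owner bits apply to the owner, group bits to members of
# the directory's group, and the "other" bits to everyone else, which is where
# "named" landed in a root-owned, mode 755 /var/log.
dir_writable_by() {
  dir="$1"; user="$2"
  mode=$(( $(mode_of "$dir") % 1000 ))   # drop any setuid/setgid/sticky digit
  u=$(( (mode / 100) % 10 )); g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))
  if [ "$user" = "$(owner_of "$dir")" ]; then
    bits=$u
  elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$(group_of "$dir")"; then
    bits=$g
  else
    bits=$o
  fi
  [ $(( bits & 2 )) -ne 0 ]   # the write bit is 2 in each rwx triple
}

# The thread's recipe: mkdir, chown named, chmod 755. chown needs root and an
# existing user, so an unprivileged run only sets the mode and says so.
setup_named_logdir() {
  dir="$1"; owner="$2"
  mkdir -p "$dir"
  chmod 755 "$dir"
  if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
    chown "$owner" "$dir"
  else
    echo "skipped 'chown $owner $dir' (not root or no such user)" >&2
  fi
}

# The operation that failed in the syslog line: named renames its log file to
# <name>.0 when a channel is rotated. Probe it with a throwaway file so the
# real bind.log is never touched. Returns 0 if the rename works in DIR.
can_rotate() {
  dir="$1"
  touch "$dir/.rotate-probe" 2>/dev/null || return 1
  mv "$dir/.rotate-probe" "$dir/.rotate-probe.0" 2>/dev/null || return 1
  rm -f "$dir/.rotate-probe.0"
}

# named.conf logging stanza pointing at the new directory instead of /var/log.
# "versions 3 size 5m" is what makes named rotate to bind.log.0, .1 and .2.
print_logging_stanza() {
  cat <<EOF
logging {
    channel bind_log {
        file "$1/bind.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category default { bind_log; };
};
EOF
}

# Stand-alone use: "sh named-logdir.sh --apply" creates the directory and
# probes rotation; without --apply it only prints the stanza for review.
if [ "${1:-}" = "--apply" ]; then
  setup_named_logdir "$NAMED_LOGDIR" "$NAMED_USER"
  if can_rotate "$NAMED_LOGDIR"; then
    echo "rotation probe in $NAMED_LOGDIR succeeded" >&2
  else
    echo "rotation probe in $NAMED_LOGDIR failed; check owner and mode" >&2
  fi
fi
print_logging_stanza "$NAMED_LOGDIR"
```

Run it as root with `--apply` after stopping named, then paste the printed stanza into named.conf (replacing any existing channel that points at /var/log/bind.log) and restart the daemon. Before restarting, `dir_writable_by /var/log/named named` answers the same question the original syslog line raised, without waiting for the next rotation to find out.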



