logging permission denied

Chris Buxton cbuxton at menandmice.com
Thu Sep 18 17:36:02 UTC 2008


Here's the quick fix for a chroot'd path:

What you see as /var/named/chroot/, named will see as /. Therefore, if you want the path to be /var/named/chroot/var/log, you would put /var/log into the logging statement.

You cannot put a symlink into the chroot jail that leads outside of the jail. You should not create any hardlinks in the jail that share nodes with outside files or directories, because that provides an attacker with an avenue for escape from the jail. What you can do is to put a symlink called 'named' into /var/log that points to /var/named/chroot/var/log. Then if named is logging to /var/log (inside the jail), you can access its logs at the path /var/log/named.

And you should turn SELinux off if you don't have experience maintaining it.

Chris Buxton
Professional Services
Men & Mice

On Sep 18, 2008, at 6:48 AM, aklist wrote:

>
>
>> File is relative to chroot dir. Modify file "/var/log/named/named.log" to reflect this change and retry.
>
> Thanks...I'm not sure how to target the chroot'd path though?
>
> Is there a path var in Fedora that can be used as a shortcut, or does it need to be explicit?
>
> If I run "ls -la /var/named" I see there's a directory called "chroot", and in "chroot" there is "/var/named".
>
> Do I need to create an alias there to "/var/log"? And if so, would my file path be:
>
> /chroot/var/log/named/named.log?
>
> I'm confused by all the aliasing and how the permissions apply :(
>
>>
>>
>> On Sep 10, 11:28 am, "aklist" <aklist_b... at enigmedia.com> wrote:
>>> Hi All: I reinstalled bind to 9.5.0-p1 last month, and it's now running chrooted (it wasn't before).
>>>
>>> My existing config file's logging statement looks like:
>>>
>>> logging {
>>>     channel "my_syslog" { syslog daemon; severity info; };
>>>     channel "my_file" {
>>>         file "/var/log/named/named.log" versions 3 size 1000k;
>>>         severity dynamic;
>>>         print-category yes;
>>>         print-severity yes;
>>>         print-time yes;
>>>     };
>>>     channel "null" { null; };
>>>     category "default" { "my_syslog"; "my_file"; "my_stats"; };
>>>     category "general" { "my_file"; "my_stats"; };
>>>     category "notify" { "my_file"; };
>>>     category "queries" { "my_file"; };
>>>     category "unmatched" { "null"; "my_stats"; };
>>>     category "xfer-out" { "my_file"; };
>>>     channel "my_stats" {
>>>         file "/var/log/named/namedstats.log" versions 3 size 100k;
>>>         severity dynamic;
>>>         print-category yes;
>>>         print-severity yes;
>>>         print-time yes;
>>>     };
>>> };
>>>
>>> but when I reload bind I see that the "mystats" and "my_file" can't be written with permission denied. Do I need to edit my config to target the chroot, or do I need to edit the permissions on the existing directories to allow BIND to write the logs?
>>>
>>> TIA
>>
>>
>>
>
>
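The path mapping Chris describes (jail path vs. host path, the host-side convenience symlink, and the caution about links that lead out of the jail), worked through as a small shell script. This is an added example, not code from the mail or from BIND; it assumes the Fedora default jail at /var/named/chroot and uses a temporary directory in place of the real one so it can be run without touching a live server.

```shell
#!/bin/sh
# Constructed example: translate named.conf "file" paths between the chroot
# jail and the host, and check links for jail escapes. Jail location
# (/var/named/chroot) is an assumption; adjust to your installation.

# Print the host-side path for a path as named sees it inside the jail.
# jail_to_host /var/named/chroot/ /var/log  ->  /var/named/chroot/var/log
jail_to_host() {
    jail=${1%/}                 # tolerate a trailing slash on the jail dir
    injail=$2
    case $injail in
        /*) printf '%s%s\n' "$jail" "$injail" ;;
        *)  echo "jail path must be absolute: $injail" >&2; return 1 ;;
    esac
}

# Print the in-jail path (what belongs in the logging statement) for a host
# path, or fail if the host path is not inside the jail at all.
# host_to_jail /var/named/chroot /var/named/chroot/var/log/named.log
#   -> /var/log/named.log
host_to_jail() {
    jail=${1%/}
    host=$2
    case $host in
        "$jail"/*) printf '%s\n' "${host#"$jail"}" ;;
        *) echo "not inside the jail, named cannot reach it: $host" >&2; return 1 ;;
    esac
}

# Create the host-side symlink (e.g. /var/log/named) that points INTO the
# jail's log directory, so admins read logs at a familiar path. The link
# lives outside the jail, so named never sees it and it cannot aid escape.
link_jail_logs() {
    jail=${1%/}
    injail_log=$2               # e.g. /var/log (as named sees it)
    link=$3                     # e.g. /var/log/named (on the host)
    target=$(jail_to_host "$jail" "$injail_log") || return 1
    [ -d "$target" ] || { echo "log dir missing in jail: $target" >&2; return 1; }
    rm -f "$link" && ln -s "$target" "$link"
}

# Succeed only if a symlink resolves to somewhere inside the jail. Run this
# over links found inside the jail tree: one that resolves outside is both
# useless to named and the kind of link Chris warns against.
link_inside_jail() {
    jail=$(readlink -f "${1%/}") || return 1
    resolved=$(readlink -f "$2") || return 1
    case $resolved in
        "$jail"|"$jail"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# List regular files in the jail with more than one hard link: candidates
# for inodes shared with the host that deserve a look.
find_multilinked() {
    find "${1%/}" -type f -links +1
}

# Demonstration against a throwaway tree instead of the real /var/named/chroot.
demo() {
    tmp=$(mktemp -d)
    demo_jail=$tmp/var/named/chroot
    mkdir -p "$demo_jail/var/log" "$tmp/var/log"
    jail_to_host "$demo_jail" /var/log
    host_to_jail "$demo_jail" "$demo_jail/var/log/named.log"
    link_jail_logs "$demo_jail" /var/log "$tmp/var/log/named"
    link_inside_jail "$demo_jail" "$tmp/var/log/named" && echo "host-side link resolves into the jail"
    ln -s /etc "$demo_jail/var/escape"          # a link that leads out of the jail
    link_inside_jail "$demo_jail" "$demo_jail/var/escape" || echo "escape link found: var/escape"
    rm -rf "$tmp"
}
demo
```

The in-jail path printed by host_to_jail is what goes into the channel's "file" clause; the directory it names must exist under the jail and be writable by the user named runs as. link_inside_jail and find_multilinked are the two checks to run over the jail tree after any change to it.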
