chroot /var/run permissions

Edward DeLargy eddelargy at gmail.com
Wed Aug 28 01:02:54 UTC 2013


John,
        You should check, if you have full root on the box, what permissions named
has as a group and what the (bind/named) user has. If you're running some
restricting permissions via the sudoers, you may need to lighten up to 775
from the chroot'd directory down, giving the ownership to the named group and
named user. If the process does start and the permissions aren't right, you
will run into more errors like zone transfer failures and other things that
require the process group and user to write into the directories where the
zone files are stored. Just a thought, but you may want to look into it.

Regards,
Ed



On Tue, Aug 27, 2013 at 2:38 PM, <johnh at primebuchholz.com> wrote:

> Greetings,
>
> I'm upgrading my bind installation on one of my hosts, and everything
> seems to be working properly although I'm getting a permissions
> error/warning in the log on startup:
>
> Aug 27 14:24:45 flotsam named[13746]: Required root permissions to open
> '/var/run/named.pid'.
> Aug 27 14:24:45 flotsam named[13746]: Please check file and directory
> permissions or reconfigure the filename.
> Aug 27 14:24:45 flotsam named[13746]: Required root permissions to open
> '/var/run/named/session.key'.
> Aug 27 14:24:45 flotsam named[13746]: Please check file and directory
> permissions or reconfigure the filename.
> Aug 27 14:24:45 flotsam named[13746]: command channel listening on
> 127.0.0.1#953
> Aug 27 14:24:45 flotsam named[13746]: the working directory is not
> writable
> Aug 27 14:24:45 flotsam named[13746]: all zones loaded
>
> This is in a chroot environment, and I'm starting a static-linked copy of
> named like this: /var/named/usr/sbin/named -t /var/named -u named.
>
> The permissions on the tree in question are:
>
> /var/named/var:
>
> drwxrwx---  3 root  named  512 Aug 27 14:25 run
>
> /var/named/var/run:
>
> drwxrwx---  2 root  named  512 Aug 27 14:25 named
>
> After named starts, it creates /var/named/var/run/named.pid and
> /var/named/var/run/named/session.key with the following permissions:
>
> -rw-r--r--  1 root  named    6 Aug 27 14:35 named.pid
>
> -rw-------  1 root  named  102 Aug 27 14:35 session.key
>
> What am I missing here?  /var/named/var/run and /var/named/var/run/named
> have group write permissions, so it seems it *shouldn't* be complaining,
> and the resulting files should've been owned by named, shouldn't they?
>
> Thanks,
>
> -John
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
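One way to check the directory permissions from outside the process, added here as an example and not code from the thread or from BIND: given the owner, group and mode of every component on the path, decide whether a particular uid, with a particular set of groups, can search each ancestor directory and create a file in the last one. The path records below are constructed from the listing in the post; the modes of /var/named and /var/named/var, and the numeric ids (root = 0, named = 53), are assumed because the post does not show them. The point the check makes visible is that group-write on run/ only counts if the gid the process actually runs with is among its groups.

```shell
#!/bin/sh
# Constructed example. Records are path:owner-uid:group-gid:octal-mode.
# Modes for /var/named and /var/named/var and the ids 0/53 are assumptions;
# the run/ and run/named entries follow the ls output in the post.
TREE="
/var/named:0:0:755
/var/named/var:0:0:755
/var/named/var/run:0:53:770
/var/named/var/run/named:0:53:770
"

# has_perm MODE CLASS PERM: true if permission PERM (r|w|x) is set for
# class CLASS (u|g|o) in the octal MODE (3 or 4 digits; setuid/sticky
# digits are ignored).
has_perm() {
    mode=$1; class=$2; perm=$3
    while [ ${#mode} -gt 3 ]; do mode=${mode#?}; done
    case $class in
        u) d=${mode%??} ;;
        g) d=${mode#?}; d=${d%?} ;;
        o) d=${mode#??} ;;
    esac
    case $perm in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; esac
    [ $(( d & bit )) -ne 0 ]
}

# in_groups GID GROUP...: true if GID is among the listed groups.
in_groups() {
    gid=$1; shift
    for g in "$@"; do [ "$g" = "$gid" ] && return 0; done
    return 1
}

# user_can RECORD UID PERM GROUP...: pick the permission class the way
# the kernel does (owner, else group if the file's gid is one of the
# process's groups, else other); uid 0 bypasses directory permissions.
user_can() {
    rec=$1; uid=$2; perm=$3; shift 3
    owner=$(echo "$rec" | cut -d: -f2)
    group=$(echo "$rec" | cut -d: -f3)
    mode=$(echo "$rec" | cut -d: -f4)
    [ "$uid" -eq 0 ] && return 0
    if [ "$uid" -eq "$owner" ]; then class=u
    elif in_groups "$group" "$@"; then class=g
    else class=o
    fi
    has_perm "$mode" "$class" "$perm"
}

# check_create_path TARGET UID GROUP...: every ancestor of TARGET needs
# search (x); TARGET itself needs write and search (w+x) to create a file.
# Prints the first failing component and returns 1; silent success is 0.
check_create_path() {
    target=$1; uid=$2; shift 2
    for rec in $TREE; do
        p=${rec%%:*}
        case "$target/" in "$p/"*) ;; *) continue ;; esac
        if [ "$p" = "$target" ]; then
            user_can "$rec" "$uid" w "$@" && user_can "$rec" "$uid" x "$@" \
                || { echo "cannot create in $p (uid=$uid groups=$*)"; return 1; }
        else
            user_can "$rec" "$uid" x "$@" \
                || { echo "cannot traverse $p (uid=$uid groups=$*)"; return 1; }
        fi
    done
    return 0
}

# Demo: uid 53 with group 53 can create in run/ and run/named; the same uid
# whose effective group is something else (12345 is a made-up gid) cannot,
# even though run/ is group-writable.
demo() {
    check_create_path /var/named/var/run 53 53 && echo "uid 53 gid 53: ok"
    check_create_path /var/named/var/run/named 53 53 && echo "uid 53 gid 53, run/named: ok"
    check_create_path /var/named/var/run 53 12345 || true
}

demo
```

To apply it to a real tree, replace the TREE records with the output of `stat` for each component (on GNU systems `stat -c '%n:%u:%g:%a'`, on BSD `stat -f '%N:%u:%g:%OLp'`) and pass the uid and the full group list the daemon switches to, not the ids of the shell you are typing in.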