statistics file initially created with incorrect permissions

Dan Langille dan at langille.org
Tue Jan 22 02:19:32 UTC 2019


> On Jan 21, 2019, at 7:53 PM, Mark Andrews <marka at isc.org> wrote:
> 
>> On 22 Jan 2019, at 2:53 am, Dan Langille <dan at langille.org> wrote:
>> 
>> I'm running bind911-9.11.5P1_2 on FreeBSD 11.2-RELEASE-p8
>> 
>> bind is running fine, except for the statistics file, which gets created with root:bind vs bind:bind and I do not know why.
>> 
>> named runs as the user bind:
>> 
>> $ ps auwwx | grep named
>> bind    79879  0.0  0.1 69028 47120  -  IsJ  21:18   2:35.88 /usr/local/sbin/named -u bind -c /usr/local/etc/namedb/named.conf
>> 
>> The configuration settings point to the right location:
>> 
>> $ grep stat /usr/local/etc/namedb/named.conf
>> 	statistics-file	"/var/run/named/stats";
>> 	zone-statistics yes;
>> 
>> The permissions of a running / working configuration:
>> 
>> $ ls -l /var/run/named
>> total 20
>> -rw-r--r--  1 bind  bind     6 Jan 21 15:16 pid
>> -rw-------  1 bind  bind   102 Jan 21 15:16 session.key
>> -rw-r--r--  1 bind  bind  9461 Jan 21 15:45 stats
>> 
>> $ ls -ld /var/run/named
>> drwxr-xr-x  2 bind  bind  5 Jan 21 15:20 /var/run/named
>> 
>> When named first creates this file, it is created chown root:bind and statistics fails:
>> 
>> 20-Jan-2019 16:30:22.356 received control channel command 'stats'
>> 20-Jan-2019 16:30:22.356 could not open statistics dump file '/var/run/named/stats': permission denied
>> 20-Jan-2019 16:30:22.356 dumpstats failed: permission denied
>> 
>> A quick 'chown bind /var/run/named/stats' fixes that and everything proceeds fine.
>> 
>> 1 - Why does named create this file as root:bind not bind:bind?
> 
> Named opens the file with the permissions of the user it is running as.  I would be looking
> for a external program that is creating the file as part of log rotation.

There is no log rotation for this. That was something I eliminated when this issue first came to light.

Since your reply, I realized that snmpd is invoking 'rndc stats'.

Now I know where to make adjustments so the permissions issue does not arise.

> 
>> Looking at the logs, this file is updated every five minutes.  The documentation says:
>> 
>> "The pathname of the file the server appends statistics to when instructed to do so using rndc stats."
>> 
>> named seems to be doing this automatically, as opposed to an external cronjob created by myself.
> 
> Please LOOK at the log messages that you cut and pasted.  They indicate that named received a
> 'rndc stats' command.

Yes, yes, they do.  My novice eyes did not equate 'control channel command' with rndc.

That, combined with not knowing/realizing that rndc was being invoked by snmpd had me wondering how
this was being done.

Thank you.

-- 
Dan Langille - BSDCan / PGCon
dan at langille.org
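The thread ends with the stats file being owned by root:bind because an external caller (snmpd) was triggering 'rndc stats'. The wrapper below is an added example, not code from the thread or from ISC: it checks that the statistics file exists and is owned by the user named runs as before issuing the control channel command, and can pre-create it with the right owner so the first dump does not fail with "permission denied". The default user "bind" and the path /var/run/named/stats are taken from the named.conf and ps output quoted above; the function names and the NAMED_USER/STATS_FILE environment overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for 'rndc stats' so the statistics file is
# created/owned by the named user, not by whoever calls rndc (e.g. snmpd as root).
# Defaults below come from the thread; override via environment if yours differ.
NAMED_USER="${NAMED_USER:-bind}"
STATS_FILE="${STATS_FILE:-/var/run/named/stats}"

# owner_of FILE -> prints the owning user of FILE.
# Uses ls(1) rather than stat(1) because stat's flags differ between FreeBSD and Linux.
owner_of() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# stats_file_ok FILE USER -> exit status 0 if FILE is a regular file owned by USER, else 1.
# This is the condition that was violated in the thread (file owned by root, named running as bind).
stats_file_ok() {
    f=$1
    u=$2
    [ -f "$f" ] || return 1
    [ "$(owner_of "$f")" = "$u" ] || return 1
    return 0
}

# precreate_stats_file FILE USER -> create FILE if missing, then chown it to USER
# with mode 0644 (matching the working listing in the thread), so that named,
# running as USER, can append to it. Returns 1 if any step fails.
precreate_stats_file() {
    f=$1
    u=$2
    if [ ! -e "$f" ]; then
        : > "$f" || return 1
    fi
    chown "$u" "$f" 2>/dev/null || return 1
    chmod 0644 "$f" || return 1
    return 0
}

# dump_stats -> ensure the file is usable by named, then ask named to dump statistics.
# Not run automatically; call it from the snmpd hook or cron entry instead of bare 'rndc stats'.
dump_stats() {
    if ! stats_file_ok "$STATS_FILE" "$NAMED_USER"; then
        precreate_stats_file "$STATS_FILE" "$NAMED_USER" || {
            echo "cannot prepare $STATS_FILE for user $NAMED_USER" >&2
            return 1
        }
    fi
    rndc stats
}
```

Note that chown only succeeds when the caller is root (or already the owner), which is the situation in the thread, where snmpd runs as root; a non-root caller would need the file pre-created once by an administrator. The ownership check itself needs no privilege, so it is also useful as a monitoring probe: a non-zero exit from stats_file_ok is exactly the state that produced the "could not open statistics dump file ... permission denied" log lines above.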



