Logging while chrooted.

Brian Johnson bjohnson at drtel.com
Wed Jul 13 18:20:57 UTC 2005


:-S

So let me re-state. You have my current logging directive

<SNIP>
logging {
	channel "default_syslog" {
		// Send most of the named messages to syslog.
		syslog local2;
		severity debug;
	};
	channel audit_log {
		// Send the security related messages to a separate file.
		file "/var/log/named.log";
		severity debug;
		print-time yes;
	};
	category default { default_syslog; };
	category general { default_syslog; };
	category security { audit_log; default_syslog; };
	category config { default_syslog; };
	category resolver { audit_log; };
	category xfer-in { audit_log; };
	category xfer-out { audit_log; };
	category notify { audit_log; };
	category client { audit_log; };
	category network { audit_log; };
	category update { audit_log; };
	category queries { audit_log; };
	category lame-servers { audit_log; };
};
<SNIP>

My bind runs as follows...

<SNIP>
isp01 ~]# ps -Af | grep named
named    29795     1  0 10:52 ?        00:00:00 /usr/sbin/named -u named -t /var/named/chroot
root     30699 30540  0 13:09 pts/1    00:00:00 grep named
[root at isp01 ~]# 
<SNIP>

So, as I see it, the daemon is running as named and is chrooted into
/var/named/chroot. Correct?

If so, if I modify my logging directive as such...

<SNIP>
[root at isp01 ~]# diff -c /etc/named.conf /etc/named.conf.old   
*** /etc/named.conf     2005-07-13 13:12:11.154208470 -0500
--- /etc/named.conf.old 2005-07-13 13:11:45.951772162 -0500
***************
*** 25,31 ****
        };
        channel audit_log {
              // Send the security related messages to a separate file.
!             file "/var/named/chroot/var/log/named.log";
              severity debug;
        print-time yes;
        };
--- 25,31 ----
        };
        channel audit_log {
              // Send the security related messages to a separate file.
!             file "/var/log/named.log";
              severity debug;
        print-time yes;
        };
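Review bot: the `!` line on the `***` side is the live /etc/named.conf (the arguments were given new-first, so `***` is the current file and `---` the backup), and it writes the host-side prefix /var/named/chroot into the log path. named is started with `-t /var/named/chroot` and opens its log channels after chroot(2), so that string is resolved inside the jail, where /var/named/chroot/var/log does not exist; that is exactly the "file not found" reported a few lines later. Keep the `---` side's `file "/var/log/named.log";` and fix the host directory /var/named/chroot/var/log (owner and mode for the named user) instead.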
[root at isp01 ~]# 
<SNIP>

And then change the ownership on the directory as such...

chown -R named.named /var/named/chroot/var/log

If I do this I get this message...

<SNIP>
Jul 13 13:15:24 isp01 named[30773]: isc_log_open '/var/named/chroot/var/log/named.log' failed: file not found
<SNIP>

:-S

TIA

- Brian J.

> -----Original Message-----
> From: aklist_bind at enigmedia.com [mailto:aklist_bind at enigmedia.com] 
> Sent: Wednesday, July 13, 2005 12:44 PM
> To: bjohnson at drtel.com
> Subject: Re: Logging while chrooted.
> 
> relative to the chroot is easiest...for example, my chroot is something like:
> 
> /var/named/
> 
> and my log is in
> 
> /var/named/log/named.log
> 
> alternatively, you can create a new directory in /var/log and make the user BIND is running as the owner, like:
> 
> /var/log/named/named.log
> 
> and then it will be able to write to that directory.
> 
> Does that make sense? When BIND is chrooted it can only write to directories where the BIND user instance has write permissions.
> 
> HTH!
> 
> ----- Original Message ----- 
> From: "Brian Johnson" <bjohnson at drtel.com>
> To: <bind-users at isc.org>
> Sent: Wednesday, July 13, 2005 1:15 PM
> Subject: RE: Logging while chrooted.
> 
> 
> > So in the config I need to specify a file relative to the actual root of the machine or relative to the chroot folder?
> >
> > - Brian J
> >
> >> -----Original Message-----
> >> From: aklist_bind at enigmedia.com [mailto:aklist_bind at enigmedia.com]
> >> Sent: Wednesday, July 13, 2005 11:57 AM
> >> To: bjohnson at drtel.com
> >> Subject: Re: Logging while chrooted.
> >>
> >> put the log directory below the chroot directory
> >>
> >> ----- Original Message ----- 
> >> From: "Brian Johnson" <bjohnson at drtel.com>
> >> To: <bind-users at isc.org>
> >> Sent: Wednesday, July 13, 2005 12:34 PM
> >> Subject: Logging while chrooted.
> >>
> >>
> >> > I am having a few issues attempting to log to a file while chrooted. My
> >> > understanding is that when chrooted, the named system only sees items in the
> >> > jail. When I set a logging directive and send things to a file, I am getting
> >> > the following errors.
> >> >
> >> > Jul 13 10:46:18 isp01 named[29712]: isc_log_open '/var/log/named.log' failed: permission denied
> >> >
> >> > This folder exists within the jail and is owned by the user named runs as.
> >> >
> >> > Here is my named.conf logging directive:
> >> >
> >> > logging {
> >> >      channel "default_syslog" {
> >> >            // Send most of the named messages to syslog.
> >> >            syslog local2;
> >> >      severity debug;
> >> >      };
> >> >      channel audit_log {
> >> >            // Send the security related messages to a separate file.
> >> >            file "/var/log/named.log";
> >> >            severity debug;
> >> >      print-time yes;
> >> >      };
> >> >      category default { default_syslog; };
> >> >      category general { default_syslog; };
> >> >      category security { audit_log; default_syslog; };
> >> >      category config { default_syslog; };
> >> >      category resolver { audit_log; };
> >> >      category xfer-in { audit_log; };
> >> >      category xfer-out { audit_log; };
> >> >      category notify { audit_log; };
> >> >      category client { audit_log; };
> >> >      category network { audit_log; };
> >> >      category update { audit_log; };
> >> >      category queries { audit_log; };
> >> >      category lame-servers { audit_log; };
> >> > };
> >> >
> >> > Any help would be appreciated.
> >> >
> >> > TIA
> >> >
> >> > - Brian J.
> >> >
> >> >
> >>
> >>
> >
> > 
> 
> 
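The two errors in this thread ("permission denied" for the jail-relative path, "file not found" once the host prefix was written into named.conf) follow directly from the fact that named -t calls chroot(2) before it opens its log channels. The script below is an added illustration, not code from the thread or from BIND: it maps the path as named sees it to the host path an administrator sees, applies plain owner/group/other mode bits to the parent directory, and reproduces both errors in a throw-away directory tree that mirrors the /var/named/chroot layout. The verdict strings, the fake jail under a temp directory and the "other user" uid/gid standing in for the named account are all constructed for the example; the mode-bit check deliberately ignores ACLs and SELinux, which can still deny a write this check would allow.

```python
"""Trace where BIND's `file "..."` log path lands under `named -t <dir>`.

named calls chroot(2) to <dir> before it opens log channels, so every path in
named.conf is resolved inside the jail.  Constructed example (not the
thread's code): map the jail path to the host path and apply the plain
mode-bit rules that the two isc_log_open errors in the thread correspond to.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Verdicts modelled on the two isc_log_open messages quoted in the thread.
NOT_FOUND = "file not found"
DENIED = "permission denied"
OK = "ok"


def host_path(chroot: str, jail_path: str) -> Path:
    """Host-side location of a path as named sees it after chroot()."""
    return Path(chroot) / jail_path.lstrip("/")


def can_write_dir(directory: Path, uid: int, gid: int) -> bool:
    """Can uid:gid create a file in `directory` by classic owner/group/other bits?
    Ignores ACLs, capabilities and SELinux, which may deny where this allows."""
    st = directory.stat()
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def diagnose(chroot: str, configured: str, uid: int, gid: int) -> dict:
    """Predict what isc_log_open would report for `configured` inside `chroot`."""
    target = host_path(chroot, configured)
    note = ""
    if configured.startswith(chroot.rstrip("/") + "/"):
        # The host-side prefix was written into named.conf; after chroot() it is
        # looked up again *under* the jail, i.e. the prefix is applied twice.
        note = f"host prefix {chroot!r} repeated in config: named looks for {target}"
    parent = target.parent
    if not parent.is_dir():
        verdict = NOT_FOUND
    elif not can_write_dir(parent, uid, gid):
        verdict = DENIED
    else:
        verdict = OK
    return {"verdict": verdict, "host_path": str(target), "note": note}


def demo() -> dict:
    """Build a throw-away jail mirroring the thread's layout and run three cases."""
    root = Path(tempfile.mkdtemp())
    try:
        chroot = root / "var" / "named" / "chroot"     # what `-t` points at
        logdir = chroot / "var" / "log"                # /var/log as seen inside the jail
        logdir.mkdir(parents=True)
        os.chmod(logdir, 0o755)                        # owned by us, not writable by others
        me_uid, me_gid = os.getuid(), os.getgid()
        other_uid, other_gid = me_uid + 1, me_gid + 1  # stands in for an unprivileged `named`
        cases = {
            # Case 1: the diff in the thread, host prefix written into named.conf.
            "host_prefix_in_config": diagnose(
                str(chroot), "/var/named/chroot/var/log/named.log", other_uid, other_gid),
            # Case 2: correct jail-relative path, host directory not writable by named.
            "jail_path_wrong_owner": diagnose(
                str(chroot), "/var/log/named.log", other_uid, other_gid),
            # Case 3: same path after the host directory is owned by named (here: by us).
            "jail_path_owned_by_named": diagnose(
                str(chroot), "/var/log/named.log", me_uid, me_gid),
        }
        return {name: result["verdict"] for name, result in cases.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Run it as any user: case 1 reports "file not found", case 2 "permission denied", case 3 "ok". The takeaway for a chrooted named is the one the earlier replies give: keep the in-jail path in named.conf and make the host-side directory under the jail writable by the named user.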



More information about the bind-users mailing list