Logging while chrooted.
Brian Johnson
bjohnson at drtel.com
Wed Jul 13 18:20:57 UTC 2005
:-S
So let me re-state. You have my current logging directive
<SNIP>
logging {
    channel "default_syslog" {
        // Send most of the named messages to syslog.
        syslog local2;
        severity debug;
    };
    channel audit_log {
        // Send the security related messages to a separate file.
        file "/var/log/named.log";
        severity debug;
        print-time yes;
    };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};
<SNIP>
My bind runs as follows...
<SNIP>
isp01 ~]# ps -Af | grep named
named 29795 1 0 10:52 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot
root 30699 30540 0 13:09 pts/1 00:00:00 grep named
[root at isp01 ~]#
<SNIP>
So, as I see it, the daemon is running as named and is chrooted into
/var/named/chroot. Correct?
If so, if I modify my logging directive as such...
<SNIP>
[root at isp01 ~]# diff -c /etc/named.conf /etc/named.conf.old
*** /etc/named.conf 2005-07-13 13:12:11.154208470 -0500
--- /etc/named.conf.old 2005-07-13 13:11:45.951772162 -0500
***************
*** 25,31 ****
};
channel audit_log {
// Send the security related messages to a separate file.
! file "/var/named/chroot/var/log/named.log";
severity debug;
print-time yes;
};
--- 25,31 ----
};
channel audit_log {
// Send the security related messages to a separate file.
! file "/var/log/named.log";
severity debug;
print-time yes;
};
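Review bot: The `file` path on the `!` line of the *** side, "/var/named/chroot/var/log/named.log", is opened only after named has already chrooted to /var/named/chroot (the `-t /var/named/chroot` in the ps output above), so on the host it resolves to /var/named/chroot/var/named/chroot/var/log/named.log, which is the "file not found" that isc_log_open reports below. Keep the directive as on the --- side, `file "/var/log/named.log";`, and give the named user write access to /var/named/chroot/var/log on the host instead. Also note the argument order: `diff -c /etc/named.conf /etc/named.conf.old` puts the edited file on the *** side, so the hunk reads as a change from the new config back to the old one.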
[root at isp01 ~]#
<SNIP>
And then change the ownership on the directory as such...
chown -R named.named /var/named/chroot/var/log
If I do this I get this message...
<SNIP>
Jul 13 13:15:24 isp01 named[30773]: isc_log_open '/var/named/chroot/var/log/named.log' failed: file not found
<SNIP>
:-S
TIA
- Brian J.
> -----Original Message-----
> From: aklist_bind at enigmedia.com [mailto:aklist_bind at enigmedia.com]
> Sent: Wednesday, July 13, 2005 12:44 PM
> To: bjohnson at drtel.com
> Subject: Re: Logging while chrooted.
>
> relative to the chroot is easiest...for example, my chroot is something like:
>
> /var/named/
>
> and my log is in
>
> /var/named/log/named.log
>
> alternatively, you can create a new directory in /var/log and make the user BIND is running as the owner, like:
>
> /var/log/named/named.log
>
> and then it will be able to write to that directory.
>
> Does that make sense? When BIND is chrooted it can only write to directories where the BIND user instance has write permissions.
>
> HTH!
>
> ----- Original Message -----
> From: "Brian Johnson" <bjohnson at drtel.com>
> To: <bind-users at isc.org>
> Sent: Wednesday, July 13, 2005 1:15 PM
> Subject: RE: Logging while chrooted.
>
>
> > So in the config I need to specify a file relative to the actual root of the machine or relative to the chroot folder?
> >
> > - Brian J
> >
> >> -----Original Message-----
> >> From: aklist_bind at enigmedia.com [mailto:aklist_bind at enigmedia.com]
> >> Sent: Wednesday, July 13, 2005 11:57 AM
> >> To: bjohnson at drtel.com
> >> Subject: Re: Logging while chrooted.
> >>
> >> put the log directory below the chroot directory
> >>
> >> ----- Original Message -----
> >> From: "Brian Johnson" <bjohnson at drtel.com>
> >> To: <bind-users at isc.org>
> >> Sent: Wednesday, July 13, 2005 12:34 PM
> >> Subject: Logging while chrooted.
> >>
> >>
> >> > I am having a few issues attempting to log to a file while chrooted. My understanding is that when chrooted, the named system only sees items in the jail. When I set a logging directive and send things to a file, I am getting the following errors.
> >> >
> >> > Jul 13 10:46:18 isp01 named[29712]: isc_log_open '/var/log/named.log' failed: permission denied
> >> >
> >> > This folder exists within the jail and is owned by the user named runs as.
> >> >
> >> > Here is my named.conf logging directive:
> >> >
> >> > logging {
> >> > channel "default_syslog" {
> >> > // Send most of the named messages to syslog.
> >> > syslog local2;
> >> > severity debug;
> >> > };
> >> > channel audit_log {
> >> > // Send the security related messages to a separate file.
> >> > file "/var/log/named.log";
> >> > severity debug;
> >> > print-time yes;
> >> > };
> >> > category default { default_syslog; };
> >> > category general { default_syslog; };
> >> > category security { audit_log; default_syslog; };
> >> > category config { default_syslog; };
> >> > category resolver { audit_log; };
> >> > category xfer-in { audit_log; };
> >> > category xfer-out { audit_log; };
> >> > category notify { audit_log; };
> >> > category client { audit_log; };
> >> > category network { audit_log; };
> >> > category update { audit_log; };
> >> > category queries { audit_log; };
> >> > category lame-servers { audit_log; };
> >> > };
> >> >
> >> > Any help would be appreciated.
> >> >
> >> > TIA
> >> >
> >> > - Brian J.
> >> >
> >> >
> >>
> >>
> >
> >
>
>
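As an added example (not from the thread or from BIND itself), a small Python checker that applies what the replies describe: every `file` channel path is taken relative to the `-t` chroot, so the script maps each one to its host-side location and tests whether the named user could write there. The chroot directory, uid and gid are passed in as assumptions; the named.conf excerpt is constructed sample input.

```python
import os
import re
import stat

# Constructed named.conf excerpt modelled on the thread's logging block
# (sample input for this example, not copied from any real server).
SAMPLE_CONF = '''
logging {
    channel "default_syslog" { syslog local2; severity debug; };
    channel audit_log {
        // Path as named sees it *inside* the jail.
        file "/var/log/named.log";
        severity debug;
        print-time yes;
    };
};
'''

FILE_DIRECTIVE = re.compile(r'\bfile\s+"([^"]+)"')


def log_files(conf_text):
    """Every path named by a `file "..."` channel directive in the config."""
    return FILE_DIRECTIVE.findall(conf_text)


def host_path(chroot, jail_path):
    """Where a jail-relative path lands on the host: `named -t CHROOT`
    chroots before it opens log files, so every directive is taken
    relative to CHROOT, even one that already starts with the prefix."""
    return os.path.join(chroot, jail_path.lstrip("/"))


def can_write(path, uid, gid):
    """True if a process running as uid/gid could create or append `path`
    (owner/group/other bits only; ACLs and SELinux are out of scope)."""
    target = path if os.path.exists(path) else os.path.dirname(path)
    try:
        st = os.stat(target)
    except FileNotFoundError:
        return False          # the directory itself is missing on the host
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def check_channels(conf_text, chroot, uid, gid):
    """Map each file channel to its host path and whether named can write it."""
    report = {}
    for jail in log_files(conf_text):
        host = host_path(chroot, jail)
        report[jail] = (host, can_write(host, uid, gid))
    return report
```

Feeding it the prefixed path from the diff above shows the doubled /var/named/chroot/var/named/chroot/... location that produced the "file not found" error.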