chroot /var/run permissions
Mark Andrews
marka at isc.org
Wed Aug 28 00:24:54 UTC 2013
/var/run/named.pid and /var/run/named/session.key need to be writable
by named. Additionally their parent directories need to be writable
by named so the files can be removed on shutdown. The files are
not writable by named.
-rw-r--r-- 1 root named 6 Aug 27 14:35 named.pid
-rw------- 1 root named 102 Aug 27 14:35 session.key
Named attempts to write these files as user named and if that fails
it switches user back to root and re-attempts to write these files.
If it succeeds with the second attempt you get the error messages
below.
Once named has opened the sockets it permanently switches to the
user named.
Mark
In message <OF0617C08B.79D0B7F1-ON85257BD4.00659822-85257BD4.00665FAB at primebuchholz.com>, johnh at primebuchholz.com writes:
> Greetings,
>
> I'm upgrading my bind installation on one of my hosts, and everything
> seems to be working properly although I'm getting a permissions
> error/warning in the log on startup:
>
> Aug 27 14:24:45 flotsam named[13746]: Required root permissions to open
> '/var/run/named.pid'.
> Aug 27 14:24:45 flotsam named[13746]: Please check file and directory
> permissions or reconfigure the filename.
> Aug 27 14:24:45 flotsam named[13746]: Required root permissions to open
> '/var/run/named/session.key'.
> Aug 27 14:24:45 flotsam named[13746]: Please check file and directory
> permissions or reconfigure the filename.
> Aug 27 14:24:45 flotsam named[13746]: command channel listening on
> 127.0.0.1#953
> Aug 27 14:24:45 flotsam named[13746]: the working directory is not
> writable
> Aug 27 14:24:45 flotsam named[13746]: all zones loaded
>
> This is in a chroot environment, and I'm starting a static-linked copy of
> named like this: /var/named/usr/sbin/named -t /var/named -u named.
>
> The permissions on the tree in question are:
>
> /var/named/var:
>
> drwxrwx--- 3 root named 512 Aug 27 14:25 run
>
> /var/named/var/run:
>
> drwxrwx--- 2 root named 512 Aug 27 14:25 named
>
> After named starts, it creates /var/named/var/run/named.pid and
> /var/named/var/run/named/session.key with the following permissions:
>
> -rw-r--r-- 1 root named 6 Aug 27 14:35 named.pid
>
> -rw------- 1 root named 102 Aug 27 14:35 session.key
>
> What am I missing here? /var/named/var/run and /var/named/var/run/named
> have group write permissions, so it seems it *shouldn't* be complaining,
> and the resulting files should've been owned by named, shouldn't they?
>
> Thanks,
>
> -John
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
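The ownership problem Mark describes can be checked without switching users. The following is an added audit script (not from the thread and not part of BIND) that applies the POSIX owner/group/other write test to each file and to its parent directory, the two things named needs for rewriting the file at startup and unlinking it at shutdown. The sample entries reproduce the listing from the thread; the uid/gid numbers are constructed for the example.

```python
import os
import stat
from collections import namedtuple

# The three stat() fields a discretionary-access write check needs.
Entry = namedtuple("Entry", "mode uid gid")

def entry_from_path(path):
    """Read mode/owner/group of a real path (for auditing a live chroot from the host)."""
    st = os.stat(path)
    return Entry(st.st_mode, st.st_uid, st.st_gid)

def can_write(entry, uid, gids):
    """Classic POSIX check: root bypasses mode bits, else owner, else group, else other."""
    if uid == 0:
        return True
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)

def audit(entries, uid, gids):
    """entries: {path: (file_entry, parent_dir_entry)}.  Returns a list of findings."""
    findings = []
    for path, (file_entry, dir_entry) in entries.items():
        if not can_write(file_entry, uid, gids):
            findings.append(f"{path}: not writable by uid {uid}; named falls back to root")
        if not can_write(dir_entry, uid, gids):
            findings.append(f"{path}: parent dir not writable by uid {uid}; cannot unlink on shutdown")
    return findings

# Constructed sample matching the listing in the thread: directories root:named 0770,
# files root:named 0644 / 0600.  The uid/gid values are made up for this example.
NAMED_UID, NAMED_GID = 25, 25
RUN_DIR = Entry(stat.S_IFDIR | 0o770, 0, NAMED_GID)
SAMPLE = {
    "/var/named/var/run/named.pid": (Entry(stat.S_IFREG | 0o644, 0, NAMED_GID), RUN_DIR),
    "/var/named/var/run/named/session.key": (Entry(stat.S_IFREG | 0o600, 0, NAMED_GID), RUN_DIR),
}

def fixed(entries, uid):
    """The same tree after chown'ing the two files to named, which is what the fix amounts to."""
    return {p: (f._replace(uid=uid), d) for p, (f, d) in entries.items()}

if __name__ == "__main__":
    for line in audit(SAMPLE, NAMED_UID, {NAMED_GID}) or ["no findings"]:
        print(line)
    print("after chown:", audit(fixed(SAMPLE, NAMED_UID), NAMED_UID, {NAMED_GID}) or "no findings")
```

On a live system, build the entries with entry_from_path() on the host-side chroot paths and pass the real uid and group set of the named user.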