logging permission denied

aklist aklist_bind at enigmedia.com
Fri Sep 19 13:08:10 UTC 2008


On Thu, 18 Sep 2008 10:36:02 -0700 Chris Buxton <cbuxton at menandmice.com> wrote:

> Here's the quick fix for a chroot'd path:
> 
> What you see as /var/named/chroot/, named will see as /. Therefore, if
> you want the path to be /var/named/chroot/var/log, you would put
> /var/log into the logging statement.
> 
> You cannot put a symlink into the chroot jail that leads outside of
> the jail. You should not create any hardlinks in the jail that share
> nodes with outside files or directories, because that provides an
> attacker with an avenue for escape from the jail. What you can do is
> to put a symlink called 'named' into /var/log that points to
> /var/named/chroot/var/log. Then if named is logging to /var/log (inside
> the jail), you can access its logs at the path /var/log/named.

Thanks for that, Chris.
> 
> And you should turn SELinux off if you don't have experience
> maintaining it.

I wasn't aware that it was "on"... is this some feature of Fedora that's
enabled by default?

> 
> Chris Buxton
> Professional Services
> Men & Mice
> 
> On Sep 18, 2008, at 6:48 AM, aklist wrote:
> 
> >
> >
> >> File is relative to chroot dir. Modify file "/var/log/named/named.log"
> >> to reflect this change and retry.
> >
> > Thanks... I'm not sure how to target the chroot'd path though?
> >
> > Is there a path var in Fedora that can be used as a shortcut, or does it
> > need to be explicit?
> >
> > If I run "ls -la /var/named" I see there's a directory called "chroot",
> > and in "chroot" there's "/var/named"
> >
> > Do I need to create an alias there to "/var/log"? And if so, would my
> > file path be:
> >
> > /chroot/var/log/named/named.log?
> >
> > I'm confused by all the aliasing and how the permissions apply :(
> >
> >>
> >>
> >> On Sep 10, 11:28 am, "aklist" <aklist_b... at enigmedia.com> wrote:
> >>> Hi All: I reinstalled bind to 9.5.0-p1 last month, and it's now
> >>> running chrooted (it wasn't before).
> >>>
> >>> My existing config file's logging statement looks like:
> >>>
> >>> logging {
> >>>   channel "my_syslog" { syslog daemon; severity info; };
> >>>   channel "my_file" {
> >>>     file "/var/log/named/named.log" versions 3 size 1000k;
> >>>     severity dynamic;
> >>>     print-category yes;
> >>>     print-severity yes;
> >>>     print-time yes;
> >>>   };
> >>>   channel "null" { null; };
> >>>   category "default" { "my_syslog"; "my_file"; "my_stats"; };
> >>>   category "general" { "my_file"; "my_stats"; };
> >>>   category "notify" { "my_file"; };
> >>>   category "queries" { "my_file"; };
> >>>   category "unmatched" { "null"; "my_stats"; };
> >>>   category "xfer-out" { "my_file"; };
> >>>   channel "my_stats" {
> >>>     file "/var/log/named/namedstats.log" versions 3 size 100k;
> >>>     severity dynamic;
> >>>     print-category yes;
> >>>     print-severity yes;
> >>>     print-time yes;
> >>>   };
> >>> };
> >>>
> >>> but when I reload bind I see that the "mystats" and "my_file" can't be
> >>> written with permission denied. Do I need to edit my config to target
> >>> the chroot, or do I need to edit the permissions on the existing
> >>> directories to allow BIND to write the logs?
> >>>
> >>> TIA
> >>
> >>
> >>
> >
> >
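Chris's path mapping and outward symlink, as an added shell example that is not part of the thread: the jail root /var/named/chroot and the /var/log/named link are his values, while the function names, the in-jail check and the temporary test directories are my own.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the chroot path mapping
# described above. Assumes the Fedora-style jail root /var/named/chroot;
# the function names are made up for this example.

# host_path JAIL PATH -> the host path named really opens when its logging
# statement names PATH inside the jail (the jail prefix is simply prepended).
host_path() {
    jail=${1%/}
    case $2 in
        /*) printf '%s%s\n' "$jail" "$2" ;;
        *)  return 1 ;;   # a file path in the logging statement must be absolute
    esac
}

# link_stays_in_jail JAIL LINK -> 0 only if LINK finally resolves to a path
# under JAIL; a link that escapes the jail is unusable to named and unsafe.
link_stays_in_jail() {
    jail=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    target=$(readlink -f "$2") || return 2
    case $target in
        "$jail"|"$jail"/*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# expose_logs JAIL LINK -> create the outward symlink (LINK -> JAIL/var/log),
# e.g. expose_logs /var/named/chroot /var/log/named, so the jail's logs can be
# read from outside; the link itself lives outside the jail, never inside it.
expose_logs() {
    jail=${1%/}
    [ -d "$jail/var/log" ] || return 1
    ln -s "$jail/var/log" "$2"
}

# Demo on the thread's paths (prints only; nothing is created on the host).
host_path /var/named/chroot /var/log/named/named.log
```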