Master file permission denied

Daniel Armando Rodriguez drodriguez at unau.edu.ar
Wed Jun 28 19:09:25 UTC 2023



Certainly, you pointed in the right direction :-)

Previously I had set the setgid bit on /etc/bind/zonas/ due to 
complaints from AppArmor. Now I've removed that bit and added an 
override for that folder in /etc/apparmor.d/local/usr.sbin.named.

Et voila!

However, I wonder about the reason behind this behaviour, as, as mentioned, 
it was previously working just fine.

Thanks, regards

On 2023-06-28 15:51, Danilo Godec via bind-users wrote:

> Hello,
> 
> I think
> 
> chmod ug+x /etc/bind/zonas/
> 
> should solve the issue by giving the owner (bind) and the group (bind) 
> permissions to enter the directory.
> 
> Danilo
> 
> On 28.6.2023 20:44, Daniel Armando Rodriguez via bind-users wrote:
> 
>> Before I start describing the problem, I should mention that this 
>> incident started when I tried to enable DNSSEC. I understand that it 
>> is unrelated, but previously everything was working correctly.
>> 
>> I'm using Debian 11 and Bind 9.18 from backports.
>> 
>> This is the current config:
>> 
>> # named-checkconf -px
>> options {
>> directory "/var/cache/bind/";
>> listen-on  {
>> 127.0.0.1/32;
>> 170.210.45.130/32;
>> };
>> listen-on-v6  {
>> 2800:110:44:6260::130/128;
>> };
>> querylog yes;
>> transfers-in 20;
>> transfers-per-ns 20;
>> version "Info not currently available";
>> allow-recursion {
>> "localhost";
>> ::1/128;
>> 170.210.0.0/16;
>> 2800:110:44:6260::/64;
>> };
>> auth-nxdomain no;
>> recursion yes;
>> allow-query {
>> "any";
>> };
>> allow-transfer  {
>> "none";
>> };
>> key-directory "/var/cache/bind/keys";
>> masterfile-format text;
>> };
>> statistics-channels {
>> inet 127.0.0.1 port 8053 allow {
>> 127.0.0.1/32;
>> };
>> };
>> zone "10.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "16.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "17.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "18.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "19.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "20.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "21.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "22.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "23.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "24.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "25.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "26.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "27.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "28.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "29.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "30.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "31.172.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "168.192.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.empty";
>> };
>> zone "unau.edu.ar" {
>> type primary;
>> file "/etc/bind/zonas/db.unau.edu.ar";
>> allow-query {
>> "any";
>> };
>> allow-transfer  {
>> 170.210.45.131/32;
>> };
>> allow-update {
>> "none";
>> };
>> also-notify {
>> 170.210.45.131;
>> };
>> serial-update-method increment;
>> };
>> zone "133.45.210.170.in-addr.arpa" {
>> type primary;
>> file "/etc/bind/zonas/133.45.210.170.in-addr.arpa";
>> allow-transfer  {
>> 170.210.45.131/32;
>> };
>> also-notify {
>> 170.210.45.131;
>> };
>> };
>> zone 
>> "3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa" 
>> {
>> type primary;
>> file 
>> "/etc/bind/zonas/3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa";
>> allow-transfer  {
>> 170.210.45.131/32;
>> };
>> also-notify {
>> 170.210.45.131;
>> };
>> };
>> zone "." {
>> type hint;
>> file "/usr/share/dns/root.hints";
>> };
>> zone "localhost" {
>> type master;
>> file "/etc/bind/db.local";
>> };
>> zone "127.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.127";
>> };
>> zone "0.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.0";
>> };
>> zone "255.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.255";
>> };
>> 
>> File permissions
>> 
>> # ls -alh /etc/bind
>> 
>> -rw-r--r--   1 root root 2,4K feb 26 06:27 bind.keys
>> -rw-r--r--   1 root root  255 feb 26 06:27 db.0
>> -rw-r--r--   1 root root  271 jun 30  2017 db.127
>> -rw-r--r--   1 root root  237 jun 30  2017 db.255
>> -rw-r--r--   1 root root  353 jun 30  2017 db.empty
>> -rw-r--r--   1 root root  270 jun 30  2017 db.local
>> -rw-r--r--   1 root root 3,1K may  3  2019 db.root
>> -rw-r--r--   1 root bind  458 feb 26 06:27 named.conf
>> -rw-r--r--   1 root root 1,2K jun 28 15:06 named.conf.local
>> -rw-r--r--   1 root root 2,8K jun 27 17:44 named.conf.options
>> -rw-r-----   1 bind bind  144 may 17 13:51 rndc.key
>> drw-r-S---   2 bind bind 4,0K jun 28 14:55 zonas
>> -rw-r--r--   1 root root 1,3K jun 30  2017 zones.rfc1918
>> 
>> # ls -alh /etc/bind/zonas/
>> drw-r-S--- 2 bind bind 4,0K jun 28 14:55 .
>> drwxr-sr-x 3 root bind 4,0K jun 28 15:06 ..
>> -rwxr-xr-- 1 bind bind  323 ene 16 10:59 133.45.210.170.in-addr.arpa
>> -rwxr-xr-- 1 bind bind  394 ene 16 10:58 
>> 3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa
>> -rwxr-xr-- 1 bind bind 5,4K jun 22 12:40 db.unau.edu.ar
>> 
>> Error messages
>> 
>> zone unau.edu.ar/IN: loading from master file 
>> /etc/bind/zonas/db.unau.edu.ar failed: permission denied
>> zone unau.edu.ar/IN: not loaded due to errors.
>> 
>> Named is running as the bind user.
>> 
>> I would be grateful for any enlightening ideas.
>> 
>> ________________________________________________
>> 
>> Daniel A. Rodriguez
>> _Informática, Conectividad y Sistemas_
>> Universidad Nacional del Alto Uruguay
>> San Vicente - Misiones - Argentina
>> informatica.unau.edu.ar [1]
> 
> --
> 
> Danilo Godec | Sistemska podpora / System Administration
> 
> AGENDA d.o.o. | Ul. Pohorskega bataljona 49, Sl-2000 Maribor
> 
> E: danilo.godec at agenda.si | T: +386 (0)2 421 61 31 | F: +386 (0)2 420 06 90
> 
> Agenda OpenSystems [2] | Largest Slovenian open-source integrator
> 
> Red Hat in Slovenia [3] | Red Hat Premier Business Partner
> 
> ElasticBox [4] | Business solutions in the cloud
> 
> Izjava o omejitvi odgovornosti / Legal disclaimer statement [5]

-- 
________________________________________________

  Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar [1]



Links:
------
[1] https://informatica.unau.edu.ar
[2] https://www.agenda.si/
[3] http://www.redhat.si/
[4] http://elasticbox.eu/
[5] https://www.agenda.si/index.php?id=228
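As an added illustration of the diagnosis in this thread (not code from either poster): a small Python audit that walks the directory chain the way the kernel's DAC check does, so a missing search (x) bit on a directory such as /etc/bind/zonas/ is reported without having to switch to the bind user. The listing from the thread is rebuilt in a temporary directory, the current user stands in for bind:bind, and the function names and the `top` parameter are my own.

```python
import os
import stat
import tempfile

def _allowed(st, uid, gid, owner_bit, group_bit, other_bit):
    # Plain Unix DAC: first matching class decides; root bypass, ACLs and AppArmor are not modelled.
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def audit_read_path(path, uid, gid, top="/"):
    """Everything stopping uid/gid reading `path`: dirs from `top` down need x, the file needs r."""
    path, top = os.path.abspath(path), os.path.abspath(top)
    problems, dirs, d = [], [], os.path.dirname(path)
    while True:
        dirs.append(d)
        parent = os.path.dirname(d)
        if d == top or parent == d:
            break
        d = parent
    for d in reversed(dirs):  # outermost directory first, like a real lookup
        st = os.stat(d)
        if not _allowed(st, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"{d}: no search (x) bit, mode {stat.filemode(st.st_mode)}")
    st = os.stat(path)
    if not _allowed(st, uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"{path}: no read bit, mode {stat.filemode(st.st_mode)}")
    return problems

def demo():
    """Rebuild the thread's layout in a temp dir (current user stands in for bind:bind)."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as top:
        zonas = os.path.join(top, "zonas")
        zone = os.path.join(zonas, "db.unau.edu.ar")
        os.mkdir(zonas)
        with open(zone, "w") as fh:
            fh.write("$TTL 3600\n")  # constructed placeholder, not the real zone
        os.chmod(zone, 0o754)    # -rwxr-xr--  as in the listing
        os.chmod(zonas, 0o2640)  # drw-r-S---  setgid set, search bit missing
        before = audit_read_path(zone, uid, gid, top)
        os.chmod(zonas, stat.S_IMODE(os.stat(zonas).st_mode) | stat.S_IXUSR | stat.S_IXGRP)  # chmod ug+x
        after = audit_read_path(zone, uid, gid, top)
    return before, after

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

For a live server, call `audit_read_path("/etc/bind/zonas/db.unau.edu.ar", bind_uid, bind_gid)` with the ids from `getent passwd bind`; an empty list means plain permissions are not the cause and the AppArmor profile is the next thing to check.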