Your message dated Fri, 26 Mar 2021 18:02:51 +0900
with message-id <[email protected]>
and subject line Re: Bug#985926: bind9: cannot create /run/named
has caused the Debian Bug report #985926,
regarding bind9: cannot create /run/named
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
985926: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985926
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bind9
Version: 1:9.16.11-2~bpo10+1
Quack,
I got these errors at startup:
Mar 26 08:51:46 Orfeo named[14057]: couldn't mkdir '/run/named': Permission denied
Mar 26 08:51:46 Orfeo named[14057]: generating session key for dynamic DNS
Mar 26 08:51:46 Orfeo named[14057]: couldn't mkdir '/run/named': Permission denied
Mar 26 08:51:46 Orfeo named[14057]: could not create /run/named/session.key
Mar 26 08:51:46 Orfeo named[14057]: failed to generate session key for dynamic DNS: permission denied
and apparmor is unhappy:
type=AVC msg=audit(1616745106.778:13945868): apparmor="DENIED" operation="mkdir" profile="named" name="/run/named/" pid=14057 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=102 ouid=102
type=AVC msg=audit(1616745106.778:13945869): apparmor="DENIED" operation="mkdir" profile="named" name="/run/named/" pid=14057 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=102 ouid=102
Creating the directory _after_ changing user is clearly a problem that
should be fixed in Bind, so changing the apparmor profile would not
help.
I added this in the service file:
ExecStartPre=/bin/mkdir -p /run/named
ExecStartPre=/bin/chown bind: /run/named
and it works now:
# ls -la /run/named/
total 8
drwxr-xr-x 2 bind bind 80 Mar 26 09:06 .
drwxr-xr-x 40 root root 1300 Mar 26 09:06 ..
-rw-r--r-- 1 bind bind 6 Mar 26 09:06 named.pid
-rw------- 1 bind bind 102 Mar 26 09:06 session.key
but of course the directory is not cleaned when the service stops.
I think it would be best to reconsider this PR at least partially and
run the service directly as the `bind` user:
https://salsa.debian.org/dns-team/bind9/-/merge_requests/1
I would suggest using `RuntimeDirectory` to create/cleanup the directory
automagically.
Regards.
\_o<
--
Marc Dequènes
--- End Message ---
--- Begin Message ---
Quack,
On 2021-03-26 17:36, Ondřej Surý wrote:
> is there anything wrong with your systemd-tmpfiles?
> $ cat /usr/lib/tmpfiles.d/named.conf
> d /run/named 0775 root bind - -
Hum, I missed that. The file is there and identical, so I wonder what
destroyed the directory then. Maybe something happened when I switched
to the backports but it's too old now.
Well, I don't want to lose your time, thus closing the ticket.
Thanks for your help.
\_o<
--
Marc Dequènes
--- End Message ---
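The thread closes on the tmpfiles.d entry that is supposed to create /run/named before named drops to the bind user. The check below is an added example, not part of the bug report or of any Debian or systemd tool: it reads a tmpfiles.d `d` line and confirms the directory on disk has the declared owner, group and mode, which is the state named needs when it can no longer mkdir the directory itself. It assumes GNU coreutils (`stat -c`); the function names are chosen here.

```shell
# Added example (not from the bug report). Assumes GNU stat.

# Parse one tmpfiles.d line of the form "d <path> <mode> <user> <group> - -"
# and print "<path> <mode> <user> <group>"; anything but a "d" entry is rejected.
tmpfiles_fields() {
    set -- $1
    [ "$1" = "d" ] || return 1
    printf '%s %s %s %s\n' "$2" "$3" "$4" "$5"
}

# Compare the directory on disk with what the tmpfiles.d line declares.
# Prints the first mismatch and returns 1, or prints "ok" and returns 0.
check_tmpfiles_dir() {
    fields=$(tmpfiles_fields "$1") || { echo "not a 'd' entry: $1"; return 1; }
    set -- $fields
    dir=$1; want_mode=$2; want_user=$3; want_group=$4
    # A missing directory is exactly the failure in the report: named, already
    # running as bind, cannot create it and AppArmor denies the mkdir anyway.
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    have=$(stat -c '%a %U %G' "$dir") || return 1
    set -- $have
    # stat prints the mode without the leading zero; drop it from the declaration too.
    [ "$1" = "${want_mode#0}" ] || { echo "$dir: mode $1, want $want_mode"; return 1; }
    [ "$2" = "$want_user" ] || { echo "$dir: owner $2, want $want_user"; return 1; }
    [ "$3" = "$want_group" ] || { echo "$dir: group $3, want $want_group"; return 1; }
    echo "$dir: ok ($1 $2:$3)"
}

# Usage against the entry shipped in /usr/lib/tmpfiles.d/named.conf:
#   check_tmpfiles_dir "d /run/named 0775 root bind - -"
```

Mode 0775 with group bind is what lets a process running as uid bind create named.pid and session.key inside a root-owned directory, so a mismatch in the group or mode explains the "could not create /run/named/session.key" line as well as a missing directory does.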