Hi
Try to add CAP_DAC_OVERRIDE to CapabilityBoundingSet so it ends up
being:
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
Best regards
Anders Giversen
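Added example, not code from this thread or from the NSD project: a small Python checker that applies systemd's merge rules for CapabilityBoundingSet= (repeated lines OR together, a leading "~" removes, an empty value resets) and the ReadWritePaths= subtree rule under ProtectSystem=strict to the unit quoted below, so the missing capability is visible before the unit is edited. The REQUIRED set is an assumption built only from the capabilities named in this thread, and the rules are a simplified model of systemd's behaviour.

```python
# Constructed input: the [Service] lines from the unit quoted in the thread.
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/sbin/nsd -d
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
"""
# Assumption: the capabilities named in the thread, i.e. the unit's list plus CAP_DAC_OVERRIDE.
REQUIRED = {"CAP_CHOWN", "CAP_IPC_LOCK", "CAP_NET_BIND_SERVICE", "CAP_SETGID",
            "CAP_SETUID", "CAP_SYS_CHROOT", "CAP_DAC_OVERRIDE"}

def parse_service(text: str) -> dict[str, list[str]]:
    """Map each [Service] key to its values in file order; repeated keys are kept."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (p.strip() for p in line.split("=", 1))
            settings.setdefault(key, []).append(value)
    return settings

def cap_allowed(values: list[str], cap: str) -> bool:
    """Is `cap` still in the bounding set after applying each assignment in order?
    Simplified model: unset = full set, empty value = empty set, '~' removes, plain lists OR in."""
    allowed = None  # None means "never assigned", which systemd treats as the full set
    for value in values:
        invert, listed = value.startswith("~"), set(value.lstrip("~").split())
        if not listed:
            allowed = False
        elif invert:
            allowed = (allowed is not False) and cap not in listed
        else:
            allowed = bool(allowed) or cap in listed
    return allowed is None or allowed

def missing_caps(settings: dict[str, list[str]], required: set[str]) -> set[str]:
    """Required capabilities that the unit's CapabilityBoundingSet= strips from the daemon."""
    values = settings.get("CapabilityBoundingSet", [])
    return {c for c in required if not cap_allowed(values, c)}

def path_writable(settings: dict[str, list[str]], path: str) -> bool:
    """Under ProtectSystem=strict only ReadWritePaths= entries and their subtrees are
    writable; other ProtectSystem= modes are treated as writable here (simplification)."""
    if settings.get("ProtectSystem", ["no"])[-1] != "strict":
        return True
    roots = [p.lstrip("-+") for v in settings.get("ReadWritePaths", []) for p in v.split()]
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)
```

The checker only reads what the unit declares; it cannot see what the daemon itself does after chroot() and setuid(), so a path it reports as writable can still fail at runtime.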
On 27-05-2020 08:22, Kaulkwappe via nsd-users wrote:
Hi MJ,
unfortunately I couldn't fix it. I tried one billion things, but
nothing worked. So I needed to go the hard way and commented this out
in /etc/systemd/system/multi-user.target.wants/nsd.service:
#CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
Kind Regards,
Kaulkwappe
-------------------------
From: mj via nsd-users <[email protected]>
Sent: Tuesday, 26. May 2020 – 11:58 CEST +0200
To: [email protected]
Subject: [nsd-users] NSD still shows permission errors on Debian 10 Buster
Hi,
Subscribed specially to reply to the subject thread.
I am also trying to run nsd on debian buster, and it's not working so nicely. :-)
error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
I added "/var/log" and "/run/nsd" ReadWritePaths to the nsd.service file, but the error remains:
[Unit]
Description=Name Server Daemon
Documentation=man:nsd(8)
After=network.target
[Service]
Type=notify
Restart=always
ExecStart=/usr/sbin/nsd -d
ExecReload=+/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
RuntimeDirectory=nsd
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources
[Install]
WantedBy=multi-user.target
I read in Paul Wouters' reply to add nsd User/Group to the service file, but then nsd no longer starts, as the nsd user has no permission to bind to port 53:
error: can't bind udp socket: Permission denied
I wanted to migrate from bind to nsd, but it seems the debian package could use some love. :-)
Does anyone have a suggestion how to proceed..? (a working systemd file perhaps?)
Thanks,
MJ
_______________________________________________
nsd-users mailing list
[email protected]
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users