This post

        [Pdns-users] control socket permissions
         
https://mailman.powerdns.com/pipermail/pdns-users/2011-September/020182.html

suggests that 

        If 'setgid' _is_ present, powerdns will run with that group ID; the 
socket will be set to that group ID too and permissions on the socket will be 
changed to 660.

I've installed

        dig chaos txt version.bind @127.0.0.1 -p 15301 +short
                "PowerDNS Authoritative Server 4.0.1-264-g50e4ab365 (built Dec 29 2016 09:49:29 by a...@dns.example.com)"

My config includes

        cat /usr/local/etc/powerdns/pdns.conf
                ...
                #chroot=/var/pdns
                socket-dir=/var/pdns
                setgid=pdns
                setuid=pdns
                ...

I've set 

        chmod 0775 /var/pdns
        chown pdns:pdns /var/pdns
        ls -ld /var/pdns
                drwxrwxr-x 2 pdns pdns 4.0K Dec 29 15:52 /var/pdns/

On exec

        rm -f /var/pdns/pdns.controlsocket
        systemctl start pdns

it fails.  Logs report,

        ...
        Dec 29 15:53:45 dns pdns[12445]: This is a standalone pdns
        Dec 29 15:53:45 dns pdns[12445]: Unable to bind to control socket at '/var/pdns/pdns.controlsocket', reason: Permission denied
        ...

Otoh, if

        rm -f /var/pdns/pdns.controlsocket
        chmod o+w /var/pdns
        ls -ld /var/pdns
                drwxrwxrwx 2 pdns pdns 4.0K Dec 29 15:52 /var/pdns/
        systemctl start pdns

it's successful

        tail -f /var/log/pdns/pdns.log
                ...
                Dec 29 15:44:24 dns pdns[31649]: Creating backend connection for TCP
                Dec 29 15:44:24 dns pdns[31649]: Master/slave communicator launching
                Dec 29 15:44:24 dns pdns[31649]: No new unfresh slave domains, 0 queued for AXFR already, 0 in progress
                Dec 29 15:44:24 dns pdns[31649]: No master domains need notifications
                Dec 29 15:44:24 dns pdns[31649]: About to create 3 backend threads for UDP
                Dec 29 15:44:24 dns pdns[31649]: Done launching threads, ready to distribute questions
        ls -al /var/pdns/
                total 40K
                drwxrwxrwx  2 pdns pdns 4.0K Dec 29 15:44 ./
                drwxr-xr-x 27 root root 4.0K Dec 29 10:13 ../
                srw-rw----  1 root pdns    0 Dec 29 15:44 pdns.controlsocket=
                -rw-------  1 pdns pdns  26K Dec 29 10:14 powerdns.sqlite3

Why are o+w perms required for the socket directory?  Shouldn't the 'pdns' uid/gid be sufficient?

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
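An added, stand-alone reproduction of the bind step the post is asking about (this is not PowerDNS code and not part of the original message). It creates a socket directory with the same 0775 mode, binds a UNIX control socket inside it, and then sets the socket to 0660 as the quoted reply says pdns does when setgid is configured. Run as the account that owns the directory (for the setup above, `sudo -u pdns python3 bindtest.py` with the path changed to /var/pdns), it separates plain filesystem permission checks from anything the daemon or its service unit does: if this succeeds without o+w on the directory but pdns still reports EACCES, the cause is not the directory's DAC bits. The directory path, socket name and modes are parameters chosen here, not values the post states beyond /var/pdns and pdns.controlsocket.

```python
import os
import socket
import stat
import tempfile


def bind_control_socket(sock_dir, name="pdns.controlsocket",
                        dir_mode=0o775, sock_mode=0o660):
    """Create sock_dir with dir_mode, bind a UNIX stream socket inside it and
    chmod the socket to sock_mode (the 660 described in the quoted reply).
    Returns a dict with the resulting modes so the caller can see whether the
    directory had to be world-writable for bind() to succeed."""
    os.makedirs(sock_dir, mode=dir_mode, exist_ok=True)
    os.chmod(sock_dir, dir_mode)        # makedirs honours umask; force the mode
    path = os.path.join(sock_dir, name)
    if os.path.exists(path):
        os.unlink(path)                 # stale socket from an earlier run
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.bind(path)                    # the call that failed with EACCES on the list
        os.chmod(path, sock_mode)       # bind() applies umask; tighten to 0660
        dir_bits = stat.S_IMODE(os.stat(sock_dir).st_mode)
        st = os.stat(path)
        return {
            "bound": True,
            "dir_mode": dir_bits,
            "dir_world_writable": bool(dir_bits & stat.S_IWOTH),
            "sock_mode": stat.S_IMODE(st.st_mode),
            "sock_is_socket": stat.S_ISSOCK(st.st_mode),
        }
    except PermissionError as exc:
        # Report instead of raising so the caller can compare with pdns' log line
        return {"bound": False, "error": str(exc)}
    finally:
        s.close()


def demo():
    """Run the bind test in a fresh temporary directory owned by the current
    user (constructed here); use a real socket-dir path when testing a deployment."""
    base = tempfile.mkdtemp()
    return bind_control_socket(os.path.join(base, "pdns"))


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        if isinstance(value, int) and not isinstance(value, bool) and "mode" in key:
            value = oct(value)
        print(f"{key}: {value}")
```

When the directory is owned by the uid running the test, the result shows `bound: True`, `dir_world_writable: False` and `sock_mode: 0o660`; compare that with the `srw-rw---- root pdns` socket in the listing above, which was created while the daemon still had root as its effective uid.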
