Re: chroot /var/run permissions

2013-08-30 Thread Edwin Lee
Hi John,

Perhaps you could try to chown directory /var/named to named
drwxrwx---  3 named  named

Edwin Lee

- Original Message -
From: jo...@primebuchholz.com
To: bind-users@lists.isc.org
Sent: Wednesday, August 28, 2013 2:38:11 AM
Subject: chroot /var/run permissions


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: chroot /var/run permissions

2013-08-28 Thread Carsten Strotmann

Hello John,

jo...@primebuchholz.com writes:


 What am I missing here?  /var/named/var/run and /var/named/var/run/named
 have group write permissions, so it seems it *shouldn't* be complaining,
 and the resulting files should've been owned by named, shouldn't they?


If you are running BIND on some flavor of Linux with SELinux enabled,
you might need to adjust the SELinux ruleset (recommended) or disable
SELinux (not-recommended). SELinux can prevent named from writing
files, even if the file-system permissions look correct.

-- Carsten



chroot /var/run permissions

2013-08-27 Thread johnh
Greetings,

I'm upgrading my bind installation on one of my hosts, and everything 
seems to be working properly although I'm getting a permissions 
error/warning in the log on startup:

Aug 27 14:24:45 flotsam named[13746]: Required root permissions to open 
'/var/run/named.pid'.
Aug 27 14:24:45 flotsam named[13746]: Please check file and directory 
permissions or reconfigure the filename.
Aug 27 14:24:45 flotsam named[13746]: Required root permissions to open 
'/var/run/named/session.key'.
Aug 27 14:24:45 flotsam named[13746]: Please check file and directory 
permissions or reconfigure the filename.
Aug 27 14:24:45 flotsam named[13746]: command channel listening on 
127.0.0.1#953
Aug 27 14:24:45 flotsam named[13746]: the working directory is not 
writable
Aug 27 14:24:45 flotsam named[13746]: all zones loaded

This is in a chroot environment, and I'm starting a static-linked copy of 
named like this: /var/named/usr/sbin/named -t /var/named -u named.

The permissions on the tree in question are:

/var/named/var:

drwxrwx---  3 root  named  512 Aug 27 14:25 run

/var/named/var/run:

drwxrwx---  2 root  named  512 Aug 27 14:25 named

After named starts, it creates /var/named/var/run/named.pid and 
/var/named/var/run/named/session.key with the following permissions:

-rw-r--r--  1 root  named    6 Aug 27 14:35 named.pid

-rw-------  1 root  named  102 Aug 27 14:35 session.key

What am I missing here?  /var/named/var/run and /var/named/var/run/named 
have group write permissions, so it seems it *shouldn't* be complaining, 
and the resulting files should've been owned by named, shouldn't they?

Thanks,

-John



Re: chroot /var/run permissions

2013-08-27 Thread Mark Andrews

/var/run/named.pid and /var/run/named/session.key need to be writable
by named.  Additionally their parent directories need to be writable
by named so the files can be removed on shutdown.  The files are
not writable by named.

-rw-r--r--  1 root  named    6 Aug 27 14:35 named.pid
-rw-------  1 root  named  102 Aug 27 14:35 session.key

Named attempts to write these files as user named and if that fails
it switches user back to root and re-attempts to write these files.
If it succeeds with the second attempt you get the error messages
below.

Once named has opened the sockets it permanently switches to the
user named.

Mark

In message OF0617C08B.79D0B7F1-ON85257BD4.00659822-85257BD4.00665FAB@primebuchholz.com, jo...@primebuchholz.com writes:
 Greetings,
 
 I'm upgrading my bind installation on one of my hosts, and everything 
 seems to be working properly although I'm getting a permissions 
 error/warning in the log on startup:
 
 Aug 27 14:24:45 flotsam named[13746]: Required root permissions to open 
 '/var/run/named.pid'.
 Aug 27 14:24:45 flotsam named[13746]: Please check file and directory 
 permissions or reconfigure the filename.
 Aug 27 14:24:45 flotsam named[13746]: Required root permissions to open 
 '/var/run/named/session.key'.
 Aug 27 14:24:45 flotsam named[13746]: Please check file and directory 
 permissions or reconfigure the filename.
 Aug 27 14:24:45 flotsam named[13746]: command channel listening on 
 127.0.0.1#953
 Aug 27 14:24:45 flotsam named[13746]: the working directory is not 
 writable
 Aug 27 14:24:45 flotsam named[13746]: all zones loaded
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
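An added check, written for this thread and not taken from it or from BIND's own code, that applies Mark's two rules to the ls -l lines John posted: the runtime file must be writable by the named user, and so must its parent directory, or named reopens the file as root and logs the warning. The ls lines and the named/named ownership are constructed from the thread's listing; entry_from_path is an assumed helper for running the same check against a live chroot tree.

```python
import os
import pwd
import grp
import stat

def parse_ls_line(line):
    """Turn an 'ls -l' line into the fields the permission check needs."""
    f = line.split()
    perms, owner, group, name = f[0], f[2], f[3], f[-1]
    mode = 0
    for i, ch in enumerate(perms[1:10]):      # rwxrwxrwx -> permission bits
        if ch != "-":
            mode |= 1 << (8 - i)
    return {"name": name, "mode": mode, "owner": owner, "group": group}

def entry_from_path(path):
    """Same structure, read from the live filesystem (assumed helper)."""
    st = os.stat(path)
    return {"name": os.path.basename(path), "mode": stat.S_IMODE(st.st_mode),
            "owner": pwd.getpwuid(st.st_uid).pw_name,
            "group": grp.getgrgid(st.st_gid).gr_name}

def can_write(entry, user, groups):
    """Unix access classes: owner bits if owner, else group bits, else other."""
    if entry["owner"] == user:
        return bool(entry["mode"] & stat.S_IWUSR)
    if entry["group"] in groups:
        return bool(entry["mode"] & stat.S_IWGRP)
    return bool(entry["mode"] & stat.S_IWOTH)

def check_runtime_file(file_entry, parent_entry, user="named", groups=("named",)):
    """List why named would fall back to root for this file (Mark's two rules)."""
    problems = []
    if not can_write(file_entry, user, groups):
        problems.append("%s: not writable by %s, named reopens it as root and "
                        "logs 'Required root permissions'" % (file_entry["name"], user))
    if not can_write(parent_entry, user, groups):
        problems.append("%s: not writable by %s, file cannot be removed on "
                        "shutdown" % (parent_entry["name"], user))
    return problems

if __name__ == "__main__":
    # Constructed ls -l lines reproducing John's listing (spacing normalised).
    run_dir = parse_ls_line("drwxrwx---  3 root  named  512 Aug 27 14:25 run")
    named_dir = parse_ls_line("drwxrwx---  2 root  named  512 Aug 27 14:25 named")
    pid = parse_ls_line("-rw-r--r--  1 root  named  6 Aug 27 14:35 named.pid")
    key = parse_ls_line("-rw-------  1 root  named  102 Aug 27 14:35 session.key")
    for entry, parent in ((pid, run_dir), (key, named_dir)):
        print(check_runtime_file(entry, parent) or ["%s: ok" % entry["name"]])
```

Both files are reported because they are owned by root with no group write bit, even though their directories are group-writable; chowning them to named (or making them group-writable) clears the report.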


Re: chroot /var/run permissions

2013-08-27 Thread Edward DeLargy
John,
You should check, as full root on the box, what permissions named
has as a group and what the (bind/named) user has. If you're running some
restricting permissions via the sudoers you may need to lighten up to 775
from the chroot'd directory down, giving the ownership to the named group and
named user. If the process does start and the permissions aren't right you
will run into more errors like zone transfer failures and other things that
require the process group and user to write into the directories where the
zone files are stored. Just a thought, but you may want to look into it.

Regards,
Ed



On Tue, Aug 27, 2013 at 2:38 PM, jo...@primebuchholz.com wrote:
