Re: [dnsdist] dnsdist 1.5.1 on Debian 10.8: snmpd socket and privileges
On 23. 02. 21 20:29, Mark Moseley via dnsdist wrote:
> On Tue, Feb 23, 2021 at 7:49 AM Remi Gacogne via dnsdist <dnsdist@mailman.powerdns.com> wrote:
> > Hi Aleš,
> >
> > On 2/23/21 4:35 PM, Aleš Rygl via dnsdist wrote:
> > > My idea was that changing mode of agentx directory above to 755 could
> > > help but it is not like that. I had to force dnsdist to run with root
> > > privileges to make it work again.
> > >
> > > What should be the correct setup to run dnsdist under _dnsdist account
> > > again and SNMP enabled?
> >
> > I _think_ you should be able to change the permissions on the directory
> > once, and it should stay that way, but you probably also need to set the
> > permissions on the socket itself. The documentation [1] states that you
> > can do that in snmpd.conf, and our own CI actually does:
> >
> >     agentxperms 0700 0755
> >
> > Which should set the socket permissions to 0700 and the directory
> > permissions to 0755. So if the socket is owned by _dnsdist, I think that
> > should work:
> >
> >     agentxperms 0700 0755 _dnsdist _dnsdist
>
> Or if you need to play nice with other things on the system (maybe other
> subagents are running):
>
>     agentxperms 0770 0770 root agentxusers
>
> and create a unix group called 'agentxusers' with _dnsdist in it (and then
> you can add other users requiring subagent access to that group)

Hi Remi,

Thanks for your immediate response. It works like magic! Now I remember there were such options in snmpd.conf. I should have read the documentation more carefully before asking :-) The only thing I can say to my apology is that there was no need to touch the previous version for more than eight months! Amazing!

@Mark, thanks. I was also considering this option.

Cheers
Ales
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
Re: [dnsdist] dnsdist 1.5.1 on Debian 10.8: snmpd socket and privileges
On Tue, Feb 23, 2021 at 7:49 AM Remi Gacogne via dnsdist <dnsdist@mailman.powerdns.com> wrote:
> Hi Aleš,
>
> On 2/23/21 4:35 PM, Aleš Rygl via dnsdist wrote:
> > My idea was that changing mode of agentx directory above to 755 could
> > help but it is not like that. I had to force dnsdist to run with root
> > privileges to make it work again.
> >
> > What should be the correct setup to run dnsdist under _dnsdist account
> > again and SNMP enabled?
>
> I _think_ you should be able to change the permissions on the directory
> once, and it should stay that way, but you probably also need to set the
> permissions on the socket itself. The documentation [1] states that you
> can do that in snmpd.conf, and our own CI actually does:
>
>     agentxperms 0700 0755
>
> Which should set the socket permissions to 0700 and the directory
> permissions to 0755. So if the socket is owned by _dnsdist, I think that
> should work:
>
>     agentxperms 0700 0755 _dnsdist _dnsdist

Or if you need to play nice with other things on the system (maybe other subagents are running):

    agentxperms 0770 0770 root agentxusers

and create a unix group called 'agentxusers' with _dnsdist in it (and then you can add other users requiring subagent access to that group)
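
Why changing only the directory to 755 did not help while the `agentxperms` lines above do, as an added example (not part of the thread, dnsdist or net-snmp): a small model of the Linux owner/group/other check for connecting to a pathname socket. The numeric ids, the 0700 mode of the original directory and the ownership each configuration ends up producing are assumptions; parent directories are assumed searchable.

```python
from collections import namedtuple

# Owner uid, group gid and mode bits, as `ls -ld` would report them.
Node = namedtuple("Node", "uid gid mode")
X, W = 0o1, 0o2  # search (execute) and write bits inside one rwx triplet

def allowed(node, uid, gids, want):
    """Unix DAC check: only the first matching class (owner, group, other) applies."""
    if uid == 0:
        return True  # root with default capabilities bypasses the mode bits
    if uid == node.uid:
        shift = 6
    elif node.gid in gids:
        shift = 3
    else:
        shift = 0
    return ((node.mode >> shift) & want) == want

def can_connect(directory, sock, uid, gids):
    """Linux connect() on a pathname socket: x on the directory, w on the socket."""
    return allowed(directory, uid, gids, X) and allowed(sock, uid, gids, W)

# Constructed numeric ids; real ones come from `id _dnsdist` and `getent group`.
ROOT, DNSDIST_UID, DNSDIST_GID, AGENTXUSERS = 0, 110, 115, 990

def scenarios():
    """Outcome for _dnsdist (or root) in each state discussed in the thread."""
    own = {DNSDIST_GID}                  # primary group only
    member = {DNSDIST_GID, AGENTXUSERS}  # after joining 'agentxusers'
    root_sock = Node(ROOT, ROOT, 0o755)  # srwxr-xr-x root root, as in the listing
    dns_sock = Node(DNSDIST_UID, DNSDIST_GID, 0o700)
    grp_sock = Node(ROOT, AGENTXUSERS, 0o770)
    return {
        # Directory mode assumed 0700 (the listing in the post is truncated).
        "default": can_connect(Node(ROOT, ROOT, 0o700), root_sock, DNSDIST_UID, own),
        "dir chmod 755 only": can_connect(Node(ROOT, ROOT, 0o755), root_sock, DNSDIST_UID, own),
        "run as root": can_connect(Node(ROOT, ROOT, 0o700), root_sock, ROOT, {ROOT}),
        "0700 0755 _dnsdist _dnsdist": can_connect(Node(ROOT, ROOT, 0o755), dns_sock, DNSDIST_UID, own),
        # Assumes the directory also ends up group-owned by agentxusers.
        "0770 0770 root agentxusers": can_connect(Node(ROOT, AGENTXUSERS, 0o770), grp_sock, DNSDIST_UID, member),
        # Hypothetical: same modes, but the directory is still root:root.
        "0770 dir left root:root": can_connect(Node(ROOT, ROOT, 0o770), grp_sock, DNSDIST_UID, member),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:30} {'connects' if ok else 'permission denied'}")
```

After restarting snmpd, `ls -ld /var/agentx /var/agentx/master` shows the actual owner, group and mode to compare against these cases.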
Re: [dnsdist] dnsdist 1.5.1 on Debian 10.8: snmpd socket and privileges
Hi Aleš,

On 2/23/21 4:35 PM, Aleš Rygl via dnsdist wrote:
> My idea was that changing mode of agentx directory above to 755 could
> help but it is not like that. I had to force dnsdist to run with root
> privileges to make it work again.
>
> What should be the correct setup to run dnsdist under _dnsdist account
> again and SNMP enabled?

I _think_ you should be able to change the permissions on the directory once, and it should stay that way, but you probably also need to set the permissions on the socket itself. The documentation [1] states that you can do that in snmpd.conf, and our own CI actually does:

    agentxperms 0700 0755

Which should set the socket permissions to 0700 and the directory permissions to 0755. So if the socket is owned by _dnsdist, I think that should work:

    agentxperms 0700 0755 _dnsdist _dnsdist

[1]: https://dnsdist.org/advanced/snmp.html

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
[dnsdist] dnsdist 1.5.1 on Debian 10.8: snmpd socket and privileges
Hello,

I am struggling a bit with dnsdist after the upgrade from 1.4.0 to 1.5.1. I am using Debian 10.8 and dnsdist with SNMP support enabled. It looks like the dnsdist systemd unit file forces dnsdist to drop privileges to _dnsdist user and _dnsdist group in 1.5.1:

    [Service]
    ExecStartPre=/usr/bin/dnsdist --check-config
    # Note: when editing the ExecStart command, keep --supervised and --disable-syslog
    ExecStart=/usr/bin/dnsdist --supervised --disable-syslog
    User=_dnsdist
    Group=_dnsdist

The issue is that with such options it cannot reach the snmpd socket any more:

    Feb 23 15:19:14 rzt-dns-lb2 dnsdist[20011]: Warning: Failed to connect to the agentx master agent (/var/agentx/master):

The permissions on the socket file (Debian default):

    # ll /var
    total 56
    drwx-- 2 root root 4096 Sep 23 16:59 agentx
    ll /var/agentx
    total 0
    srwxr-xr-x 1 root root 0 Feb 23 15:32 bmc
    srwxr-xr-x 1 root root 0 Feb 23 16:01 master
    # ll /var/agentx /var/agentx/master
    srwxr-xr-x 1 root root 0 Feb 23 16:01 /var/agentx/master

My idea was that changing mode of agentx directory above to 755 could help but it is not like that. I had to force dnsdist to run with root privileges to make it work again.

What should be the correct setup to run dnsdist under _dnsdist account again and SNMP enabled?

Many thanks

With regards
Ales