Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-10 Thread Steve Shipway
From what I can see, your snmpd system will run /usr/local/bin/pdns_stats as 
the snmpd user. This user does not have write permission to the 
/var/run/pdns-recursor directory and so you get the error.
You could either make the /var/run/pdns-recursor mode 775 and group snmpd; or 
maybe add the snmpd user to the pdns group and make the directory mode 775. 
Note that you also need to have the same mode and ownership on the socket.
Hope this helps. Sorry for the slow reply; I have been very busy.
Steve


> On 09 January 2020 at 18:24 Sharone  wrote:
> 
> Hello Steve,
> 
> I appreciate your response. Below is what is inside  /etc/snmp/snmpd.conf 
> file
> 
> rocommunity public
> syslocation "Data Center"
> syscontact ad...@techs.co.ug
> createUser admin SHA admin123! AES admin123!
> rouser admin authPriv
> extend pdns-rec /usr/local/bin/pdns_stats
> agentAddress udp:161,udp6:[::1]:161
> 
> /etc/default/snmpd
> 
> # This file controls the activity of snmpd
> 
> # Don't load any MIBs by default.
> # You might comment this lines once you have the MIBs downloaded.
> export MIBS=
> 
> # snmpd control (yes means start daemon).
> SNMPDRUN=yes
> 
> # snmpd options (use syslog, close stdin/out/err).
> SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'
> 
> snmp service status
> 
> # systemctl status snmpd.service
> ● snmpd.service - LSB: SNMP agents
>    Loaded: loaded (/etc/init.d/snmpd; bad; vendor preset: enabled)
>    Active: active (running) since Thu 2020-01-09 08:24:04 EAT; 4s ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 694 ExecStop=/etc/init.d/snmpd stop (code=exited, status=0/SUCCESS)
>   Process: 703 ExecStart=/etc/init.d/snmpd start (code=exited, status=0/SUCCESS)
>     Tasks: 1
>    Memory: 4.3M
>       CPU: 66ms
>    CGroup: /system.slice/snmpd.service
>            └─710 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /run/snmpd.pid
> 
> Jan 09 08:24:04 vdns-50 systemd[1]: Starting LSB: SNMP agents...
> Jan 09 08:24:04 vdns-50 snmpd[703]:  * Starting SNMP services:
> Jan 09 08:24:04 vdns-50 systemd[1]: Started LSB: SNMP agents.
> Jan 09 08:24:04 vdns-50 snmpd[710]: NET-SNMP version 5.7.3
> 
> Regards,
> Sharone
> 
> 
> On Wed, 8 Jan 2020 at 22:35, Steve Shipway <steve.ship...@smxemail.com> wrote:
> 
> > On Wed, 2020-01-08 at 09:20 +0300, Sharone wrote:
> > > # snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
> > > iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1 =
> > > STRING: "Fatal: Unable to generate local temporary file in directory
> > > '/var/run/pdns-recursor': Permission denied"
> > 
> > A couple of thoughts here .  Either
> > - SElinux is doing its magic and blocking - this should be logged 
> > in the syslog if so, or
> > - Your SNMP is running with chroot enabled and 
> > /var/run/pdns-recursor doesn't exist in the chroot environment
> > -  rec_control is trying to generate a tmp file as the snmp user so 
> > doesn't have write permission.
> > - Your SNMP daemon is using a temporary file for the rec_control 
> > output which it is trying to put in /var/run/pdns-recursor
> > 
> > Being able to see your snmp daemon configuration would probably 
> > help with diagnosing this, so please post it here if possible.
> > 
> > Steve
> > 
> > 
> > --
> > Steve Shipway | Senior Email Systems Administrator 
> > Phone: +64 9 302 0515 Fax: +64 9 302 0518 
> > Freephone: 0800 SMX SMX (769 769) 
> > SMX Limited: Level 10, 19 Victoria Street West, Auckland, New 
> > Zealand 
> > Web: http://smxemail.com/  
> > 
> > 
> > 
> > 
> > 
> > This email has been  filtered by SMX. For more information visit 
> > http://smxemail.com/
> > 
> > 
> > 
> > 
> > ___
> > Pdns-users mailing list
> > Pdns-users@mailman.powerdns.com 
> > mailto:Pdns-users@mailman.powerdns.com
> > https://mailman.powerdns.com/mailman/listinfo/pdns-users
> > 
> > > 
 


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-10 Thread Sharone
Thank you all for the generous and tremendous support.
I have traffic on Cacti from my recursive servers now.
Have a lovely weekend.

Regards,
Sharone


On Fri, 10 Jan 2020 at 14:30, Brian Candler  wrote:

> On 10/01/2020 11:07, Sharone wrote:
>
> I have attempted to comment out the line  *extend pdns-rec
> /usr/local/bin/pdns_stats *in snmpd.conf file and still gotten the same
> error, however changing permissions to the entire directory to rwx worked
> but like you mentioned this indeed brings about a security issue.
>
> Oh well, if that works, you just do tighter permissions - e.g. changing
> the directory *group* to "snmp" or "Debian-snmp" as appropriate, and
> setting mode 775.
>
> This is what out-of-box recursor has:
>
> root@cache1:~# ls -ld /var/run/pdns-recursor
> drwxr-xr-x 2 pdns pdns 60 Dec 12 12:49 /var/run/pdns-recursor
>
> root@cache1:~# ls -l /var/run/pdns-recursor/
> total 0
> srwxr-xr-x 1 pdns pdns 0 Dec 12 12:49 pdns_recursor.controlsocket
>
> Using pdns:snmp and mode 775 should be fine.
>
> See also the perms for the socket itself:
> https://docs.powerdns.com/recursor/settings.html#socket-owner-socket-group-socket-mode
>
> HTH,
>
> Brian.
>


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-10 Thread Brian Candler

On 10/01/2020 11:07, Sharone wrote:
> I have attempted to comment out the line extend pdns-rec
> /usr/local/bin/pdns_stats in snmpd.conf file and still gotten the
> same error, however changing permissions to the entire directory to
> rwx worked but like you mentioned this indeed brings about a security
> issue.


Oh well, if that works, you just do tighter permissions - e.g. changing 
the directory *group* to "snmp" or "Debian-snmp" as appropriate, and 
setting mode 775.


This is what out-of-box recursor has:

root@cache1:~# ls -ld /var/run/pdns-recursor
drwxr-xr-x 2 pdns pdns 60 Dec 12 12:49 /var/run/pdns-recursor

root@cache1:~# ls -l /var/run/pdns-recursor/
total 0
srwxr-xr-x 1 pdns pdns 0 Dec 12 12:49 pdns_recursor.controlsocket

Using pdns:snmp and mode 775 should be fine.

See also the perms for the socket itself: 
https://docs.powerdns.com/recursor/settings.html#socket-owner-socket-group-socket-mode


HTH,

Brian.
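
The permission options discussed in this thread (rwx for others versus mode 775 with the SNMP group, on both the directory and the control socket), as an added example that is not part of any poster's message: a shell audit that reports which of those states a path is in. It assumes GNU coreutils `stat`; `perm_bits` and `audit_path` are hypothetical helper names, and only the group and other permission bits are examined (not the owner bits, ACLs, AppArmor or SELinux).

```sh
#!/bin/sh
# Added example, not code from the thread or from PowerDNS.
# Audits the recursor control directory and socket for the two fixes
# discussed: "rwx for others" (world-writable) versus group-scoped 775.
# Assumption: GNU coreutils stat (the -c format option).

# perm_bits PATH -> prints "<octal-mode> <group-name>", e.g. "755 pdns"
perm_bits() {
    stat -c '%a %G' "$1"
}

# audit_path PATH GROUP
# Prints exactly one verdict:
#   world-writable  others hold the write bit on PATH
#   group-ok        PATH belongs to GROUP and GROUP has the access it needs
#   no-access       members of GROUP gain no write access via the group bits
# A directory needs group w+x so that rec_control can create its temporary
# file there; any other object (such as the control socket) needs group w,
# which Linux requires in order to connect to a pathname socket.
audit_path() {
    path=$1
    want=$2
    out=$(perm_bits "$path") || return 2
    set -- $out
    mode=$((0$1))        # leading 0 makes the shell read the mode as octal
    group=$2

    if [ $((mode & 2)) -ne 0 ]; then
        echo world-writable
        return 0
    fi
    if [ -d "$path" ]; then
        need=24          # octal 030: group write + search
    else
        need=16          # octal 020: group write
    fi
    if [ "$group" = "$want" ] && [ $((mode & need)) -eq "$need" ]; then
        echo group-ok
    else
        echo no-access
    fi
}

# Command-line use: sh audit.sh GROUP PATH...
# With the names from the thread this would be:
#   sh audit.sh snmp /var/run/pdns-recursor \
#       /var/run/pdns-recursor/pdns_recursor.controlsocket
# The socket's ownership and mode are governed by the socket-owner,
# socket-group and socket-mode settings named in the linked documentation.
if [ $# -ge 2 ]; then
    grp=$1
    shift
    for p in "$@"; do
        printf '%s: %s\n' "$p" "$(audit_path "$p" "$grp")"
    done
fi
```

The out-of-box listing shown above (`drwxr-xr-x pdns pdns`) yields `no-access` for the snmp group, and a directory opened up with rwx for others yields `world-writable`.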



Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-10 Thread Sharone
Thank you, Otto. I have tried both options on a dummy server with the exact
same setup.
I have attempted to comment out the line *extend pdns-rec
/usr/local/bin/pdns_stats* in the snmpd.conf file and still got the same
error; however, changing permissions on the entire directory to rwx worked,
but as you mentioned this indeed brings about a security issue.
This line is necessary in snmpd.conf in order for us to poll statistics
onto Cacti from the recursive DNS servers.
This is working on other DNS servers with Ubuntu 16 except 2 servers and
this has been mind-boggling.
I am running AppArmor (the default) and not SELinux on the servers.

Regards,
Sharone


On Fri, 10 Jan 2020 at 12:56, Otto Moerbeek via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> It looks like the rec_control line in your snmpd.conf is triggering the
> problem. Likely the snmpd subsystem starts rec_control as a user that
> does not have permission to write into /var/run/pdns-recursor.
>
> You can try disabling (by commenting it out) the
>
> extend pdns-rec /usr/local/bin/pdns_stats
>
> line or, if you really need it, change the permissions of the
> /var/run/pdns-recursor dir to include rwx for others.
>
> Note that the latter might have security implications on your system. You
> must decide if that is OK for you,
>
> -Otto
>
>
> On 2020-01-09 06:24, Sharone wrote:
> > Hello Steve,
> >
> > I appreciate your response. Below is what is inside
> > /etc/snmp/snmpd.conf file
> >
> > rocommunity public
> > syslocation "Data Center"
> > syscontact ad...@techs.co.ug
> > createUser admin SHA admin123! AES admin123!
> > rouser admin authPriv
> > extend pdns-rec /usr/local/bin/pdns_stats
> > agentAddress udp:161,udp6:[::1]:161
> >
> > /etc/default/snmpd
> >
> > # This file controls the activity of snmpd
> >
> > # Don't load any MIBs by default.
> > # You might comment this lines once you have the MIBs downloaded.
> > export MIBS=
> >
> > # snmpd control (yes means start daemon).
> > SNMPDRUN=yes
> >
> > # snmpd options (use syslog, close stdin/out/err).
> > SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'
> >
> > snmp service status
> >
> > # systemctl status snmpd.service
> > ● snmpd.service - LSB: SNMP agents
> >    Loaded: loaded (/etc/init.d/snmpd; bad; vendor preset: enabled)
> >    Active: active (running) since Thu 2020-01-09 08:24:04 EAT; 4s ago
> >      Docs: man:systemd-sysv-generator(8)
> >   Process: 694 ExecStop=/etc/init.d/snmpd stop (code=exited, status=0/SUCCESS)
> >   Process: 703 ExecStart=/etc/init.d/snmpd start (code=exited, status=0/SUCCESS)
> >     Tasks: 1
> >    Memory: 4.3M
> >       CPU: 66ms
> >    CGroup: /system.slice/snmpd.service
> >            └─710 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /run/snmpd.pid
> >
> > Jan 09 08:24:04 vdns-50 systemd[1]: Starting LSB: SNMP agents...
> > Jan 09 08:24:04 vdns-50 snmpd[703]:  * Starting SNMP services:
> > Jan 09 08:24:04 vdns-50 systemd[1]: Started LSB: SNMP agents.
> > Jan 09 08:24:04 vdns-50 snmpd[710]: NET-SNMP version 5.7.3
> >
> > Regards,
> > Sharone
> >
> >
> > On Wed, 8 Jan 2020 at 22:35, Steve Shipway wrote:
> >
> > On Wed, 2020-01-08 at 09:20 +0300, Sharone wrote:
> >> # snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
> >> iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1 =
> >> STRING: "Fatal: Unable to generate local temporary file in
> >> directory '/var/run/pdns-recursor': Permission denied"
> >
> > A couple of thoughts here .  Either
> > - SElinux is doing its magic and blocking - this should be logged in
> > the syslog if so, or
> > - Your SNMP is running with chroot enabled and
> > /var/run/pdns-recursor doesn't exist in the chroot environment
> > -  rec_control is trying to generate a tmp file as the snmp user so
> > doesn't have write permission.
> > - Your SNMP daemon is using a temporary file for the rec_control
> > output which it is trying to put in /var/run/pdns-recursor
> >
> > Being able to see your snmp daemon configuration would probably help
> > with diagnosing this, so please post it here if possible.
> >
> > Steve
> >
> >
> > --
> > *Steve Shipway | *Senior Email Systems Administrator
> > *Phone:* +64 9 302 0515 *Fax:* +64 9 302 0518
> > *Freephone:* 0800 SMX SMX (769 769)
> > *SMX Limited:* Level 10, 19 Victoria Street West, Auckland, New Zealand
> > *Web:* http://smxemail.com 
> >

Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-10 Thread Brian Candler

On 10/01/2020 09:56, Otto Moerbeek via Pdns-users wrote:

> It looks like the rec_control line in your snmpd.conf is triggering the
> problem. Likely the snmpd subsystem starts rec_control as a user that
> does not have permission to write into /var/run/pdns-recursor.
>
> You can try disabling (by commenting it out) the
>
> extend pdns-rec /usr/local/bin/pdns_stats
>
> line or, if you really need it, change the permissions of the
> /var/run/pdns-recursor dir to include rwx for others.
>
> Note that the latter might have security implications on your system. You
> must decide if that is OK for you,


As someone mentioned before: if this is an SELinux environment (e.g. 
CentOS/RedHat), snmpd may be prevented from accessing files in random 
directories, even if normal file/directory perms allow it.


Similar situation: I was using snmpd-mdraid-connector and 
snmpd-smartctl-connector, with these lines in snmpd.conf:


pass_persist .1.3.6.1.4.1.38696.2.1 /usr/sbin/snmpd-smartctl-connector
pass_persist .1.3.6.1.4.1.38696.2.2 /usr/sbin/snmpd-mdraid-connector

There is a separate cronjob which writes files that these connectors 
read.  To make these work, I had to ensure all the files were written 
under /var/cache/snmp, and set the selinux type to `snmpd_var_run_t`


In ansible-ese:

- name: create cache dir
  action: file path={{item}} state=directory setype=snmpd_var_run_t
  with_items:
    - /var/cache/snmp
    - /var/cache/snmp/mdadm
    - /var/cache/snmp/smartctl

You can test if this is the problem by putting selinux into permissive 
mode temporarily, before digging down further into exactly what the 
required fix is.


Alternatively: move away from using SNMP for collecting host and service 
information.  Almost anything is better.  Prometheus + node_exporter is 
my favourite solution.


Regards,

Brian.



Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-10 Thread Otto Moerbeek via Pdns-users
It looks like the rec_control line in your snmpd.conf is triggering the
problem. Likely the snmpd subsystem starts rec_control as a user that
does not have permission to write into /var/run/pdns-recursor.

You can try disabling (by commenting it out) the

extend pdns-rec /usr/local/bin/pdns_stats

line or, if you really need it, change the permissions of the
/var/run/pdns-recursor dir to include rwx for others.

Note that the latter might have security implications on your system. You
must decide if that is OK for you,

-Otto


On 2020-01-09 06:24, Sharone wrote:
> Hello Steve,
> 
> I appreciate your response. Below is what is inside 
> /etc/snmp/snmpd.conf file
> 
> rocommunity public
> syslocation "Data Center"
> syscontact ad...@techs.co.ug
> createUser admin SHA admin123! AES admin123!
> rouser admin authPriv
> extend pdns-rec /usr/local/bin/pdns_stats
> agentAddress udp:161,udp6:[::1]:161
> 
> /etc/default/snmpd
> 
> # This file controls the activity of snmpd
> 
> # Don't load any MIBs by default.
> # You might comment this lines once you have the MIBs downloaded.
> export MIBS=
> 
> # snmpd control (yes means start daemon).
> SNMPDRUN=yes
> 
> # snmpd options (use syslog, close stdin/out/err).
> SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'
> 
> snmp service status
> 
> # systemctl status snmpd.service
> ● snmpd.service - LSB: SNMP agents
>    Loaded: loaded (/etc/init.d/snmpd; bad; vendor preset: enabled)
>    Active: active (running) since Thu 2020-01-09 08:24:04 EAT; 4s ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 694 ExecStop=/etc/init.d/snmpd stop (code=exited, status=0/SUCCESS)
>   Process: 703 ExecStart=/etc/init.d/snmpd start (code=exited, status=0/SUCCESS)
>     Tasks: 1
>    Memory: 4.3M
>       CPU: 66ms
>    CGroup: /system.slice/snmpd.service
>            └─710 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /run/snmpd.pid
> 
> Jan 09 08:24:04 vdns-50 systemd[1]: Starting LSB: SNMP agents...
> Jan 09 08:24:04 vdns-50 snmpd[703]:  * Starting SNMP services:
> Jan 09 08:24:04 vdns-50 systemd[1]: Started LSB: SNMP agents.
> Jan 09 08:24:04 vdns-50 snmpd[710]: NET-SNMP version 5.7.3
> 
> Regards,
> Sharone
> 
> 
> On Wed, 8 Jan 2020 at 22:35, Steve Shipway wrote:
> 
> On Wed, 2020-01-08 at 09:20 +0300, Sharone wrote:
>> # snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
>> iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1 =
>> STRING: "Fatal: Unable to generate local temporary file in
>> directory '/var/run/pdns-recursor': Permission denied"
> 
> A couple of thoughts here .  Either
> - SElinux is doing its magic and blocking - this should be logged in
> the syslog if so, or
> - Your SNMP is running with chroot enabled and
> /var/run/pdns-recursor doesn't exist in the chroot environment
> -  rec_control is trying to generate a tmp file as the snmp user so
> doesn't have write permission.
> - Your SNMP daemon is using a temporary file for the rec_control
> output which it is trying to put in /var/run/pdns-recursor
> 
> Being able to see your snmp daemon configuration would probably help
> with diagnosing this, so please post it here if possible.
> 
> Steve
> 
> 
> -- 
> *Steve Shipway | *Senior Email Systems Administrator 
> *Phone:* +64 9 302 0515 *Fax:* +64 9 302 0518 
> *Freephone:* 0800 SMX SMX (769 769) 
> *SMX Limited:* Level 10, 19 Victoria Street West, Auckland, New Zealand 
> *Web:* http://smxemail.com  
> 

-- 
kind regards,
Otto Moerbeek
PowerDNS Developer

Email: otto.moerb...@open-xchange.com





Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-08 Thread Sharone
Hello Steve,

I appreciate your response. Below is what is inside /etc/snmp/snmpd.conf
file

rocommunity public
syslocation "Data Center"
syscontact ad...@techs.co.ug
createUser admin SHA admin123! AES admin123!
rouser admin authPriv
extend pdns-rec /usr/local/bin/pdns_stats
agentAddress udp:161,udp6:[::1]:161

/etc/default/snmpd

# This file controls the activity of snmpd

# Don't load any MIBs by default.
# You might comment this lines once you have the MIBs downloaded.
export MIBS=

# snmpd control (yes means start daemon).
SNMPDRUN=yes

# snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'

snmp service status

# systemctl status snmpd.service
● snmpd.service - LSB: SNMP agents
   Loaded: loaded (/etc/init.d/snmpd; bad; vendor preset: enabled)
   Active: active (running) since Thu 2020-01-09 08:24:04 EAT; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 694 ExecStop=/etc/init.d/snmpd stop (code=exited, status=0/SUCCESS)
  Process: 703 ExecStart=/etc/init.d/snmpd start (code=exited, status=0/SUCCESS)
    Tasks: 1
   Memory: 4.3M
      CPU: 66ms
   CGroup: /system.slice/snmpd.service
           └─710 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /run/snmpd.pid

Jan 09 08:24:04 vdns-50 systemd[1]: Starting LSB: SNMP agents...
Jan 09 08:24:04 vdns-50 snmpd[703]:  * Starting SNMP services:
Jan 09 08:24:04 vdns-50 systemd[1]: Started LSB: SNMP agents.
Jan 09 08:24:04 vdns-50 snmpd[710]: NET-SNMP version 5.7.3

Regards,
Sharone


On Wed, 8 Jan 2020 at 22:35, Steve Shipway 
wrote:

> On Wed, 2020-01-08 at 09:20 +0300, Sharone wrote:
>
>
> # snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
> iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1
> = STRING: "Fatal: Unable to generate local temporary file in directory
> '/var/run/pdns-recursor': Permission denied"
>
>
> A couple of thoughts here .  Either
> - SElinux is doing its magic and blocking - this should be logged in the
> syslog if so, or
> - Your SNMP is running with chroot enabled and /var/run/pdns-recursor
> doesn't exist in the chroot environment
> -  rec_control is trying to generate a tmp file as the snmp user so
> doesn't have write permission.
> - Your SNMP daemon is using a temporary file for the rec_control output
> which it is trying to put in /var/run/pdns-recursor
>
> Being able to see your snmp daemon configuration would probably help with
> diagnosing this, so please post it here if possible.
>
> Steve
>
>
> --
> *Steve Shipway | *Senior Email Systems Administrator
> *Phone:* +64 9 302 0515 *Fax:* +64 9 302 0518
> *Freephone:* 0800 SMX SMX (769 769)
> *SMX Limited:* Level 10, 19 Victoria Street West, Auckland, New Zealand
> *Web:* http://smxemail.com
>


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-08 Thread Steve Shipway
On Wed, 2020-01-08 at 09:20 +0300, Sharone wrote:
> # snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
> iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1 =
> STRING: "Fatal: Unable to generate local temporary file in directory
> '/var/run/pdns-recursor': Permission denied"


A couple of thoughts here .  Either
- SElinux is doing its magic and blocking - this should be logged in the syslog 
if so, or
- Your SNMP is running with chroot enabled and /var/run/pdns-recursor doesn't 
exist in the chroot environment
-  rec_control is trying to generate a tmp file as the snmp user so doesn't 
have write permission.
- Your SNMP daemon is using a temporary file for the rec_control output which 
it is trying to put in /var/run/pdns-recursor









-- 
Steve Shipway | Senior Email Systems Administrator 
Phone: +64 9 302 0515 Fax: +64 9 302 0518 
Freephone: 0800 SMX SMX (769 769) 
SMX Limited: Level 10, 19 Victoria Street West, Auckland, New Zealand 
Web: http://smxemail.com 



Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-08 Thread Sharone
Hi Michael,
I failed to find anything useful in the audit.log file as you recommended
besides failed login attempts.
Thought I'd share this as well

# ps auxw | grep snmp
snmp     24569  0.0  0.1  65068  8564 ?        S    09:28   0:07 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /run/snmpd.pid
root     26031  0.0  0.0  12940   968 pts/0    S+   12:03   0:00 grep --color=auto snmp

# ps auxw | grep pdns
pdns     25624  0.1  0.1 1416756 16036 ?       Ssl  11:11   0:03 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no
root     26036  0.0  0.0  12940  1084 pts/0    S+   12:04   0:00 grep --color=auto pdns

# netstat -nl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.157.4.178:53         0.0.0.0:*               LISTEN
tcp        0      0 41.210.187.101:53       0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 10.157.4.178:53         0.0.0.0:*
udp        0      0 41.210.187.101:53       0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp6       0      0 ::1:161                 :::*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     664628   /run/user/1000/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     620630   /run/user/1001/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     11972    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     14915    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     15150    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     15047    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     15151    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     15152    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     11885    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     11967    /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     11969    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     11970    /run/systemd/fsck.progress
unix  2      [ ACC ]     STREAM     LISTENING     10457    /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     18924    /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     16697    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     15070    /run/acpid.socket
#


Regards,
Sharone B.


On Tue, 7 Jan 2020 at 22:02, Michael Ströder  wrote:

> On 1/7/20 3:00 PM, Sharone Bakara wrote:
> > On 7 Jan 2020, at 16:55, Remi Gacogne  wrote:
> >> On 1/7/20 2:41 PM, Sharone wrote:
> >>> '/var/run/pdns-recursor': Permission denied"*
> >> I'm not sure of what your SNMP setup is, but it looks like the user
> >> invoking rec_control does not have the rights to create a new file in
> >> /var/run/pdns-recursor. What happens if you invoke the rec_control
> >> command directly as the 'pdns' user?
> >
> > I get the same error as when I run it root.
>
> Whenever "permissions denied" happens while running an action as root
> I'd check whether SELinux or AppArmor blocks some access.
> => check your audit log (assuming you're running auditd)
>
> Ciao, Michael.
>


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-07 Thread Sharone
Hi Remi,
Sorry, looks like I may have misinterpreted your question.
Even when I invoke the command rec_control version as myself, I do get an
error.


$ rec_control version
Fatal: Unable to generate local temporary file in directory '/var/run/pdns-recursor': Permission denied


Regards,
Sharone B.


On Tue, 7 Jan 2020 at 16:55, Remi Gacogne  wrote:

> On 1/7/20 2:41 PM, Sharone wrote:
> > I apologize if this has been discussed before. I cannot seem to find a
> > solution that works at the moment. I am trying to have this server poll
> > data but I have the error below when I try to snmpwalk
> >
> > # sudo -u pdns rec_control version
> > 4.3.0-beta1.39.master.g0c1ebf7c
> >
> > # snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
> > iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1
> > = STRING: "Fatal: Unable to generate local temporary file in directory
> > '/var/run/pdns-recursor': Permission denied"
>
> I'm not sure of what your SNMP setup is, but it looks like the user
> invoking rec_control does not have the rights to create a new file in
> /var/run/pdns-recursor. What happens if you invoke the rec_control
> command directly as the 'pdns' user?
>
> Best regards,
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
>


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-07 Thread Sharone
The issue is that I need to be able to poll data from the recursive DNS
server, however I have been having trouble with permissions. This is the
error I get when I run snmpwalk from the server.


# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1
= STRING: "Fatal: Unable to generate local temporary file in directory
'/var/run/pdns-recursor': Permission denied"

Below is what I get when I run the command rec_control as user pdns


# su -c "rec_control version" -s /bin/sh pdns
4.3.0-beta1.52.master.ga9d432dc0

Starting the recursor service

# systemctl status pdns-recursor.service
● pdns-recursor.service - PowerDNS Recursor
   Loaded: loaded (/lib/systemd/system/pdns-recursor.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-01-08 08:11:07 EAT; 14min ago
     Docs: man:pdns_recursor(1)
           man:rec_control(1)
           https://doc.powerdns.com
 Main PID: 22993 (pdns_recursor)
    Tasks: 19
   Memory: 6.4M
      CPU: 1.479s
   CGroup: /system.slice/pdns-recursor.service
           └─22993 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no

Jan 08 08:11:07 vdns-50 pdns_recursor[22993]: Done priming cache with root hints
Jan 08 08:11:07 vdns-50 pdns_recursor[22993]: Done priming cache with root hints
Jan 08 08:11:07 vdns-50 pdns_recursor[22993]: Done priming cache with root hints
Jan 08 08:11:07 vdns-50 pdns_recursor[22993]: Done priming cache with root hints
Jan 08 08:11:07 vdns-50 pdns_recursor[22993]: Done priming cache with root hints
Jan 08 08:11:07 vdns-50 systemd[1]: Started PowerDNS Recursor.
Jan 08 08:11:07 vdns-50 pdns_recursor[22993]: Done priming cache with root hints
Jan 08 08:11:07 vdns-50 pdns_recursor[22993]: Done priming cache with root hints
Jan 08 08:11:07 vdns-50 pdns_recursor[22993]: Done priming cache with root hints
Jan 08 08:11:07 vdns-50 pdns_recursor[22993]: Enabled 'epoll' multiplexer

Hope this is clearer now
Regards,
Sharone B.


On Tue, 7 Jan 2020 at 18:15, Otto Moerbeek  wrote:

> On Tue, Jan 07, 2020 at 05:00:08PM +0300, Sharone Bakara wrote:
>
> > I get the same error as when I run it root.
> >
> > Regards,
> > SB
>
> Can you please make a new mail with the exact commands and the error
> messages? Your message seems to be misformatted.  It is confusing,
> since the error message seems to come from rec_control, but is below a
> snmpwalk command.
>
> So exact commands and exact error messages, please.
>
> -Otto
>
> >
> > > > On 7 Jan 2020, at 16:55, Remi Gacogne wrote:
> > > >
> > > > On 1/7/20 2:41 PM, Sharone wrote:
> > > >> I apologize if this has been discussed before. I cannot seem to find a
> > > >> solution that works at the moment. I am trying to have this server poll
> > > >> data but I have the error below when I try to snmpwalk
> > > >>
> > > >> # sudo -u pdns rec_control version
> > > >> 4.3.0-beta1.39.master.g0c1ebf7c
> > > >>
> > > >> # snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
> > > >> iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1
> > > >> = STRING: "Fatal: Unable to generate local temporary file in directory
> > > >> '/var/run/pdns-recursor': Permission denied"
> > >
> > > I'm not sure of what your SNMP setup is, but it looks like the user
> > > invoking rec_control does not have the rights to create a new file in
> > > /var/run/pdns-recursor. What happens if you invoke the rec_control
> > > command directly as the 'pdns' user?
> > >
> > > Best regards,
> > > --
> > > Remi Gacogne
> > > PowerDNS.COM BV - https://www.powerdns.com/
> > >


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-07 Thread Michael Ströder
On 1/7/20 3:00 PM, Sharone Bakara wrote:
> On 7 Jan 2020, at 16:55, Remi Gacogne  wrote:
>> On 1/7/20 2:41 PM, Sharone wrote:
>>> '/var/run/pdns-recursor': Permission denied"*
>> I'm not sure of what your SNMP setup is, but it looks like the user
>> invoking rec_control does not have the rights to create a new file in
>> /var/run/pdns-recursor. What happens if you invoke the rec_control
>> command directly as the 'pdns' user?
>
> I get the same error as when I run it root.

Whenever "permissions denied" happens while running an action as root
I'd check whether SELinux or AppArmor blocks some access.
=> check your audit log (assuming you're running auditd)

Ciao, Michael.


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-07 Thread Otto Moerbeek
On Tue, Jan 07, 2020 at 04:15:16PM +0100, Otto Moerbeek wrote:

> On Tue, Jan 07, 2020 at 05:00:08PM +0300, Sharone Bakara wrote:
> 
> > I get the same error as when I run it as root.
> > 
> > Regards,
> > SB
> 
> Can you please make a new mail with the exact commands and the error
> messages? Your message seems to be misformatted.  It is confusing,
> since the error message seems to come from rec_control, but is below a
> snmpwalk command.
> 
> So exact commands and exact error messages, please.

and your recursor.conf plus how did you start the recursor is also important.

> 
>   -Otto
> 
> > 
> > > On 7 Jan 2020, at 16:55, Remi Gacogne  wrote:
> > > 
> > > On 1/7/20 2:41 PM, Sharone wrote:
> > >> I apologize if this has been discussed before. I cannot seem to find a
> > >> solution that works at the moment. I am trying to have this server poll
> > >> data but I have the error below when I try to snmpwalk
> > >> 
> > >> * # sudo -u pdns rec_control version4.3.0-beta1.39.master.g0c1ebf7c*
> > >> 
> > >> 
> > >> *# snmpwalk -v2c -c public localhost
> > >> .1.3.6.1.4.1.8072.1.3.2.4.1.2iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1
> > >> = STRING: "Fatal: Unable to generate local temporary file in directory
> > >> '/var/run/pdns-recursor': Permission denied"*
> > > 
> > > I'm not sure of what your SNMP setup is, but it looks like the user
> > > invoking rec_control does not have the rights to create a new file in
> > > /var/run/pdns-recursor. What happens if you invoke the rec_control
> > > command directly as the 'pdns' user?
> > > 
> > > Best regards,
> > > -- 
> > > Remi Gacogne
> > > PowerDNS.COM BV - https://www.powerdns.com/
> > > 


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-07 Thread Otto Moerbeek
On Tue, Jan 07, 2020 at 05:00:08PM +0300, Sharone Bakara wrote:

> I get the same error as when I run it as root.
> 
> Regards,
> SB

Can you please make a new mail with the exact commands and the error
messages? Your message seems to be misformatted.  It is confusing,
since the error message seems to come from rec_control, but is below a
snmpwalk command.

So exact commands and exact error messages, please.

-Otto

> 
> > On 7 Jan 2020, at 16:55, Remi Gacogne  wrote:
> > 
> > On 1/7/20 2:41 PM, Sharone wrote:
> >> I apologize if this has been discussed before. I cannot seem to find a
> >> solution that works at the moment. I am trying to have this server poll
> >> data but I have the error below when I try to snmpwalk
> >> 
> >> * # sudo -u pdns rec_control version4.3.0-beta1.39.master.g0c1ebf7c*
> >> 
> >> 
> >> *# snmpwalk -v2c -c public localhost
> >> .1.3.6.1.4.1.8072.1.3.2.4.1.2iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1
> >> = STRING: "Fatal: Unable to generate local temporary file in directory
> >> '/var/run/pdns-recursor': Permission denied"*
> > 
> > I'm not sure of what your SNMP setup is, but it looks like the user
> > invoking rec_control does not have the rights to create a new file in
> > /var/run/pdns-recursor. What happens if you invoke the rec_control
> > command directly as the 'pdns' user?
> > 
> > Best regards,
> > -- 
> > Remi Gacogne
> > PowerDNS.COM BV - https://www.powerdns.com/
> > 


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-07 Thread Sharone Bakara
I get the same error as when I run it as root.

Regards,
SB

> On 7 Jan 2020, at 16:55, Remi Gacogne  wrote:
> 
> On 1/7/20 2:41 PM, Sharone wrote:
>> I apologize if this has been discussed before. I cannot seem to find a
>> solution that works at the moment. I am trying to have this server poll
>> data but I have the error below when I try to snmpwalk
>> 
>> * # sudo -u pdns rec_control version4.3.0-beta1.39.master.g0c1ebf7c*
>> 
>> 
>> *# snmpwalk -v2c -c public localhost
>> .1.3.6.1.4.1.8072.1.3.2.4.1.2iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1
>> = STRING: "Fatal: Unable to generate local temporary file in directory
>> '/var/run/pdns-recursor': Permission denied"*
> 
> I'm not sure of what your SNMP setup is, but it looks like the user
> invoking rec_control does not have the rights to create a new file in
> /var/run/pdns-recursor. What happens if you invoke the rec_control
> command directly as the 'pdns' user?
> 
> Best regards,
> -- 
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
> 


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-07 Thread Remi Gacogne
On 1/7/20 2:41 PM, Sharone wrote:
> I apologize if this has been discussed before. I cannot seem to find a
> solution that works at the moment. I am trying to have this server poll
> data but I have the error below when I try to snmpwalk
>  
> * # sudo -u pdns rec_control version4.3.0-beta1.39.master.g0c1ebf7c*
> 
> 
> *# snmpwalk -v2c -c public localhost
> .1.3.6.1.4.1.8072.1.3.2.4.1.2iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1
> = STRING: "Fatal: Unable to generate local temporary file in directory
> '/var/run/pdns-recursor': Permission denied"*

I'm not sure of what your SNMP setup is, but it looks like the user
invoking rec_control does not have the rights to create a new file in
/var/run/pdns-recursor. What happens if you invoke the rec_control
command directly as the 'pdns' user?

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/





[Pdns-users] pdns-recursor Permissions Error

2020-01-07 Thread Sharone
I apologize if this has been discussed before. I cannot seem to find a
solution that works at the moment. I am trying to have this server poll
data but I have the error below when I try to snmpwalk


# sudo -u pdns rec_control version
4.3.0-beta1.39.master.g0c1ebf7c

# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1 = STRING: "Fatal: Unable to generate local temporary file in directory '/var/run/pdns-recursor': Permission denied"

Permissions

drwxr-xr-x  2 pdns pdns   60 Jan  7 16:31 pdns-recursor/
srwxrwxrwx  1 pdns pdns   0 Jan  7 16:21 pdns_recursor.controlsocket=

OS details

NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

I'd be glad to share any more info to have this resolved. Thank you.

Regards,
Sharone
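The directory listing in the post above can be checked against Remi Gacogne's diagnosis with a small mode-bit test. This is an added example, not code from the thread or from PowerDNS; the function name `can_create` is hypothetical, it evaluates classic owner/group/other bits only (no ACLs, SELinux or AppArmor), and it assumes each account's only group is the one named after it.

```shell
#!/bin/sh
# can_create MODE OWNER GROUP USER [USER_GROUPS...]
# MODE, OWNER and GROUP are the fields `ls -ld` prints for the directory.
# Returns 0 if USER has both write and search (x) permission on it, which
# is what creating a temporary file inside the directory requires.
can_create() {
    mode=$1 owner=$2 group=$3 user=$4
    shift 4
    # root bypasses mode bits (but not SELinux/AppArmor policy)
    [ "$user" = root ] && return 0
    # Pick exactly one rwx triplet: owner first, then group, then other.
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)
        for g in "$@"; do
            if [ "$g" = "$group" ]; then
                bits=$(printf '%s' "$mode" | cut -c5-7)
                break
            fi
        done
    fi
    case $bits in
        ?w[xst]) return 0 ;;   # s/t still imply x; S/T do not
        *)       return 1 ;;
    esac
}

# Mode and ownership from the listing in the post. "snmp" is the account
# snmpd runs as according to the SNMPDOPTS line quoted earlier in the thread.
for u in pdns snmp; do
    if can_create drwxr-xr-x pdns pdns "$u" "$u"; then
        echo "$u: mode bits allow creating files in /var/run/pdns-recursor"
    else
        echo "$u: mode bits deny creating files in /var/run/pdns-recursor"
    fi
done
```

When this check passes for the invoking account and the error still appears, mode bits are not what is denying access, which is the situation Michael Ströder's audit-log suggestion addresses.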