Certainly, you pointed in the right direction :-)
Previously I had set the setgid bit on /etc/bind/zonas/ due to
complaints from apparmor. Now I've removed that bit and added an
override for that folder in /etc/apparmor.d/local/usr.sbin.named.
Et voilà!
However, I wonder about the reason behind such behaviour since, as
mentioned, it was previously working just fine.
Thanks, regards
On 2023-06-28 15:51, Danilo Godec via bind-users wrote:
Hello,
I think
chmod ug+x /etc/bind/zonas/
should solve the issue by giving the owner (bind) and the group (bind)
permissions to enter the directory.
Danilo
On 28.6.2023 20:44, Daniel Armando Rodriguez via bind-users wrote:
Before I start describing the problem, I should mention that this
incident started when I tried to enable DNSSEC. I understand that it
is unrelated, but previously everything was working correctly.
I'm using Debian 11 and Bind 9.18 from backports.
This is the current config:
# named-checkconf -px
options {
directory "/var/cache/bind/";
listen-on {
127.0.0.1/32;
170.210.45.130/32;
};
listen-on-v6 {
2800:110:44:6260::130/128;
};
querylog yes;
transfers-in 20;
transfers-per-ns 20;
version "Info not currently available";
allow-recursion {
"localhost";
::1/128;
170.210.0.0/16;
2800:110:44:6260::/64;
};
auth-nxdomain no;
recursion yes;
allow-query {
"any";
};
allow-transfer {
"none";
};
key-directory "/var/cache/bind/keys";
masterfile-format text;
};
statistics-channels {
inet 127.0.0.1 port 8053 allow {
127.0.0.1/32;
};
};
zone "10.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "unau.edu.ar" {
type primary;
file "/etc/bind/zonas/db.unau.edu.ar";
allow-query {
"any";
};
allow-transfer {
170.210.45.131/32;
};
allow-update {
"none";
};
also-notify {
170.210.45.131;
};
serial-update-method increment;
};
zone "133.45.210.170.in-addr.arpa" {
type primary;
file "/etc/bind/zonas/133.45.210.170.in-addr.arpa";
allow-transfer {
170.210.45.131/32;
};
also-notify {
170.210.45.131;
};
};
zone "3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa" {
type primary;
file "/etc/bind/zonas/3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa";
allow-transfer {
170.210.45.131/32;
};
also-notify {
170.210.45.131;
};
};
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
File permissions
# ls -alh /etc/bind
-rw-r--r-- 1 root root 2,4K feb 26 06:27 bind.keys
-rw-r--r-- 1 root root 255 feb 26 06:27 db.0
-rw-r--r-- 1 root root 271 jun 30 2017 db.127
-rw-r--r-- 1 root root 237 jun 30 2017 db.255
-rw-r--r-- 1 root root 353 jun 30 2017 db.empty
-rw-r--r-- 1 root root 270 jun 30 2017 db.local
-rw-r--r-- 1 root root 3,1K may 3 2019 db.root
-rw-r--r-- 1 root bind 458 feb 26 06:27 named.conf
-rw-r--r-- 1 root root 1,2K jun 28 15:06 named.conf.local
-rw-r--r-- 1 root root 2,8K jun 27 17:44 named.conf.options
-rw-r----- 1 bind bind 144 may 17 13:51 rndc.key
drw-r-S--- 2 bind bind 4,0K jun 28 14:55 zonas
-rw-r--r-- 1 root root 1,3K jun 30 2017 zones.rfc1918
# ls -alh /etc/bind/zonas/
drw-r-S--- 2 bind bind 4,0K jun 28 14:55 .
drwxr-sr-x 3 root bind 4,0K jun 28 15:06 ..
-rwxr-xr-- 1 bind bind 323 ene 16 10:59 133.45.210.170.in-addr.arpa
-rwxr-xr-- 1 bind bind 394 ene 16 10:58 3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.6.4.4.0.0.0.1.1.0.0.0.8.2.ip6.arpa
-rwxr-xr-- 1 bind bind 5,4K jun 22 12:40 db.unau.edu.ar
Error messages
zone unau.edu.ar/IN: loading from master file /etc/bind/zonas/db.unau.edu.ar failed: permission denied
zone unau.edu.ar/IN: not loaded due to errors.
Named is running as bind user
I would be grateful for any enlightening ideas.
________________________________________________
Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar [1]
--
Danilo Godec | Sistemska podpora / System Administration
AGENDA d.o.o. | Ul. Pohorskega bataljona 49, Sl-2000 Maribor
E: danilo.go...@agenda.si | T: +386 (0)2 421 61 31 | F: +386 (0)2 420 06 90
Agenda OpenSystems [2] | The largest Slovenian open-source integrator
Red Hat in Slovenia [3] | Red Hat Premier Business Partner
ElasticBox [4] | Business solutions in the cloud
Legal disclaimer statement [5]
Links:
------
[1] https://informatica.unau.edu.ar
[2] https://www.agenda.si/
[3] http://www.redhat.si/
[4] http://elasticbox.eu/
[5] https://www.agenda.si/index.php?id=228
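Added example, not part of the thread: a small Python model of the classic Unix permission check, applied to the mode strings from the `ls -alh` output above, showing that the uppercase `S` in `drw-r-S---` means setgid without group search permission and that the owner class lacks `x` as well. The helper names are hypothetical; the model covers mode bits only and ignores root's override capability, ACLs and AppArmor, which is evaluated separately.

```python
import stat

def parse_mode(s):
    """Turn an ls-style string such as 'drw-r-S---' into permission bits."""
    plain = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    bits = 0
    for i, ch in enumerate(s[1:10]):
        if ch in "rwx":
            bits |= plain[i]
        elif ch in "st":   # lowercase: special bit AND execute/search
            bits |= plain[i] | special[i]
        elif ch in "ST":   # uppercase: special bit WITHOUT execute/search
            bits |= special[i]
    return bits

def has_perm(bits, owner, group, user, groups, want):
    """Pick exactly one class: owner, else group, else other (no fall-through)."""
    shift = 6 if user == owner else 3 if group in groups else 0
    return bool(bits & ({"r": 4, "w": 2, "x": 1}[want] << shift))

def find_blockers(path, user, groups):
    """path: list of (name, ls_mode, owner, group), outermost first.
    Each directory needs search (x); the final file needs read (r)."""
    blockers = []
    for name, mode, owner, group in path:
        want = "x" if mode[0] == "d" else "r"
        if not has_perm(parse_mode(mode), owner, group, user, groups, want):
            blockers.append((name, want))
    return blockers

# Modes, owners and groups copied from the `ls -alh` output in the thread.
BEFORE = [("/etc/bind", "drwxr-sr-x", "root", "bind"),
          ("/etc/bind/zonas", "drw-r-S---", "bind", "bind"),
          ("/etc/bind/zonas/db.unau.edu.ar", "-rwxr-xr--", "bind", "bind")]
# Constructed: the zonas entry as it would read after `chmod ug+x`.
AFTER = [BEFORE[0], ("/etc/bind/zonas", "drwxr-s---", "bind", "bind"), BEFORE[2]]

if __name__ == "__main__":
    print("before:", find_blockers(BEFORE, "bind", {"bind"}))
    print("after: ", find_blockers(AFTER, "bind", {"bind"}))
```
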