Package: bind9
Version: 1:9.16.11-2~bpo10+1

Quack,

I got these errors at startup:
Mar 26 08:51:46 Orfeo named[14057]: couldn't mkdir '/run/named': Permission denied
Mar 26 08:51:46 Orfeo named[14057]: generating session key for dynamic DNS
Mar 26 08:51:46 Orfeo named[14057]: couldn't mkdir '/run/named': Permission denied
Mar 26 08:51:46 Orfeo named[14057]: could not create /run/named/session.key
Mar 26 08:51:46 Orfeo named[14057]: failed to generate session key for dynamic DNS: permission denied

and apparmor is unhappy:
type=AVC msg=audit(1616745106.778:13945868): apparmor="DENIED" operation="mkdir" profile="named" name="/run/named/" pid=14057 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=102 ouid=102
type=AVC msg=audit(1616745106.778:13945869): apparmor="DENIED" operation="mkdir" profile="named" name="/run/named/" pid=14057 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=102 ouid=102

Creating the directory _after_ changing user is clearly a problem that should be fixed in Bind, so changing the apparmor profile would not help.

I added this in the service file:
ExecStartPre=/bin/mkdir -p /run/named
ExecStartPre=/bin/chown bind: /run/named

and it works now:
# ls -la /run/named/
total 8
drwxr-xr-x  2 bind bind   80 Mar 26 09:06 .
drwxr-xr-x 40 root root 1300 Mar 26 09:06 ..
-rw-r--r--  1 bind bind    6 Mar 26 09:06 named.pid
-rw-------  1 bind bind  102 Mar 26 09:06 session.key

but of course the directory is not cleaned when the service stops.

I think the best would be to reconsider this PR at least partially and run the service directly as `bind` user:
  https://salsa.debian.org/dns-team/bind9/-/merge_requests/1

I would suggest using `RuntimeDirectory` to create/cleanup the directory automagically.

Regards.
\_o<

--
Marc Dequènes
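As an added illustration of the `RuntimeDirectory` suggestion (this is not from the bug report or from the Debian bind9 package; it assumes the unit is called `named.service` and that the daemon runs as user and group `bind`, as in the report), a systemd drop-in that replaces the two `ExecStartPre` lines would look like this:

```ini
# /etc/systemd/system/named.service.d/runtime-dir.conf
# Added example drop-in, not part of the bind9 package. Assumes the unit is
# named.service and that named should run as the "bind" user and group.
[Service]
# systemd creates /run/named as root before ExecStart runs and removes it
# when the unit stops, so named never has to mkdir after dropping privileges
# and the AppArmor "mkdir /run/named/" denial does not occur. The directory
# is chowned to User=/Group= automatically.
RuntimeDirectory=named
# Only the service account needs to read named.pid and session.key.
RuntimeDirectoryMode=0750
# Run directly as bind instead of starting as root and switching later.
User=bind
Group=bind
# Default is "no" (remove on stop). Use "restart" if session.key should
# survive a restart of the unit but still be removed on stop.
RuntimeDirectoryPreserve=no
```

After placing the file, run `systemctl daemon-reload` and restart the unit; `ls -la /run/named/` should then show the directory owned by `bind` while the unit is active, and the directory disappears once it is stopped. The AppArmor denial in the report was only for creating the directory itself; as the `ls` output shows, `named.pid` and `session.key` are written without complaint once `/run/named` exists.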
