Hi Marc,

is there anything wrong with your systemd-tmpfiles?

$ cat /usr/lib/tmpfiles.d/named.conf
d /run/named 0775 root bind - -

Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org

> On 26. 3. 2021, at 9:19, Marc Dequènes (duck) <d...@duckcorp.org> wrote:
> 
> Package: bind9
> Version: 1:9.16.11-2~bpo10+1
> 
> Quack,
> 
> I got these errors at startup:
> Mar 26 08:51:46 Orfeo named[14057]: couldn't mkdir '/run/named': Permission denied
> Mar 26 08:51:46 Orfeo named[14057]: generating session key for dynamic DNS
> Mar 26 08:51:46 Orfeo named[14057]: couldn't mkdir '/run/named': Permission denied
> Mar 26 08:51:46 Orfeo named[14057]: could not create /run/named/session.key
> Mar 26 08:51:46 Orfeo named[14057]: failed to generate session key for dynamic DNS: permission denied
> 
> and apparmor is unhappy:
> type=AVC msg=audit(1616745106.778:13945868): apparmor="DENIED" operation="mkdir" profile="named" name="/run/named/" pid=14057 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=102 ouid=102
> type=AVC msg=audit(1616745106.778:13945869): apparmor="DENIED" operation="mkdir" profile="named" name="/run/named/" pid=14057 comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=102 ouid=102
> 
> Creating the directory _after_ changing user is clearly a problem that should 
> be fixed in Bind, so changing the apparmor profile would not help.
> 
> I added this in the service file:
> ExecStartPre=/bin/mkdir -p /run/named
> ExecStartPre=/bin/chown bind: /run/named
> 
> and it works now:
> # ls -la /run/named/
> total 8
> drwxr-xr-x  2 bind bind   80 Mar 26 09:06 .
> drwxr-xr-x 40 root root 1300 Mar 26 09:06 ..
> -rw-r--r--  1 bind bind    6 Mar 26 09:06 named.pid
> -rw-------  1 bind bind  102 Mar 26 09:06 session.key
> 
> but of course the directory is not cleaned when the service stops.
> 
> I think the best would be to reconsider this PR at least partially and run 
> the service directly as `bind` user:
>  https://salsa.debian.org/dns-team/bind9/-/merge_requests/1
> 
> I would suggest using `RuntimeDirectory` to create/cleanup the directory 
> automagically.
> 
> Regards.
> \_o<
> 
> --
> Marc Dequènes
> 
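An added example in POSIX shell (not code from this thread or from the bind9 package): it turns a tmpfiles.d line like the one Ondrej quotes into the `RuntimeDirectory=` drop-in Marc proposes, and checks which permission class lets a user create entries in a directory of a given mode and ownership, which is why a 0775 root:bind /run/named works for uid bind while mkdir in the 0755 root:root /run does not. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug thread or the bind9 package.
# tmpfiles_to_runtimedir: translate a tmpfiles.d "d" line such as
#   d /run/named 0775 root bind - -
# into a systemd [Service] drop-in. RuntimeDirectory= creates the directory
# before ExecStart runs and removes it when the service stops; systemd owns
# it by the unit's User=/Group=, so the unit itself must run as bind.
tmpfiles_to_runtimedir() {
    # $1 is one tmpfiles.d line; fields: type path mode user group age argument
    set -- $1
    [ "$1" = "d" ] || { echo "unsupported tmpfiles type: $1" >&2; return 1; }
    case "$2" in
        /run/?*) ;;
        *) echo "RuntimeDirectory= only manages paths below /run: $2" >&2; return 1 ;;
    esac
    mode=$3
    if [ "$mode" = "-" ]; then mode=0755; fi   # tmpfiles default when omitted
    # Ownership is taken from User=/Group=, not from the tmpfiles line.
    printf '[Service]\nRuntimeDirectory=%s\nRuntimeDirectoryMode=%s\n' \
        "${2#/run/}" "$mode"
}

# dac_can_create MODE OWNER GROUP USER USERGROUP
# Prints which permission class ("owner", "group" or "other") grants USER
# (primary group USERGROUP) write+search on the directory, or "denied".
# Plain DAC only; an AppArmor profile can still deny what DAC allows.
dac_can_create() {
    mode=$1; owner=$2; group=$3; user=$4; ugroup=$5
    perms=$(printf '%s' "$mode" | tail -c 3)      # last three octal digits
    u=$(printf '%s' "$perms" | cut -c1)
    g=$(printf '%s' "$perms" | cut -c2)
    o=$(printf '%s' "$perms" | cut -c3)
    # In one octal digit w is bit 2 and x is bit 1; both are needed to create.
    wx() { [ $(( $1 & 3 )) -eq 3 ]; }
    if [ "$user" = "$owner" ]; then
        if wx "$u"; then echo owner; else echo denied; fi
    elif [ "$ugroup" = "$group" ]; then
        if wx "$g"; then echo group; else echo denied; fi
    else
        if wx "$o"; then echo other; else echo denied; fi
    fi
}
```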
