Kaulkwappe
2020-May-27 10:22 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
Anders Giversen
2020-May-27 12:33 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
Hi

Try to add CAP_DAC_OVERRIDE to CapabilityBoundingSet so it ends up being:

CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT

Best regards
Anders Giversen

On 27-05-2020 08:22, Kaulkwappe via nsd-users wrote:
> Hi MJ,
>
> unfortunately I couldn't fix it. I tried one billion things, but nothing worked. So I needed to go the hard way and commented this out in /etc/systemd/system/multi-user.target.wants/nsd.service:
>
> #CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>
> Kind Regards,
> Kaulkwappe
>
> -------------------------
> From: mj via nsd-users <nsd-users at lists.nlnetlabs.nl>
> Sent: Tuesday, 26. May 2020 ? 11:58 CEST +0200
> To: nsd-users at lists.nlnetlabs.nl
> Subject: [nsd-users] NSD still shows permission errors on Debian 10 Buster
>
> Hi,
>
> Subscribed specially to reply to the subject thread.
>
> I am also trying to run nsd on debian buster, and it's not working so nicely. :-)
>
>> error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
>> warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
>
> I added "/var/log" and "/run/nsd" ReadWritePaths to the nsd.service file, but the error remains:
>
>> [Unit]
>> Description=Name Server Daemon
>> Documentation=man:nsd(8)
>> After=network.target
>>
>> [Service]
>> Type=notify
>> Restart=always
>> ExecStart=/usr/sbin/nsd -d
>> ExecReload=+/bin/kill -HUP $MAINPID
>> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>> MemoryDenyWriteExecute=true
>> NoNewPrivileges=true
>> PrivateDevices=true
>> PrivateTmp=true
>> ProtectHome=true
>> ProtectControlGroups=true
>> ProtectKernelModules=true
>> ProtectKernelTunables=true
>> ProtectSystem=strict
>> ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
>> RuntimeDirectory=nsd
>> RestrictRealtime=true
>> SystemCallArchitectures=native
>> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources
>>
>> [Install]
>> WantedBy=multi-user.target
>
> I read in Paul Wouters' reply to add nsd User/Group to the service file, but then nsd no longer starts, as the nsd user has no permission to bind to port 53:
>
>> error: can't bind udp socket: Permission denied
>
> I wanted to migrate from bind to nsd, but it seems the debian package could use some love. :-)
>
> Does anyone have a suggestion how to proceed..? (a working systemd file perhaps?)
>
> Thanks,
> MJ
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
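As an added example (not from any post in this thread), the suggestion above applied as a systemd drop-in instead of editing the file under /etc/systemd/system/multi-user.target.wants/ (a symlink to the packaged unit, so edits are lost on upgrade) or commenting the bounding set out, which leaves nsd with the full default capability set. The drop-in path is assumed; the unit name nsd.service and the capability list come from the thread.

```ini
# /etc/systemd/system/nsd.service.d/capabilities.conf  (assumed path)
# Create it with "systemctl edit nsd.service", then run
# "systemctl daemon-reload && systemctl restart nsd.service".
[Service]
# Repeated CapabilityBoundingSet= lines are OR-merged with the packaged unit's
# set, so this single line adds CAP_DAC_OVERRIDE to the six capabilities the
# Debian unit already grants and keeps every other hardening directive intact.
CapabilityBoundingSet=CAP_DAC_OVERRIDE

# Equivalent explicit form: an empty assignment resets the set, the next line
# replaces it with the full list from the reply above. Use one form, not both.
#CapabilityBoundingSet=
#CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
```

CAP_DAC_OVERRIDE lets the service bypass file permission checks, so it is broader than giving the nsd user ownership of /var/log/nsd.log and /run/nsd but far narrower than an unrestricted bounding set; `systemctl show -p CapabilityBoundingSet nsd.service` shows the merged result after the reload.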