Simon Deziel
2020-May-27 14:37 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
Hi MJ and Kaulkwappe,

As you saw, you need to add "ReadWritePaths=/var/log/" to the systemd unit so that nsd can create the file.

When you do so, on first startup, nsd changes UID from root -> nsd and then creates /var/log/nsd.log:

root@d10-nsd:~# ls -l /var/log/nsd.log
-rw-r--r-- 1 nsd nsd 151 May 27 14:15 /var/log/nsd.log

On subsequent starts, nsd checks if it can append to the log while still running as root. I believe this is a bug as this check should happen after the switch from root->nsd. You can work around it by using the big hammer that is CAP_DAC_OVERRIDE [*] or add this with `systemctl edit nsd`:

[Service]
ExecStartPre=-/bin/chown --quiet root:root /var/log/nsd.log

This way, systemd will make the file root-owned to please nsd, which will chown it right after starting.

As for the failed unlinking of the pidfile, this is harmless and should not be logged as a warning. It may already be fixed in newer releases as it was done with Unbound already.

HTH,
Simon

*: If you use the CAP_DAC_OVERRIDE way, you don't need to list all the caps as they are additive. This alone would do:

[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE

On 2020-05-27 9:35 a.m., mj via nsd-users wrote:
> Hi Anders!
>
> That helps for the log file. Thanks!
>
> However, the pid warning remains:
>
>> nsd[27759]: warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
>
> Not terrible, but any idea how to solve that one..?
>
> I also tried commenting out the entire line, as suggested by Kaulkwappe, (thanks for that, Kaulkwappe!) but also then the pid warning remains.
>
> Thanks very much for your kind help!
>
> MJ
>
> On 5/27/20 2:33 PM, Anders Giversen via nsd-users wrote:
>> Hi
>>
>> Try to add CAP_DAC_OVERRIDE to CapabilityBoundingSet so it ends up being:
>> CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>>
>> Best regards
>> Anders Giversen
>>
>> On 27-05-2020 08:22, Kaulkwappe via nsd-users wrote:
>>> Hi MJ,
>>>
>>> unfortunately I couldn't fix it. I tried one billion things, but nothing worked. So I needed to go the hard way and commented this out in /etc/systemd/system/multi-user.target.wants/nsd.service:
>>>
>>> #CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>>>
>>> Kind Regards,
>>> Kaulkwappe
>>>
>>> -------------------------
>>> From: mj via nsd-users <nsd-users at lists.nlnetlabs.nl [1]>
>>> Sent: Tuesday, 26. May 2020 ? 11:58 CEST +0200
>>> To: nsd-users at lists.nlnetlabs.nl [1]
>>>
>>> Subject: [nsd-users] NSD still shows permission errors on Debian 10 Buster
>>>
>>> Hi,
>>>
>>> Subscribed specially to reply to the subject thread.
>>>
>>> I am also trying to run nsd on debian buster, and it's not working so nicely. :-)
>>>
>>>> error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
>>>> warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
>>>
>>> I added "/var/log" and "/run/nsd" ReadWritePaths to the nsd.service file, but the error remains:
>>>
>>>> [Unit]
>>>> Description=Name Server Daemon
>>>> Documentation=man:nsd(8)
>>>> After=network.target
>>>>
>>>> [Service]
>>>> Type=notify
>>>> Restart=always
>>>> ExecStart=/usr/sbin/nsd -d
>>>> ExecReload=+/bin/kill -HUP $MAINPID
>>>> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>>>> MemoryDenyWriteExecute=true
>>>> NoNewPrivileges=true
>>>> PrivateDevices=true
>>>> PrivateTmp=true
>>>> ProtectHome=true
>>>> ProtectControlGroups=true
>>>> ProtectKernelModules=true
>>>> ProtectKernelTunables=true
>>>> ProtectSystem=strict
>>>> ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
>>>> RuntimeDirectory=nsd
>>>> RestrictRealtime=true
>>>> SystemCallArchitectures=native
>>>> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
>>>>
>>>> [Install]
>>>> WantedBy=multi-user.target
>>>
>>> I read in Paul Wouters' reply to add nsd User/Group to the service file, but then nsd no longer starts, as the nsd user has no permission to bind to port 53:
>>>
>>>> error: can't bind udp socket: Permission denied
>>>
>>> I wanted to migrate from bind to nsd, but it seems the debian package could use some love. :-)
>>>
>>> Does anyone have a suggestion how to proceed..? (a working systemd file perhaps?)
>>>
>>> Thanks,
>>> MJ
>>> _______________________________________________
>>> nsd-users mailing list
>>> nsd-users at lists.nlnetlabs.nl
>>> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
>>>
>>> Links:
>>> ------
>>> [1] http://mail.giver.dk/email/new/1/nsd-users%40lists.nlnetlabs.nl
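The thread above turns on two systemd behaviours: under ProtectSystem=strict the whole tree is read-only except what ReadWritePaths= lists, and list-valued keys such as ReadWritePaths= and CapabilityBoundingSet= accumulate across the unit and its `systemctl edit` drop-ins (an empty assignment resets the list). The script below is an added example, not code from the nsd project or from anyone in this thread. It parses a unit plus drop-ins with that merging rule and reports whether nsd's log and pidfile paths end up writable and whether CAP_DAC_OVERRIDE has crept into the bounding set. The unit text is constructed from the [Service] section MJ posted, with the two ReadWritePaths entries he said he added removed so it stands in for the unit before his edit; the drop-in is the one Simon suggests. Assumptions not on the page: the table of directories each ProtectSystem= value makes read-only, that RuntimeDirectory= stays writable under ProtectSystem=strict, and that the `~` negation form of CapabilityBoundingSet= is not modelled.

```python
"""Check what a hardened nsd.service plus its drop-ins let nsd write.

Added example, not code from the nsd project or from this thread. It models
two systemd rules: ProtectSystem=strict makes the tree read-only except for
ReadWritePaths= entries (and, by assumption, RuntimeDirectory=), and
list-valued keys accumulate across the unit and its drop-ins, an empty
assignment resetting the list. The ~ negation form is not modelled.
"""
from pathlib import PurePosixPath

# Constructed input: MJ's [Service] section trimmed to the relevant keys,
# without the /var/log and /run/nsd entries he said he added himself.
NSD_SERVICE = """
[Service]
Type=notify
ExecStart=/usr/sbin/nsd -d
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
RuntimeDirectory=nsd
"""

# Constructed drop-in: what Simon suggests entering via `systemctl edit nsd`.
OVERRIDE_CONF = """
[Service]
ReadWritePaths=/var/log/
ExecStartPre=-/bin/chown --quiet root:root /var/log/nsd.log
"""

SPLIT_KEYS = ("ReadWritePaths", "CapabilityBoundingSet")  # whitespace-separated lists
APPEND_KEYS = ("ExecStartPre", "ExecStartPost")            # one command line per entry

# Assumption: directories each ProtectSystem= value mounts read-only.
READONLY_ROOTS = {
    "yes": ["/usr", "/boot", "/efi"],
    "true": ["/usr", "/boot", "/efi"],
    "full": ["/usr", "/boot", "/efi", "/etc"],
    "strict": ["/"],
}


def parse_service(*unit_texts):
    """Merge the [Service] sections of a unit and its drop-ins, in order."""
    settings = {}
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            if section != "Service" or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if key in SPLIT_KEYS or key in APPEND_KEYS:
                if value == "":
                    settings[key] = []          # empty assignment resets the list
                else:
                    new = value.split() if key in SPLIT_KEYS else [value]
                    settings.setdefault(key, []).extend(new)
            else:
                settings[key] = value           # scalar keys: last assignment wins
    return settings


def _under(path, root):
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def path_writable(path, settings):
    """True if the service may write `path` given ProtectSystem=/ReadWritePaths=."""
    roots = READONLY_ROOTS.get(settings.get("ProtectSystem", "no"), [])
    if not any(_under(path, r) for r in roots):
        return True
    writable = list(settings.get("ReadWritePaths", []))
    # Assumption: RuntimeDirectory= entries remain writable under strict mode.
    writable += ["/run/" + d for d in settings.get("RuntimeDirectory", "").split()]
    return any(_under(path, w) for w in writable)


def audit(settings):
    """Summarise the checks a reader of this thread would want first."""
    caps = set(settings.get("CapabilityBoundingSet", []))
    return {
        "log_writable": path_writable("/var/log/nsd.log", settings),
        "pidfile_writable": path_writable("/run/nsd/nsd.pid", settings),
        "dac_override": "CAP_DAC_OVERRIDE" in caps,   # the "big hammer"
        "chown_prestart": any("chown" in cmd for cmd in settings.get("ExecStartPre", [])),
    }


if __name__ == "__main__":
    for label, texts in (("stock unit", [NSD_SERVICE]),
                         ("with drop-in", [NSD_SERVICE, OVERRIDE_CONF])):
        print(label, audit(parse_service(*texts)))
```

Run against the unit alone, `audit` reports the log path as not writable, which is the "Read-only file system" error MJ saw; with the drop-in merged in, the log path becomes writable without CAP_DAC_OVERRIDE entering the bounding set, which is the narrower of the two fixes Simon describes.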
Anand Buddhdev
2020-May-27 15:48 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
On 27/05/2020 16:37, Simon Deziel via nsd-users wrote:

Hi Simon,

> As you saw, you need to add "ReadWritePaths=/var/log/" to the systemd unit so that nsd can create the file.
>
> When you do so, on first startup, nsd changes UID from root -> nsd and then creates /var/log/nsd.log:
>
> root@d10-nsd:~# ls -l /var/log/nsd.log
> -rw-r--r-- 1 nsd nsd 151 May 27 14:15 /var/log/nsd.log
>
> On subsequent starts, nsd checks if it can append to the log while still running as root. I believe this is a bug as this check should happen

Are you certain of this? I have never seen any errors on my NSD systems.

> after the switch from root->nsd. You can work around it by using the big hammer that is CAP_DAC_OVERRIDE [*] or add this with `systemctl edit nsd`:
>
> [Service]
> ExecStartPre=-/bin/chown --quiet root:root /var/log/nsd.log

All of this seems to be band-aid upon band-aid of unnecessary hacks.

> As for the failed unlinking of the pidfile, this is harmless and should not be logged as a warning. It may already be fixed in newer releases as it was done with Unbound already.

PID files are so passé! They are irrelevant on systems where daemons are run under supervisors. I would highly recommend setting "pidfile" to "" in nsd.conf. This prevents creation of a PID file. Systemd already knows the PID of the NSD process, and can signal it directly.

Regards,
Anand