Anders Giversen
2020-May-27 12:33 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
Hi

Try to add CAP_DAC_OVERRIDE to CapabilityBoundingSet so it ends up being:

CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT

Best regards
Anders Giversen

On 27-05-2020 08:22, Kaulkwappe via nsd-users wrote:
> Hi MJ,
>
> unfortunately I couldn't fix it. I tried one billion things, but
> nothing worked. So I needed to go the hard way and commented this out
> in /etc/systemd/system/multi-user.target.wants/nsd.service:
>
> #CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>
> Kind Regards,
> Kaulkwappe
>
> -------------------------
> From: mj via nsd-users <nsd-users at lists.nlnetlabs.nl>
> Sent: Tuesday, 26. May 2020, 11:58 CEST +0200
> To: nsd-users at lists.nlnetlabs.nl
>
> Subject: [nsd-users] NSD still shows permission errors on Debian 10 Buster
>
> Hi,
>
> Subscribed specially to reply to the subject thread.
>
> I am also trying to run nsd on debian buster, and it's not working so
> nicely. :-)
>
>> error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
>> warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
>
> I added "/var/log" and "/run/nsd" ReadWritePaths to the nsd.service
> file, but the error remains:
>
>> [Unit]
>> Description=Name Server Daemon
>> Documentation=man:nsd(8)
>> After=network.target
>>
>> [Service]
>> Type=notify
>> Restart=always
>> ExecStart=/usr/sbin/nsd -d
>> ExecReload=+/bin/kill -HUP $MAINPID
>> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>> MemoryDenyWriteExecute=true
>> NoNewPrivileges=true
>> PrivateDevices=true
>> PrivateTmp=true
>> ProtectHome=true
>> ProtectControlGroups=true
>> ProtectKernelModules=true
>> ProtectKernelTunables=true
>> ProtectSystem=strict
>> ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
>> RuntimeDirectory=nsd
>> RestrictRealtime=true
>> SystemCallArchitectures=native
>> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
>>
>> [Install]
>> WantedBy=multi-user.target
>
> I read in Paul Wouters' reply to add nsd User/Group to the service file,
> but then nsd no longer starts, as the nsd user has no permission to bind
> to port 53:
>
>> error: can't bind udp socket: Permission denied
>
> I wanted to migrate from bind to nsd, but it seems the debian package
> could use some love. :-)
>
> Does anyone have a suggestion how to proceed..? (a working systemd file
> perhaps?)
>
> Thanks,
> MJ
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
mj
2020-May-27 13:35 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
Hi Anders!

That helps for the log file. Thanks!

However, the pid warning remains:

> nsd[27759]: warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied

Not terrible, but any idea how to solve that one..?

I also tried commenting out the entire line, as suggested by Kaulkwappe
(thanks for that, Kaulkwappe!), but also then the pid warning remains.

Thanks very much for your kind help!

MJ

On 5/27/20 2:33 PM, Anders Giversen via nsd-users wrote:
> Hi
>
> Try to add CAP_DAC_OVERRIDE to CapabilityBoundingSet so it ends up being:
> CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>
> Best regards
> Anders Giversen
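An added check, not part of this thread or of the nsd project: a POSIX sh script that reads a unit's ReadWritePaths= entries and reports, from owner/group/mode alone, which of those paths (plus the pid file's directory) a given service account can write. It shows whether a "Permission denied" on /run/nsd/nsd.pid comes from file ownership, before the capability set is widened with CAP_DAC_OVERRIDE. The unit path, account name and pid file path are placeholders supplied by the caller; GNU coreutils stat(1) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): which ReadWritePaths= entries can the
# service account write once nsd has dropped root? Judged from owner/group/
# mode only (no ACLs, no capabilities), which is the view an unprivileged
# nsd process has. Assumes GNU stat(1). Caller supplies unit, user, group
# and pid file path (placeholders; nothing here is nsd's own code).

# Print every ReadWritePaths= entry of the unit, one per line. systemd
# merges repeated lines; an empty assignment that resets the list is not
# handled here.
unit_rw_paths() {
    sed -n 's/^ReadWritePaths=//p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 if account USER (primary group GROUP) may write PATH, 1 if not,
# 2 if PATH does not exist.
path_writable_by() {
    path=$1; user=$2; group=$3
    [ -e "$path" ] || return 2
    set -- $(stat -c '%U %G %a' "$path")        # owner group octal-mode
    owner=$1; grp=$2; mode=$3
    # keep the last three octal digits (drop a leading setuid/sticky digit)
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    if [ "$owner" = "$user" ]; then d=${mode%??}            # user digit
    elif [ "$grp" = "$group" ]; then d=${mode#?}; d=${d%?}  # group digit
    else d=${mode#??}                                       # other digit
    fi
    [ $(( d & 2 )) -ne 0 ]                                  # write bit set?
}

# Check each ReadWritePaths= entry and the pid file's directory for
# USER/GROUP. Prints one line per path; returns the number of paths the
# account cannot write (0 means file modes do not explain the error).
check_unit_paths() {
    unit=$1; user=$2; group=$3; pidfile=$4
    bad=0
    for p in $(unit_rw_paths "$unit") "$(dirname "$pidfile")"; do
        if path_writable_by "$p" "$user" "$group"; then
            echo "ok      $p"
        else
            echo "DENIED  $p ($(stat -c '%U:%G %a' "$p" 2>/dev/null || echo missing))"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run it as `check_unit_paths /etc/systemd/system/nsd.service nsd nsd /run/nsd/nsd.pid`; a DENIED line for /run/nsd while the unit has no User= means the directory was created for root by RuntimeDirectory= and the dropped-privilege process cannot unlink inside it.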