Wouter Wijngaards
2020-May-27 15:52 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
Hi,

On 27/05/2020 17:48, Anand Buddhdev via nsd-users wrote:
> On 27/05/2020 16:37, Simon Deziel via nsd-users wrote:
>
> Hi Simon,
>
>> As you saw, you need to add "ReadWritePaths=/var/log/" to the systemd
>> unit so that nsd can create the file.
>>
>> When you do so, on first startup, nsd changes UID from root -> nsd and
>> then creates /var/log/nsd.log:
>>
>> root@d10-nsd:~# ls -l /var/log/nsd.log
>> -rw-r--r-- 1 nsd nsd 151 May 27 14:15 /var/log/nsd.log
>>
>> On subsequent starts, nsd checks if it can append to the log while still
>> running as root. I believe this is a bug as this check should happen
>
> Are you certain of this? I have never seen any errors on my NSD systems.

I tried to fix the contrib nsd.service by adding Simon's suggestion to
it, if that is wrong let me know:
https://github.com/NLnetLabs/nsd/commit/922d5a27f8b291b1157530cfde49707c134cf486

Also the unlink error message is fixed in the same manner as Unbound's
printout; by silencing it to avoid chatter due to permission errors. It
seems like NSD did manage to empty the file for MJ, but not unlink it.
https://github.com/NLnetLabs/nsd/commit/bcc9b1107e1bc6a728f95c904db9603105a142ac

Best regards, Wouter

>
>> after the switch from root->nsd. You can workaround it by using the big
>> hammer that is CAP_DAC_OVERRIDE [*] or add this with `systemctl edit
>> nsd`:
>>
>> [Service]
>> ExecStartPre=-/bin/chown --quiet root:root /var/log/nsd.log
>
> All of this seems to be band-aid upon band-aid of unnecessary hacks.
>
>> As for the failed unlinking of the pidfile, this is harmless and should
>> not be logged as a warning. It may already be fixed in newer releases as
>> it was done with Unbound already.
>
> PID files are so passé! They are irrelevant on systems where daemons are
> run under supervisors. I would highly recommend setting "pidfile" to ""
> in nsd.conf. This prevents creation of a PID file. Systemd already knows
> the PID of the NSD process, and can signal it directly.
>
> Regards,
> Anand
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
Simon Deziel
2020-May-27 17:21 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
On 2020-05-27 11:52 a.m., Wouter Wijngaards via nsd-users wrote:
> Hi,
>
> On 27/05/2020 17:48, Anand Buddhdev via nsd-users wrote:
>> On 27/05/2020 16:37, Simon Deziel via nsd-users wrote:
>>
>> Hi Simon,
>>
>>> As you saw, you need to add "ReadWritePaths=/var/log/" to the systemd
>>> unit so that nsd can create the file.
>>>
>>> When you do so, on first startup, nsd changes UID from root -> nsd and
>>> then creates /var/log/nsd.log:
>>>
>>> root@d10-nsd:~# ls -l /var/log/nsd.log
>>> -rw-r--r-- 1 nsd nsd 151 May 27 14:15 /var/log/nsd.log
>>>
>>> On subsequent starts, nsd checks if it can append to the log while still
>>> running as root. I believe this is a bug as this check should happen
>>
>> Are you certain of this? I have never seen any errors on my NSD systems.
>
> I tried to fix the contrib nsd.service by adding Simon's suggestion to
> it, if that is wrong let me know:
> https://github.com/NLnetLabs/nsd/commit/922d5a27f8b291b1157530cfde49707c134cf486

I think this should be fixed rather than worked around like that. See my
other email, please.

That said, I must admit that I never used that contrib/nsd.service file,
only Debian's. The contrib one seems to be a mangled copy of Debian's [*]
because it has the same typo I fixed in the SystemCallFilter mount rule
(s/mount/@mount/). Ideally, this contrib file should become the canonical
reference used by downstream distro providers. I would certainly welcome
a switch to using User=nsd as suggested by Paul Wouter but that requires
other distros to buy in.

> Also the unlink error message is fixed in the same manner as Unbound's
> printout; by silencing it to avoid chatter due to permission errors. It
> seems like NSD did manage to empty the file for MJ, but not unlink it.
> https://github.com/NLnetLabs/nsd/commit/bcc9b1107e1bc6a728f95c904db9603105a142ac

So 4.3.2 doesn't have that annoying message, thanks!

Regards,
Simon

*: https://salsa.debian.org/dns-team/nsd/-/blob/debian/master/debian/nsd.service
Anand Buddhdev
2020-May-28 10:26 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
On 27/05/2020 17:52, Wouter Wijngaards via nsd-users wrote:

Hi Wouter,

> I tried to fix the contrib nsd.service by adding Simon's suggestion to
> it, if that is wrong let me know:
> https://github.com/NLnetLabs/nsd/commit/922d5a27f8b291b1157530cfde49707c134cf486

I have a suggestion. Maybe just delete this nsd.service file. To be
honest, it's not very useful because it has a random mix of directives
that don't help, or actually interfere with running NSD properly. As an
example, it has this directive:

RestrictAddressFamilies=AF_INET AF_UNIX

But what about AF_INET6 then? The above will prevent NSD from being able
to bind to an IPv6 socket.

I don't know where this file came from, but it's not good. If it's in
there, people will use it. If you really want to provide a systemd unit
file, then provide a minimal one that will work on most systems. A
packager for a particular distro can add things to it if he likes.
Additionally, if a user wants to tighten things up, they can always
create an overlay for this unit file on their systems. Adding to a
systemd unit is easier than removing existing directives in the base unit
file.

Regards,
Anand
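The thread raises three systemd points: the unit needs `ReadWritePaths=/var/log/` so nsd can create its log file, the contrib unit's `RestrictAddressFamilies=AF_INET AF_UNIX` blocks IPv6 sockets, and tightening is best done with a local overlay rather than by editing the shipped unit. The drop-in below is an added example written for this page; it is not from the NSD project or from any of the thread's participants, and the file path and comments are assumptions. It is what `systemctl edit nsd` would create, and it relies on the documented systemd behaviour that repeated `ReadWritePaths=` and `RestrictAddressFamilies=` assignments across unit and drop-in are merged rather than replaced.

```ini
# /etc/systemd/system/nsd.service.d/override.conf  (assumed path, as created by: systemctl edit nsd)
# Added example drop-in for a base unit that ships the too-narrow line
#   RestrictAddressFamilies=AF_INET AF_UNIX
# Drop-in settings are merged with the base unit, so this widens the allowed
# address families without touching the distro-provided file.
[Service]
# Let the service create and append to its log file under /var/log/.
# Merged with any ReadWritePaths= already in the base unit.
ReadWritePaths=/var/log/

# The base unit only allows AF_INET and AF_UNIX; add AF_INET6 so the daemon can
# bind IPv6 listeners. Merged with the base unit's set.
# To replace the base set instead of extending it, clear it first:
#   RestrictAddressFamilies=
#   RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictAddressFamilies=AF_INET6
```

After `systemctl daemon-reload`, `systemctl show nsd.service -p RestrictAddressFamilies -p ReadWritePaths` prints the merged result, which is a quick way to confirm the overlay and the base unit combined as intended; `systemd-analyze security nsd.service` then reports how much of the sandbox the combined unit still applies. The separate recommendation in the thread to stop writing a PID file is an nsd.conf setting (`pidfile: ""`), not a systemd directive, so it does not belong in this drop-in.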