[nsd-users] NSD still shows permission errors on Debian 10 Buster
mj
lists at merit.unu.edu
Tue May 26 09:58:40 UTC 2020
Hi,
Subscribed specially to reply to the subject thread.
I am also trying to run nsd on debian buster, and it's not working so
nicely. :-)
> error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
> warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
I added "/var/log" and "/run/nsd" ReadWritePaths to the nsd.service
file, but the error remains:
> [Unit]
> Description=Name Server Daemon
> Documentation=man:nsd(8)
> After=network.target
>
> [Service]
> Type=notify
> Restart=always
> ExecStart=/usr/sbin/nsd -d
> ExecReload=+/bin/kill -HUP $MAINPID
> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> MemoryDenyWriteExecute=true
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectSystem=strict
> ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
> RuntimeDirectory=nsd
> RestrictRealtime=true
> SystemCallArchitectures=native
> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
>
> [Install]
> WantedBy=multi-user.target
I read in Paul Wouters' reply to add the nsd User/Group to the service file,
but then nsd no longer starts, as the nsd user has no permission to bind
to port 53:
> error: can't bind udp socket: Permission denied
I wanted to migrate from bind to nsd, but it seems the debian package
could use some love. :-)
Does anyone have a suggestion on how to proceed? (A working systemd file,
perhaps?)
Thanks,
MJ
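As an added example (not part of MJ's post, the thread's replies, or the Debian nsd package), here is a small POSIX shell lint that reads a systemd [Service] section and reports the privilege-related pitfalls a unit like the quoted one can run into. The two substantive checks encode behaviour documented in systemd.exec(5): a RuntimeDirectory= is created owned by the unit's User=/Group= (root when unset), so a daemon that switches to its own account after start cannot unlink files in it; and a non-root User= only keeps a capability such as CAP_NET_BIND_SERVICE if it is also granted through AmbientCapabilities=, not merely left in CapabilityBoundingSet=. Whether either mechanism is the cause of the errors in the post is an assumption, not something the post establishes. The unit texts below are constructed for the example, modelled on the quoted file.

```sh
#!/bin/sh
# Added example: lint a systemd [Service] section for privilege pitfalls.
# Unit texts are constructed here; they are not the Debian package's file.

UNIT_NO_USER='[Service]
Type=notify
ExecStart=/usr/sbin/nsd -d
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
RuntimeDirectory=nsd
'

# Same unit with the service account set, as suggested in the thread.
UNIT_WITH_USER="$UNIT_NO_USER
User=nsd
Group=nsd
"

# unit_get KEY TEXT: print every value of KEY joined by spaces (systemd
# treats a repeated directive as a list).
unit_get() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr '\n' ' ' | sed 's/ *$//'
}

# has_word WORD LIST: succeed if WORD is a whole item of the space-separated LIST.
has_word() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# lint_unit TEXT: print one finding per line; print nothing if none apply.
lint_unit() {
    unit="$1"
    user=$(unit_get User "$unit")
    bound=$(unit_get CapabilityBoundingSet "$unit")
    ambient=$(unit_get AmbientCapabilities "$unit")
    rundir=$(unit_get RuntimeDirectory "$unit")
    rwpaths=$(unit_get ReadWritePaths "$unit")

    # 1. With a non-root User=, the bounding set only limits what may be
    #    kept; the capability must be granted via AmbientCapabilities=.
    if [ -n "$user" ] && [ "$user" != root ]; then
        if has_word CAP_NET_BIND_SERVICE "$bound" && ! has_word CAP_NET_BIND_SERVICE "$ambient"; then
            echo "User=$user: binding a privileged port needs AmbientCapabilities=CAP_NET_BIND_SERVICE (bounding set alone does not grant it)"
        fi
    fi

    # 2. RuntimeDirectory= is owned by User=/Group=, i.e. root when unset.
    #    A daemon that drops to its own account after start then cannot
    #    create or unlink a pidfile inside that directory.
    if [ -n "$rundir" ] && { [ -z "$user" ] || [ "$user" = root ]; }; then
        echo "RuntimeDirectory=$rundir is root-owned (no User=); a daemon that drops privileges itself cannot unlink files in /run/$rundir"
    fi

    # 3. Informational: a ReadWritePaths entry nested under another entry
    #    adds nothing, so listing it will not change what is writable.
    for p in $rwpaths; do
        for q in $rwpaths; do
            if [ "$p" != "$q" ]; then
                case "$p" in "$q"/*) echo "ReadWritePaths: $p is already covered by $q" ;; esac
            fi
        done
    done
}

# count_findings TEXT: number of findings (0 when the unit is clean).
count_findings() {
    lint_unit "$1" | grep -c . || true
}

lint_unit "$UNIT_NO_USER"
echo "---"
lint_unit "$UNIT_WITH_USER"
```

Run against the first unit it reports the root-owned runtime directory and the redundant `/run/nsd` entry; against the second it reports the missing ambient capability instead. The lint only reads the unit text, so it cannot tell whether `systemctl daemon-reload` has been run since the file was edited; that has to be checked separately.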