[nsd-users] NSD still shows permission errors on Debian 10 Buster

Anders Giversen giversen at giver.dk
Wed May 27 12:33:44 UTC 2020


Hi

Try to add CAP_DAC_OVERRIDE to CapabilityBoundingSet so it ends up being:

CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT

Best regards
Anders Giversen

On 27-05-2020 08:22, Kaulkwappe via nsd-users wrote:
> Hi MJ,
> 
> unfortunately I couldn't fix it. I tried one billion things, but
> nothing worked. So I needed to go the hard way and commented this out
> in /etc/systemd/system/multi-user.target.wants/nsd.service:
> 
> #CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> 
> Kind Regards,
> Kaulkwappe
> 
> -------------------------
> From: mj via nsd-users <nsd-users at lists.nlnetlabs.nl>
> Sent: Tuesday, 26. May 2020 – 11:58 CEST +0200
> To: nsd-users at lists.nlnetlabs.nl
> 
> Subject: [nsd-users] NSD still shows permission errors on Debian 10
> Buster
> 
> Hi,
> 
> Subscribed specially to reply to the subject thread.
> 
> I am also trying to run nsd on debian buster, and it's not working so
> nicely. :-)
> 
>> error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
>> warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
> 
> I added "/var/log" and "/run/nsd" ReadWritePaths to the nsd.service
> file, but the error remains:
> 
>> [Unit]
>> Description=Name Server Daemon
>> Documentation=man:nsd(8)
>> After=network.target
>> 
>> [Service]
>> Type=notify
>> Restart=always
>> ExecStart=/usr/sbin/nsd -d
>> ExecReload=+/bin/kill -HUP $MAINPID
>> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>> MemoryDenyWriteExecute=true
>> NoNewPrivileges=true
>> PrivateDevices=true
>> PrivateTmp=true
>> ProtectHome=true
>> ProtectControlGroups=true
>> ProtectKernelModules=true
>> ProtectKernelTunables=true
>> ProtectSystem=strict
>> ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
>> RuntimeDirectory=nsd
>> RestrictRealtime=true
>> SystemCallArchitectures=native
>> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
>> 
>> [Install]
>> WantedBy=multi-user.target
> 
> I read in Paul Wouters' reply to add nsd User/Group to the service file,
> but then nsd no longer starts, as the nsd user has no permission to bind
> to port 53:
> 
>> error: can't bind udp socket: Permission denied
> 
> I wanted to migrate from bind to nsd, but it seems the debian package
> could use some love. :-)
> 
> Does anyone have a suggestion how to proceed? (a working systemd file
> perhaps?)
> 
> Thanks,
> MJ
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
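As an added example (not from anyone in the thread), a systemd drop-in that applies Anders' suggested bounding set without editing the packaged unit that the multi-user.target.wants symlink points at, so a package upgrade does not silently undo it. It assumes the Debian unit quoted above and the /etc/systemd/system/nsd.service.d/override.conf path that "systemctl edit nsd.service" creates.

```ini
# /etc/systemd/system/nsd.service.d/override.conf
# Added example, not from the thread. Create it with "systemctl edit nsd.service",
# then run "systemctl daemon-reload && systemctl restart nsd".
[Service]
# CapabilityBoundingSet= lines are merged (OR) across the unit and its drop-ins;
# an empty assignment resets the set first, so the line below is the complete
# bounding set rather than an addition to the packaged one.
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT

# CAP_DAC_OVERRIDE lets the daemon bypass file permission checks, which is
# what the /var/log/nsd.log and /run/nsd/nsd.pid errors are about. It is a
# wider grant than the packaged unit intended, so keep ProtectSystem=strict
# and the packaged ReadWritePaths= in place to bound where it can matter.

# Alternative not tried in the thread: run as the nsd user (Paul Wouters'
# suggestion) and hand it only the bind capability. Uncomment these, leave
# CAP_DAC_OVERRIDE out of the set above, and make sure /var/log/nsd.log is
# writable by the nsd user. Ambient capabilities survive NoNewPrivileges=true,
# so this addresses the "can't bind udp socket" error MJ quotes.
#User=nsd
#Group=nsd
#AmbientCapabilities=CAP_NET_BIND_SERVICE
```

After restarting, "systemctl show nsd -p CapabilityBoundingSet -p AmbientCapabilities" shows the effective sets so you can confirm the drop-in was picked up.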

