[nsd-users] NSD still shows permission errors on Debian 10 Buster

Simon Deziel simon at sdeziel.info
Wed May 27 14:37:39 UTC 2020


Hi MJ and Kaulkwappe,

As you saw, you need to add "ReadWritePaths=/var/log/" to the systemd
unit so that nsd can create the file.

When you do so, on first startup, nsd changes UID from root -> nsd and
then creates /var/log/nsd.log:

root at d10-nsd:~# ls -l /var/log/nsd.log
-rw-r--r-- 1 nsd nsd 151 May 27 14:15 /var/log/nsd.log

On subsequent starts, nsd checks if it can append to the log while still
running as root. I believe this is a bug as this check should happen
after the switch from root->nsd. You can work around it by using the big
hammer that is CAP_DAC_OVERRIDE [*] or by adding this with `systemctl edit nsd`:

[Service]
ExecStartPre=-/bin/chown --quiet root:root /var/log/nsd.log

This way, systemd will make the file root-owned to please nsd, which will
chown it right after starting.


As for the failed unlinking of the pidfile, this is harmless and should
not be logged as a warning. It may already be fixed in newer releases as
it was done with Unbound already.

HTH,
Simon


*: If you use the CAP_DAC_OVERRIDE way, you don't need to list all the
caps as they are additive. This alone would do:

[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE
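
Putting the two parts of the fix above together, this is what a complete
drop-in looks like once `systemctl edit nsd` has saved it to
/etc/systemd/system/nsd.service.d/override.conf. It is an added example,
not text from the original message or from the Debian package; the paths
and the `-` prefix follow the thread, and the commented-out
CAP_DAC_OVERRIDE line shows the broader alternative as a labelled option.

```ini
# /etc/systemd/system/nsd.service.d/override.conf
# Added example drop-in (not from the original post or the Debian package).
# ReadWritePaths= and CapabilityBoundingSet= in a drop-in are merged with the
# values already in the packaged unit, so only the additions are listed here.
[Service]
# ProtectSystem=strict makes the filesystem read-only except for the listed
# paths; /var/log is needed so nsd can create and append to /var/log/nsd.log.
ReadWritePaths=/var/log/

# nsd tests whether it can append to the log while still running as root,
# before it has switched to the nsd user. Handing the file back to root
# before each start keeps that check happy; nsd chowns it to nsd:nsd again
# right after starting. The leading "-" makes a failure non-fatal (for
# example on the very first start, before the file exists).
ExecStartPre=-/bin/chown --quiet root:root /var/log/nsd.log

# Alternative: let the root part of nsd bypass DAC permission checks entirely.
# Left commented out because it widens what a compromised nsd could do while
# it still runs as root; the chown above is enough for this problem.
#CapabilityBoundingSet=CAP_DAC_OVERRIDE
```

After `systemctl daemon-reload` and `systemctl restart nsd`,
`systemctl show nsd -p ReadWritePaths -p CapabilityBoundingSet` prints the
merged values, and `ls -l /var/log/nsd.log` should show nsd:nsd again once
the daemon has dropped privileges. Note that ExecStartPre= without a "+"
prefix runs inside the same sandbox as the service, so the chown works only
because CAP_CHOWN is already in the packaged bounding set and /var/log is
in ReadWritePaths=.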


On 2020-05-27 9:35 a.m., mj via nsd-users wrote:
> Hi Anders!
> 
> That helps for the log file. Thanks!
> 
> However, the pid warning remains:
> 
>> nsd[27759]: warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
> 
> Not terrible, but any idea how to solve that one..?
> 
> I also tried commenting out the entire line, as suggested by Kaulkwappe,
> (thanks for that, Kaulkwappe!) but also then the pid warning remains.
> 
> Thanks very much for your kind help!
> 
> MJ
> 
> On 5/27/20 2:33 PM, Anders Giversen via nsd-users wrote:
>> Hi
>>
>> Try to add CAP_DAC_OVERRIDE to CapabilityBoundingSet so it ends up being:
>> CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>>
>> Best regards
>> Anders Giversen
>>
>> On 27-05-2020 08:22, Kaulkwappe via nsd-users wrote:
>>> Hi MJ,
>>>
>>> unfortunately I couldn't fix it. I tried one billion things, but
>>> nothing worked. So I needed to go the hard way and commented this out
>>> in /etc/systemd/system/multi-user.target.wants/nsd.service:
>>>
>>> #CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>>>
>>> Kind Regards,
>>> Kaulkwappe
>>>
>>> -------------------------
>>> From: mj via nsd-users <nsd-users at lists.nlnetlabs.nl>
>>> Sent: Tuesday, 26. May 2020 – 11:58 CEST +0200
>>> To: nsd-users at lists.nlnetlabs.nl
>>>
>>> Subject: [nsd-users] NSD still shows permission errors on Debian 10
>>> Buster
>>>
>>> Hi,
>>>
>>> Subscribed specially to reply to the subject thread.
>>>
>>> I am also trying to run nsd on debian buster, and it's not working so
>>> nicely. :-)
>>>
>>>> error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
>>>> warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
>>>
>>> I added "/var/log" and "/run/nsd" ReadWritePaths to the nsd.service
>>> file, but the error remains:
>>>
>>>> [Unit]
>>>> Description=Name Server Daemon
>>>> Documentation=man:nsd(8)
>>>> After=network.target
>>>>
>>>> [Service]
>>>> Type=notify
>>>> Restart=always
>>>> ExecStart=/usr/sbin/nsd -d
>>>> ExecReload=+/bin/kill -HUP $MAINPID
>>>> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>>>> MemoryDenyWriteExecute=true
>>>> NoNewPrivileges=true
>>>> PrivateDevices=true
>>>> PrivateTmp=true
>>>> ProtectHome=true
>>>> ProtectControlGroups=true
>>>> ProtectKernelModules=true
>>>> ProtectKernelTunables=true
>>>> ProtectSystem=strict
>>>> ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
>>>> RuntimeDirectory=nsd
>>>> RestrictRealtime=true
>>>> SystemCallArchitectures=native
>>>> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources
>>>>
>>>> [Install]
>>>> WantedBy=multi-user.target
>>>
>>> I read in Paul Wouters' reply to add nsd User/Group to the service file,
>>> but then nsd no longer starts, as the nsd user has no permission to bind
>>> to port 53:
>>>
>>>> error: can't bind udp socket: Permission denied
>>>
>>> I wanted to migrate from bind to nsd, but it seems the debian package
>>> could use some love. :-)
>>>
>>> Does anyone have a suggestion how to proceed..? (a working systemd file
>>> perhaps?)
>>>
>>> Thanks,
>>> MJ
>>> _______________________________________________
>>> nsd-users mailing list
>>> nsd-users at lists.nlnetlabs.nl
>>> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
