[nsd-users] NSD still shows permission errors on Debian 10 Buster

Anand Buddhdev anandb at ripe.net
Wed May 27 15:48:24 UTC 2020


On 27/05/2020 16:37, Simon Deziel via nsd-users wrote:

Hi Simon,

> As you saw, you need to add "ReadWritePaths=/var/log/" to the systemd
> unit so that nsd can create the file.
> 
> When you do so, on first startup, nsd changes UID from root -> nsd and
> then creates /var/log/nsd.log:
> 
> root@d10-nsd:~# ls -l /var/log/nsd.log
> -rw-r--r-- 1 nsd nsd 151 May 27 14:15 /var/log/nsd.log
> 
> On subsequent starts, nsd checks if it can append to the log while still
> running as root. I believe this is a bug as this check should happen

Are you certain of this? I have never seen any errors on my NSD systems.

> after the switch from root->nsd. You can work around it by using the big
> hammer that is CAP_DAC_OVERRIDE [*] or add this with `systemctl edit nsd`:
> 
> [Service]
> ExecStartPre=-/bin/chown --quiet root:root /var/log/nsd.log

All of this seems to be band-aid upon band-aid of unnecessary hacks.

> As for the failed unlinking of the pidfile, this is harmless and should
> not be logged as a warning. It may already be fixed in newer releases as
> it was done with Unbound already.

PID files are so passé! They are irrelevant on systems where daemons are 
run under supervisors. I would highly recommend setting "pidfile" to "" 
in nsd.conf. This prevents creation of a PID file. Systemd already knows 
the PID of the NSD process, and can signal it directly.

Regards,
Anand
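
Added example, not part of the original thread and not NSD's code: a simplified model of the Linux file-permission (DAC) write check, showing why a root process without CAP_DAC_OVERRIDE cannot append to the nsd-owned 0644 log described in the quoted message, and why the chown workaround changes the outcome. It assumes the hardened systemd unit withholds that capability (implied by the quoted workaround); the UID/GID 113 for nsd and the function names are constructed for illustration.

```python
import stat

CAP_DAC_OVERRIDE = "CAP_DAC_OVERRIDE"


def may_write(uid, gids, caps, owner, group, mode):
    """Simplified model of the kernel's DAC write check on a regular file.

    UID 0 gets no special treatment here: on Linux, root's power to ignore
    mode bits comes from CAP_DAC_OVERRIDE, not from the UID itself.
    """
    if CAP_DAC_OVERRIDE in caps:
        return True                        # capability bypasses the mode bits
    if uid == owner:
        return bool(mode & stat.S_IWUSR)   # only the owner bits are consulted
    if group in gids:
        return bool(mode & stat.S_IWGRP)   # only the group bits are consulted
    return bool(mode & stat.S_IWOTH)       # everyone else: "other" bits


# Constructed IDs; the mode matches the -rw-r--r-- listing in the quoted message.
ROOT, NSD = 0, 113
LOG_MODE = 0o644


def scenarios():
    """Outcome of the append check for each case discussed in the thread."""
    return {
        # Log created by nsd; checked while still root, capability withheld.
        "root_no_cap_nsd_owned": may_write(ROOT, {0}, set(), NSD, NSD, LOG_MODE),
        # Same check with the "big hammer" capability granted.
        "root_with_cap_nsd_owned": may_write(
            ROOT, {0}, {CAP_DAC_OVERRIDE}, NSD, NSD, LOG_MODE
        ),
        # Same check performed after the switch to the nsd user.
        "nsd_nsd_owned": may_write(NSD, {NSD}, set(), NSD, NSD, LOG_MODE),
        # After the ExecStartPre chown to root:root, capability still withheld.
        "root_no_cap_root_owned": may_write(ROOT, {0}, set(), ROOT, ROOT, LOG_MODE),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'write allowed' if allowed else 'EACCES'}")
```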

