[nsd-users] NSD still shows permission errors on Debian 10 Buster

Simon Deziel simon at sdeziel.info
Wed May 27 17:21:44 UTC 2020

On 2020-05-27 11:52 a.m., Wouter Wijngaards via nsd-users wrote:
> Hi,
> On 27/05/2020 17:48, Anand Buddhdev via nsd-users wrote:
>> On 27/05/2020 16:37, Simon Deziel via nsd-users wrote:
>> Hi Simon,
>>> As you saw, you need to add "ReadWritePaths=/var/log/" to the systemd
>>> unit so that nsd can create the file.
>>> When you do so, on first startup, nsd changes UID from root -> nsd and
>>> then creates /var/log/nsd.log:
>>> root@d10-nsd:~# ls -l /var/log/nsd.log
>>> -rw-r--r-- 1 nsd nsd 151 May 27 14:15 /var/log/nsd.log
>>> On subsequent starts, nsd checks if it can append to the log while still
>>> running as root. I believe this is a bug as this check should happen
>> Are you certain of this? I have never seen any errors on my NSD systems.
> I tried to fix the contrib nsd.service by adding Simon's suggestion to
> it, if that is wrong let me know:
> https://github.com/NLnetLabs/nsd/commit/922d5a27f8b291b1157530cfde49707c134cf486

I think this should be fixed rather than worked around like that. See my
other email, please.

That said, I must admit that I never used that contrib/nsd.service file,
only Debian's. The contrib one seems to be a mangled copy of Debian's
[*] because it has the same typo I fixed in the SystemCallFilter mount
rule (s/mount/@mount/).

Ideally, this contrib file should become the canonical reference used by
downstream distro providers. I would certainly welcome a switch to using
User=nsd as suggested by Paul Wouter but that requires other distros to
buy in.

> Also the unlink error message is fixed in the same manner as Unbound's
> printout; by silencing it to avoid chatter due to permission errors.  It
> seems like NSD did manage to empty the file for MJ, but not unlink it.
> https://github.com/NLnetLabs/nsd/commit/bcc9b1107e1bc6a728f95c904db9603105a142ac

So 4.3.2 doesn't have that annoying message, thanks!
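
A small lint for the two unit-file problems raised in this thread (a log path not covered by ReadWritePaths=, and a SystemCallFilter= entry missing its "@"), added here as an example; it is not part of the original message or of NSD. The sample unit is constructed, and the check assumes the unit sets ProtectSystem=strict, which the thread does not state.

```python
import os

# Subset of systemd's predefined system call sets (systemd.exec(5)), without '@'.
SYSCALL_SETS = {"clock", "cpu-emulation", "debug", "keyring", "module", "mount",
                "obsolete", "privileged", "raw-io", "reboot", "resources", "swap"}

def parse_service(text):
    """Collect [Service] directives as lists of whitespace-separated tokens."""
    opts, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            opts.setdefault(key.strip(), []).extend(value.split())
    return opts

def covered(path, roots):
    """True if path equals, or lies below, one of the listed roots."""
    path = os.path.normpath(path)
    roots = [os.path.normpath(r.lstrip("-+")) for r in roots]
    return any(os.path.commonpath([path, r]) == r for r in roots)

def lint(unit_text, logfile):
    """Return findings for the two problems discussed in the thread."""
    opts = parse_service(unit_text)
    # A bare 'mount' names only the mount(2) syscall, so systemd accepts it silently.
    names = [t.lstrip("~") for t in opts.get("SystemCallFilter", [])]
    findings = [f"SystemCallFilter: '{n}' lacks '@', so the @{n} set is not matched"
                for n in names if n in SYSCALL_SETS]
    strict = opts.get("ProtectSystem", ["no"])[-1] == "strict"
    if strict and not covered(logfile, opts.get("ReadWritePaths", [])):
        findings.append(f"ReadWritePaths: {logfile} is not writable under "
                        "ProtectSystem=strict")
    return findings

# Constructed sample unit (not the contents of contrib/nsd.service).
BROKEN = """[Service]
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
SystemCallFilter=~@clock @module mount @obsolete @raw-io
"""
FIXED = BROKEN.replace("/run", "/run /var/log/").replace(" mount ", " @mount ")

if __name__ == "__main__":
    for label, unit in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(unit, "/var/log/nsd.log"))
```

The sets available on a given host can be listed with `systemd-analyze syscall-filter`.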


