[nsd-users] NSD still shows permission errors on Debian 10 Buster
Simon Deziel
simon at sdeziel.info
Wed May 27 17:21:44 UTC 2020
On 2020-05-27 11:52 a.m., Wouter Wijngaards via nsd-users wrote:
> Hi,
>
> On 27/05/2020 17:48, Anand Buddhdev via nsd-users wrote:
>> On 27/05/2020 16:37, Simon Deziel via nsd-users wrote:
>>
>> Hi Simon,
>>
>>> As you saw, you need to add "ReadWritePaths=/var/log/" to the systemd
>>> unit so that nsd can create the file.
>>>
>>> When you do so, on first startup, nsd changes UID from root -> nsd and
>>> then creates /var/log/nsd.log:
>>>
>>> root at d10-nsd:~# ls -l /var/log/nsd.log
>>> -rw-r--r-- 1 nsd nsd 151 May 27 14:15 /var/log/nsd.log
>>>
>>> On subsequent starts, nsd checks if it can append to the log while still
>>> running as root. I believe this is a bug as this check should happen
>>
>> Are you certain of this? I have never seen any errors on my NSD systems.
>
> I tried to fix the contrib nsd.service by adding Simon's suggestion to
> it, if that is wrong let me know:
> https://github.com/NLnetLabs/nsd/commit/922d5a27f8b291b1157530cfde49707c134cf486
I think this should be fixed rather than worked around like that. See my
other email, please.
That said, I must admit that I never used that contrib/nsd.service file,
only Debian's. The contrib one seems to be a mangled copy of Debian's
[*] because it has the same typo I fixed in the SystemCallFilter mount
rule (s/mount/@mount/).
Ideally, this contrib file should become the canonical reference used by
downstream distro providers. I would certainly welcome a switch to using
User=nsd as suggested by Paul Wouter but that requires other distros to
buy in.
> Also the unlink error message is fixed in the same manner as Unbound's
> printout; by silencing it to avoid chatter due to permission errors. It
> seems like NSD did manage to empty the file for MJ, but not unlink it.
> https://github.com/NLnetLabs/nsd/commit/bcc9b1107e1bc6a728f95c904db9603105a142ac
So 4.3.2 doesn't have that annoying message, thanks!
Regards,
Simon
*:
https://salsa.debian.org/dns-team/nsd/-/blob/debian/master/debian/nsd.service
More information about the nsd-users
mailing list