HowtoForge Forums > Linux Forums > Server Operation

#1  25th March 2008, 21:53  Djamu
Ubuntu Hardy chrooted bind9 fails to start > FIXED

Preparing to move my server to LTS Ubuntu Hardy (just testing using VMware), I've found a weird issue while chrooting bind (following The Perfect Server Setup).
So I guess this will pop up sooner or later anyway...

What I did so far (all as root):

Code:
apt-get install bind9
/etc/init.d/bind9 stop

Changed the first line of /etc/default/bind9:

Code:
vim /etc/default/bind9
> changed first line to > OPTIONS="-u bind -t /var/lib/named"

Created some directories and a link to move /etc/bind to /var/lib/named/etc/bind, created the null and random devices, and fixed permissions:

Code:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

Fixed /etc/default/syslogd:

Code:
vim /etc/default/syslogd
> SYSLOGD="-a /var/lib/named/dev/log"
This has always worked in the past, but it doesn't on Hardy 8.04.

If I try to start it with > /etc/bind9 start, it simply fails.
Stopping it gives >

Code:
rndc: connect failed: 127.0.0.1#953: connection refused

vim /var/log/syslog reveals

Code:
Mar 25 08:06:57 hardy-server named[11824]: starting BIND 9.4.2 -u bind -t /var/lib/named
Mar 25 08:06:57 hardy-server named[11824]: found 1 CPU, using 1 worker thread
Mar 25 08:06:57 hardy-server named[11824]: loading configuration from '/etc/bind/named.conf'
Mar 25 08:06:57 hardy-server named[11824]: none:0: open: /etc/bind/named.conf: permission denied
Mar 25 08:06:57 hardy-server named[11824]: loading configuration: permission denied
Mar 25 08:06:57 hardy-server named[11824]: exiting (due to fatal error)
Mar 25 08:06:57 hardy-server kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"
Anybody any idea? I've checked permissions, locations... and with Feisty / Gutsy this just worked...

thx..
__________________
Windows, the only virus you pay for

Last edited by Djamu; 2nd April 2008 at 23:18.

#2  26th March 2008, 09:02  topdog (South Africa)

As you can see from the error messages, this is a permissions issue: the config file cannot be read by named.
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.

#3  26th March 2008, 09:04  topdog

Come to think of it, looking at the last line, it could be AppArmor that is blocking access to the file.
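The kernel audit line quoted in the first post is the evidence that separates an AppArmor denial from an ordinary file-permission problem: it names the confining profile, the real (outside-the-chroot) path that was refused, and the denied mode. The shell script below is an added example, not something posted in this thread, that pulls those three fields out of a syslog extract so the denied paths can be compared against the profile. The log lines are constructed for the example (the second mirrors the denial quoted above), and the field layout assumed is the 2008-era `audit(...)` format shown in the thread.

```shell
#!/bin/sh
# Constructed sample syslog extract. The second line mirrors the AppArmor
# denial quoted in this thread; the others are made up for the example.
SAMPLE_LOG='Mar 25 08:06:57 hardy-server named[11824]: none:0: open: /etc/bind/named.conf: permission denied
Mar 25 08:06:57 hardy-server kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"
Mar 25 08:07:10 hardy-server kernel: [ 9149.100000] audit(1206428830.000:4): operation="inode_permission" request_mask="rw::" denied_mask="w::" name="/var/lib/named/dev/random" pid=11825 profile="/usr/sbin/named" namespace="default"
Mar 25 08:07:11 hardy-server sshd[2001]: Accepted publickey for admin from 10.0.0.5 port 2222 ssh2'

# apparmor_denials LOGTEXT
# Prints one tab-separated "profile<TAB>real path<TAB>denied mode" line per
# AppArmor denial. Only kernel audit lines carrying denied_mask= count; the
# daemon's own "permission denied" line is ignored because it shows the path
# as seen inside the chroot, not the path AppArmor actually mediated.
# Paths containing spaces are not handled (the line is split on whitespace).
apparmor_denials() {
    printf '%s\n' "$1" | awk '
        /audit\(/ && /denied_mask=/ {
            prof = ""; path = ""; mode = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^profile=/)     prof = $i
                if ($i ~ /^name=/)        path = $i
                if ($i ~ /^denied_mask=/) mode = $i
            }
            # drop the key= prefix and the surrounding quotes
            sub(/^[a-z_]*=/, "", prof); gsub("\"", "", prof)
            sub(/^[a-z_]*=/, "", path); gsub("\"", "", path)
            sub(/^[a-z_]*=/, "", mode); gsub("\"", "", mode)
            sub(/:.*$/, "", mode)          # "r::" -> "r": keep the mode letters only
            printf "%s\t%s\t%s\n", prof, path, mode
        }'
}

# denied_paths_for PROFILE LOGTEXT
# Lists the distinct real paths one profile was denied, one per line; this is
# the list to check against the rules in /etc/apparmor.d/<profile>.
denied_paths_for() {
    apparmor_denials "$2" | awk -F'\t' -v p="$1" '$1 == p { print $2 }' | sort -u
}

# Stand-alone run: summarise the constructed log.
apparmor_denials "$SAMPLE_LOG"
echo "--- paths /usr/sbin/named was denied:"
denied_paths_for /usr/sbin/named "$SAMPLE_LOG"
```

On a live system the same functions can be fed `grep audit /var/log/syslog` (or the kernel log) instead of the constructed text; a denial whose path starts with the chroot base is the signature of a profile still written for the non-chroot layout.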

#4  2nd April 2008, 16:38  Djamu

Woohoo, cool, that was it: after purging this package it worked. Obviously this is not the way to do this, but now I know for certain... AppArmor is something new on Ubuntu, I wasn't aware of it... I'll take a look in the SUSE community for a decent manual.

thank you,

#5  2nd April 2008, 23:13  Djamu
Fixed

Here's the fix. I don't know if it makes much sense to chroot and use AppArmor at the same time... guess there's no harm either...

Follow the procedure described above and end with

Code:
vim /etc/apparmor.d/usr.sbin.named
and change the marked lines

Code:
# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # Dynamic updates needs zone and journal files rw. We just allow rw for all
  # in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
  /var/lib/named/etc/bind/* rw,

  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/cache/bind/* rw,
  /var/lib/named/var/run/bind/run/named.pid w,
  # /var/run/bind/run/named.pid w,
  # support for resolvconf
  /var/lib/named/var/run/bind/named.options r,
  # /var/run/bind/named.options r,

  # also add the following lines, thanks to Spezi2u
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,


}
Don't forget to (re)start the services

Code:
/etc/init.d/sysklogd restart
/etc/init.d/apparmor start
/etc/init.d/bind9 start

Last edited by Djamu; 29th April 2008 at 12:54.

#6  3rd April 2008, 08:39  topdog

I wonder why they would ship a policy that does not work. I am not sure if it will work in the chroot, as most MAC systems use the real file path; test if you can and let us know.

#7  3rd April 2008, 17:14  Djamu

Quote:
Originally Posted by topdog
I wonder why they would ship a policy that does not work. I am not sure if it will work in the chroot, as most MAC systems use the real file path; test if you can and let us know.
Well, the policy did work until I moved and chrooted it... so IMHO that makes sense, because that's part of what AppArmor is supposed to do (my rudimentary understanding of creating a hat).
I used a symbolic link for all libraries that have paths hard coded (if I understand you correctly); Bind seems to behave properly, so until now all is well.

I still don't know if there's a point in using chrooting and AppArmor at the same time, as it might as well weaken security instead of additional hardening...

If someone knows of a deprecated package with known weaknesses I might be able to test those in this kind of environment (why aren't there 48h days).

But before that I have to solve another issue with compiling the ISPConfig package, as it's complaining about wrong syntax in an empty httpd.conf ...

#8  29th April 2008, 12:42  Spezi2u (Frankfurt/M.)
Still some problems

Thanks for the help on AppArmor. I have noticed that bind will still not access the random device and AppArmor seems to go out of the chroot jail and take the old one, so I have just added two lines at the end of

/etc/apparmor.d/usr.bin.named

Code:
[...]
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,
[...]
That seemed to do the trick. Bind starts perfectly now.
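Posts #5 and #8 together show the practical consequence of topdog's point: AppArmor mediates the real path the kernel resolves, so every rule in the stock profile that named needs inside the jail has to be rewritten with the chroot base prefixed, the device nodes created with mknod included. The script below is an added example, not the thread's own fix and not Ubuntu's profile; it derives the chroot-prefixed rules from a list of paths (constructed from the rules shown in this thread; on a real system the list should be extended from the audit log) and reports which of them an existing profile text still lacks. The two profile texts are constructed from the profile posted in #5, once without and once with Spezi2u's two device lines.

```shell
#!/bin/sh
# Chroot base used in this thread's setup (-t /var/lib/named).
CHROOT=/var/lib/named

# Paths named needs, written as the stock (non-chroot) profile lists them:
# "<host path> <mode>". Constructed from the rules shown in this thread;
# extend it from audit denials on a real system.
NEEDED_RULES='/etc/bind/* rw
/var/run/bind/run/named.pid w
/var/run/bind/named.options r
/dev/null rw
/dev/random rw'

# chroot_rule BASE PATH MODE
# Emits one AppArmor file rule on the real (chroot-prefixed) path. AppArmor
# sees the path the kernel resolves, so "/etc/bind/*" in the stock profile
# grants nothing to a named that opens /etc/bind/named.conf from inside
# /var/lib/named.
chroot_rule() {
    printf '  %s%s %s,\n' "$1" "$2" "$3"
}

# chroot_rules BASE
# Emits the complete rewritten rule set for a chroot base.
chroot_rules() {
    printf '%s\n' "$NEEDED_RULES" | while read -r path mode; do
        chroot_rule "$1" "$path" "$mode"
    done
}

# missing_rules BASE PROFILE_TEXT
# Prints every rewritten rule that does not appear in PROFILE_TEXT; an empty
# result means the profile covers everything in NEEDED_RULES.
missing_rules() {
    chroot_rules "$1" | while read -r rule; do
        # fixed-string search on "<path> <mode>" so the "*" is not a glob
        needle=${rule%,}
        printf '%s\n' "$2" | grep -qF -- "$needle" || printf '  %s\n' "$rule"
    done
}

# Constructed profile fragments: the essential file rules from the profile
# posted in #5, and the same fragment with the two device lines from #8.
PROFILE_BEFORE='/usr/sbin/named {
  capability sys_chroot,
  /var/lib/named/etc/bind/* rw,
  /usr/sbin/named mr,
  /var/cache/bind/* rw,
  /var/lib/named/var/run/bind/run/named.pid w,
  /var/lib/named/var/run/bind/named.options r,
}'
PROFILE_AFTER='/usr/sbin/named {
  capability sys_chroot,
  /var/lib/named/etc/bind/* rw,
  /usr/sbin/named mr,
  /var/cache/bind/* rw,
  /var/lib/named/var/run/bind/run/named.pid w,
  /var/lib/named/var/run/bind/named.options r,
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,
}'

# Stand-alone run: show what the profile from #5 still lacks, and that the
# version with the #8 lines lacks nothing from the list.
echo "rules missing from the profile before the #8 addition:"
missing_rules "$CHROOT" "$PROFILE_BEFORE"
echo "rules missing after the addition: $(missing_rules "$CHROOT" "$PROFILE_AFTER" | wc -l | tr -d ' ')"
```

Feeding `missing_rules` the real text of /etc/apparmor.d/usr.sbin.named (for example with `"$(cat /etc/apparmor.d/usr.sbin.named)"`) gives the same check on a live system; whatever it prints is exactly what the audit log would later report as denied.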

#9  29th April 2008, 12:51  Djamu

OK thx, didn't notice yet (stopped working on it), pretty busy debugging a bogus driver..
I'll add it to the howto...

#10  2nd May 2008, 17:13  omni

I just ran into this problem as well after upgrading to 8.04 LTS, and this fixed it perfectly!

Thanks for the info guys!
All times are GMT +2.