#1  
Old 8th March 2006, 18:51
spaz spaz is offline
Junior Member
Bind-Chroot-Howto (Debian)

Running Debian Sarge, 2.6.11 k7, on a server that also serves apache virtual sites. Server has an internal ip address, 192.168.x.x, is behind a router that forwards ports 80, 22, plus additional ports for bind, smtp (not setup yet) and one or two other ports I can't recall right now to the server.

Followed your how-to, bind-chroot-debian,
# /etc/init.d/bind9 start, get the following in log:

named[25046]: starting BIND 9.2.4 -u bind -t /var/lib/named
named[25046]: using 1 CPU
named[25046]: loading configuration from '/etc/bind/named.conf'
named[25046]: none:0: open: /etc/bind/named.conf: permission denied
named[25046]: loading configuration: permission denied
named[25046]: exiting (due to fatal error)

Time and server name have been removed from the log lines above to make them more readable.

I think I have a permission problem in one of the directories created during one of the steps. After it failed the first time and I couldn't figure out what was wrong, I removed (purged) bind9 and started over a couple of times. But the directories that are created during one of the steps in the how-to remained, so the directory/permission problem may remain as well, if that is the problem.

Note that I had a restrictive umask setting for root as I am very paranoid about security. After I ran into problems, I changed it back to what was recommended to me on a debian list or what I found on another debian install, can't remember which.

Thinking back, I may have bind running as the wrong user, the config file may have the wrong user or group set, and I did try to make the config file readable to all to see if that fixed the problem. Nothing worked.

In /etc, the bind directory has root and bind as user/group, with rwxr-sr-x as permissions; the named.conf file is bind/bind with 664, rndc.key is 640, and all the other files in /etc/bind are user/group bind/bind and either 664 or 644.

Thanks in advance for any help.
  #2  
Old 8th March 2006, 20:30
falko falko is offline
Super Moderator

Please post the output of
Code:
ls -la /etc/bind
  #3  
Old 9th March 2006, 00:53
spaz spaz is offline
Junior Member

# ls -la /etc/bind
total 53
drwxr-sr-x 2 root bind 376 2005-08-06 10:22 .
drwxr-xr-x 129 root root 8792 2006-03-08 03:45 ..
lrwxrwxrwx 1 bind bind 23 2005-08-06 10:22 bind -> /var/lib/named/etc/bind

-rw-r--r-- 1 bind bind 237 2004-09-23 11:25 db.0
-rw-r--r-- 1 bind bind 271 2004-09-23 11:25 db.127
-rw-r--r-- 1 bind bind 237 2004-09-23 11:25 db.255
-rw-r--r-- 1 bind bind 353 2004-09-23 11:25 db.empty
-rw-r--r-- 1 bind bind 256 2004-09-23 11:25 db.local
-rw-r--r-- 1 bind bind 1507 2004-09-23 11:25 db.root
-rw-rw-r-- 1 bind bind 1611 2004-09-23 11:25 named.conf
-rw-rw-r-- 1 bind bind 165 2004-09-23 11:25 named.conf.local
-rw-rw-r-- 1 bind bind 672 2004-09-23 11:25 named.conf.options
-rw-r----- 1 bind bind 77 2005-08-06 10:16 rndc.key
-rw-r--r-- 1 bind bind 1317 2004-09-23 11:25 zones.rfc1918

root@22[bind]# ls -la /var/lib/named/etc/bind
total 44
drwxrwxr-x 2 bind bind 352 2004-10-21 00:06 .
drwx------ 3 root root 72 2005-02-08 12:30 ..
-rw-r--r-- 1 bind bind 237 2004-06-18 03:38 db.0
-rw-r--r-- 1 bind bind 271 2004-06-18 03:38 db.127
-rw-r--r-- 1 bind bind 237 2004-06-18 03:38 db.255
-rw-r--r-- 1 bind bind 353 2004-06-18 03:38 db.empty
-rw-r--r-- 1 bind bind 256 2004-06-18 03:38 db.local
-rw-r--r-- 1 bind bind 1507 2004-06-18 03:38 db.root
-rw-rw---- 1 bind bind 1611 2004-09-23 11:25 named.conf
-rw-rw---- 1 bind bind 165 2004-06-18 03:38 named.conf.local
-rw-rw---- 1 bind bind 672 2004-06-18 03:38 named.conf.options
-rw-r----- 1 bind bind 77 2004-08-21 05:59 rndc.key
-rw-r--r-- 1 bind bind 1317 2004-06-18 03:38 zones.rfc1918

taking a look at the permissions in /var/lib/named/etc/bind, (link from /etc/bind) I tried:

chmod 664 /var/lib/named/etc/bind/named.conf*

and received the same error messages when trying to start bind, so I changed it back to where it was:

chmod 660 /var/lib/named/etc/bind/named.conf*

The output above is the current condition with nothing changed.
  #4  
Old 9th March 2006, 10:14
falko falko is offline
Super Moderator

Do I understand you right that you have a symlink /etc/bind/bind -> /var/lib/named/etc/bind instead of /etc/bind -> /var/lib/named/etc/bind?
  #5  
Old 9th March 2006, 12:11
spaz spaz is offline
Junior Member

Quote:
Originally Posted by falko
Do I understand you right that you have a symlink /etc/bind/bind
Ok, fixed that newbie mistake! Now linking /etc/bind ->
Should it be a soft link? I used "ln" without the -s flag.

After fixing some more permissions on directories (some were 700, changing to 775 and changing group root to bind in relevant subdirectories under /var), I get the following in the logs at startup attempt:

05:53:26 serv named[925]: starting BIND 9.2.4 -u bind -t /var/lib/named
05:53:26 serv named[925]: using 1 CPU
05:53:26 serv named[925]: loading configuration from '/etc/bind/named.conf'
05:53:26 serv named[925]: listening on IPv4 interface lo, 127.0.0.1#53
05:53:26 serv named[925]: listening on IPv4 interface eth0, 192.168.1.4#53
05:53:26 serv named[925]: command channel listening on 127.0.0.1#953
05:53:26 serv named[925]: command channel listening on ::1#953
05:53:26 serv named[925]: couldn't open pid file '/var/run/bind/run/named.pid': No such file or directory

05:53:26 serv named[925]: exiting (due to early fatal error)


Note that /var/run/bind/run/ is empty. Should I "touch" named.pid in /var/run/bind/run/ and if so, what permissions and user/group? Or will this file be created on its own when bind runs? I tried both ways, with directory empty and touching file with 664 root/bind named.pid file, and the error message in logs was same as above.

Just in case it matters, I only have port 53 forwarded from router, and port 53 open on firewall, do not have port 953 open on firewall or forwarded from router.

Thanks so far, a bit of progress.
  #6  
Old 9th March 2006, 14:50
spaz spaz is offline
Junior Member

After googling the error message in the syslog, I found this:

http://www.howtoforge.com/howto_bind...an#comment-275

then followed this in the above post:

I created a file /var/lib/named/var/run/bind/run, started the server again and all was fine.

and the syslog indicates bind is running:

08:10:24 serv named[6395]: starting BIND 9.2.4 -u bind -t /var/lib/named
08:10:24 serv named[6395]: using 1 CPU
08:10:24 serv named[6395]: loading configuration from '/etc/bind/named.conf'
08:10:24 serv named[6395]: listening on IPv4 interface lo, 127.0.0.1#53
08:10:24 serv named[6395]: listening on IPv4 interface eth0, 192.168.1.4#53
08:10:24 serv named[6395]: command channel listening on 127.0.0.1#953
08:10:24 serv named[6395]: command channel listening on ::1#953
08:10:24 serv named[6395]: zone 0.in-addr.arpa/IN: loaded serial 1
08:10:24 serv named[6395]: zone 127.in-addr.arpa/IN: loaded serial 1
08:10:24 serv named[6395]: zone 255.in-addr.arpa/IN: loaded serial 1
08:10:24 serv named[6395]: zone localhost/IN: loaded serial 1
08:10:24 serv named[6395]: running

A few questions:

1. directory ownership: should I follow a subsequent post and do this:
chown -R bind:bind /var/lib/named/var/run/bind/run

since I created some of the directories manually, and some are currently owner root, group bind? Should I change the entire path to owner bind, group bind? Or leave as is?

Second question: what next? Which file(s) am I looking at for my web sites which are currently using xname.org as primary and secondary name servers? Should I pull the zone info from xname.org, then make my dns server primary and xname.org secondary (until I can get access to another subnet and secondary dns server on my own), or should I manually create the zone info for the dozen domains I have and risk breaking them, instead of pulling data from what already works?

3rd question: My dns server is on a local /29 subnet of public ip addresses. Our internal lan is on the same /29. Can I restrict the dns server to use by only the /29 subnet and for authoritative use for the handful of domains? Or will everyone have access to the nameserver because port 53 is open?

Can the restriction be directly in the bind configuration, or can this only be done by the firewall, if at all?

4th question, relevant to everybody following guide:
Doesn't the link in /etc/bind to a different directory or partition (/var) keep the actual configuration file out of /etc, which creates a problem when bind is upgraded due to security reasons in Debian Sarge? Wouldn't the configuration file and any changes made to it be overwritten if/when there is an update because the configuration file is outside of /etc? I'm figuring this is necessary for the chroot, but shouldn't an extra step such as pinning be taken to help prevent inadvertent overwriting of the config files?

A big thanks for all the help!
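On the third question: the restriction can be expressed in BIND's own configuration rather than only at the firewall. The fragment below is an added example, not an answer from the thread or the howto; it uses BIND's standard acl, allow-query, allow-recursion and allow-transfer statements, and 192.0.2.8/29 and 198.51.100.7 are documentation placeholders for the poster's real /29 and the secondary's address. The point is to keep answering authoritative queries for the hosted domains from anywhere while refusing to act as an open recursive resolver for the Internet.

```conf
// Added example for /etc/bind/named.conf.options (not from the thread).
// 192.0.2.8/29 stands in for the local /29; 198.51.100.7 for the secondary.
acl "lan" { 192.0.2.8/29; 127.0.0.1; };
acl "secondaries" { 198.51.100.7; };

options {
    directory "/var/cache/bind";
    // Anyone may ask: the hosted domains must resolve worldwide ...
    allow-query { any; };
    // ... but only the LAN may use this server as a recursive resolver,
    // so it cannot be abused as an open resolver by outside hosts.
    allow-recursion { lan; };
    // Zone transfers only to the listed secondary; none elsewhere.
    allow-transfer { secondaries; };
};
```

The rndc command channel on port 953 is already bound to loopback in the logs above, so it needs no router or firewall opening.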