bind.log permission denied

Noury Fri, 22 Dec 2017 08:09:36 -0800

Package: bind9
Version: 1:9.11.2+dfsg-5
Severity: critical
Justification: breaks unrelated software


Dear Maintainer,

When starting bind9, I have error messages and bind doesn't start
Other packages are unusable because they need it (ex exim4 as it's my MTA)

Extract from /var/log/syslog:

=========== begin =================
Dec 22 16:28:39 colibri named[26358]: none:105: 'max-cache-size 90%' - setting 
to 1760MB (out of 1955MB)
Dec 22 16:28:39 colibri named[26358]: configuring command channel from 
'/etc/bind/rndc.key'
Dec 22 16:28:39 colibri named[26358]: command channel listening on 127.0.0.1#953
Dec 22 16:28:39 colibri named[26358]: configuring command channel from 
'/etc/bind/rndc.key'
Dec 22 16:28:39 colibri named[26358]: command channel listening on ::1#953
Dec 22 16:28:39 colibri named[26358]: isc_stdio_open '/var/log/bind.log' 
failed: permission denied
Dec 22 16:28:39 colibri named[26358]: isc_stdio_open '/var/log/bind.log' 
failed: permission denied
Dec 22 16:28:39 colibri named[26358]: configuring logging: permission denied
Dec 22 16:28:39 colibri named[26358]: loading configuration: permission denied
Dec 22 16:28:39 colibri named[26358]: exiting (due to fatal error)
Dec 22 16:28:39 colibri kernel: [288377.634631] audit: type=1400 
audit(1513956519.915:16): apparmor="DENIED" operation="mknod" 
profile="/usr/sbin/named" name="/var/log/bind.log" pid=26358 
comm="isc-worker0000" requested_mask="c" denied_mask="c" fsuid=110 ouid=110
Dec 22 16:28:39 colibri systemd[1]: bind9.service: Main process exited, 
code=exited, status=1/FAILURE
Dec 22 16:28:39 colibri systemd[1]: bind9.service: Failed with result 
'exit-code'.

=========== end =================

Some other informations:

ls -l /var/log/bind.log:
-rw-rw-r-- 1 root bind 10485840 Jul 28  2016 /var/log/bind.log

grep bind /etc/passwd
bind:x:110:116::/var/cache/bind:/bin/false

grep bind /etc/group
bind:x:116:

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9 depends on:
ii  adduser                3.116
ii  bind9utils             1:9.11.2+dfsg-5
ii  debconf [debconf-2.0]  1.5.65
ii  libbind9-160           1:9.11.2+dfsg-5
ii  libc6                  2.25-3
ii  libcap2                1:2.25-1.2
ii  libcomerr2             1.43.7-1
ii  libdns169              1:9.11.2+dfsg-5
ii  libgeoip1              1.6.11-3
ii  libgssapi-krb5-2       1.15.2-2
ii  libirs160              1:9.11.2+dfsg-5
ii  libisc166              1:9.11.2+dfsg-5
ii  libisccc160            1:9.11.2+dfsg-5
ii  libisccfg160           1:9.11.2+dfsg-5
ii  libjson-c3             0.12.1-1.2
ii  libk5crypto3           1.15.2-2
ii  libkrb5-3              1.15.2-2
ii  liblwres160            1:9.11.2+dfsg-5
ii  libssl1.1              1.1.0g-2
ii  libxml2                2.9.4+dfsg1-5.2
ii  lsb-base               9.20170808
ii  net-tools              1.60+git20161116.90da8a0-1
ii  netbase                5.4

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.11.2+dfsg-5
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "dagami.org"{
        type master;
        file "zone/dagami.org";
        notify yes;
        also-notify{
                173.244.206.26;     # a.transfer.buddyns.com
                217.70.177.40; # ns6.gandi.net
                88.198.106.11; # c.ns.buddyns.com
                103.6.87.125; # c.ns.buddyns.com
        };
        allow-transfer {
                173.244.206.26;     # a.transfer.buddyns.com
                88.198.106.11; # c.ns.buddyns.com
                108.61.224.67; # buddydns
                103.6.87.125; # buddydns
                185.136.176.247; # buddydns
                217.70.177.40; # ns6.gandi.net
                103.6.87.125; # c.ns.buddyns.com
        };
        allow-update {
                127.0.0.1;
                51.255.40.59;
        };
journal "/var/cache/bind/zone/dagami.org.jnl";
};
zone "dagami.tk"{
        type master;
        file "zone/dagami.tk";
        notify yes;
        also-notify{
                173.244.206.26;     # a.transfer.buddyns.com
                88.198.106.11; # c.ns.buddyns.com
        };
        allow-transfer {
                173.244.206.26;     # a.transfer.buddyns.com
                88.198.106.11; # c.ns.buddyns.com
        };
};
zone "1.168.192.IN-ADDR.ARPA"{
        type master;
        file "zone/192.168.1";
        notify no;
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.3.1.0.a.0.0.0.b.c.1.0.a.2.ip6.arpa"{
        type master;
        file "zone/reverse_ipv6";
        notify no;
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.9.4.0.1.0.1.0.0.c.2.5.4.0.a.2.ip6.arpa"{
        type master;
        file "zone/reverse_ipv6_liteserver";
        notify no;
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.2.0.3.0.0.d.1.4.1.0.0.2.ip6.arpa"{
        type master;
        file "zone/reverse_ipv6_colibri";
        notify no;
};


-- debconf information:
  bind9/run-resolvconf: false
  bind9/start-as-user: bind
  bind9/different-configuration-file:

Bug#884995: bind9 doesn't start after upgrade. Complains /var/log/bind.log permission denied

Reply via email to