
Ubuntu: cannot write zone example.com file example.com.zone.signed~: Permission denied #386

Open
nicheosala opened this issue Oct 6, 2024 · 3 comments

Comments

@nicheosala

I use NSD as a secondary name server on Ubuntu. When NSD is asked to write a zone into the zonefile, for example using sudo nsd-control write example.com, journalctl shows the error in the title of this issue:

cannot write zone example.com file example.com.zone.signed~: Permission denied

This is the content of /etc/systemd/system/nsd.service, which is the default Ubuntu systemd unit file:

[Unit]
Description=Name Server Daemon
Documentation=man:nsd(8)
After=network.target

[Service]
Type=notify
Restart=always
ExecStart=/usr/sbin/nsd -d -P ""
ExecReload=+/bin/kill -HUP $MAINPID
# CAP_NET_ADMIN and CAP_NET_RAW required for IP_TRANSPARENT
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
KillMode=mixed
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
RuntimeDirectory=nsd
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources

[Install]
WantedBy=multi-user.target

This is the content of my /etc/nsd/nsd.conf:

remote-control:
    control-enable: yes

server:
    ip-address: 0.0.0.0
    ip-address: ::0
    
    verbosity: 1
    log-only-syslog: yes
    
    hide-version: yes
    hide-identity: yes
    minimal-responses: yes
    refuse-any: yes

key:
    name: "mykey"
    algorithm: hmac-sha256
    secret: XXX

zone:
    name: "example.com"
    allow-notify: X.X.X.X mykey
    request-xfr: X.X.X.X mykey

I replaced my real zone name with example.com everywhere.

@wcawijngaards
Member

The config snippet seems to be missing the 'zonefile' setting. That seems to be important. From the error it would seem that the directory of the zonefile setting is not writable by the server. The ReadWritePaths setting from systemd maybe does not include that directory. Perhaps the directory can be added to the list of writable paths.

@nicheosala
Author

The zonefile should be located in /etc/nsd. So, I tried adding: zonefile: /etc/nsd/example.com.zone.signed in the zone section, but the error persists.

@wcawijngaards
Member

Perhaps the server runs under another username, like nsd, sometimes compiled by default. And that username does not have read and write permissions on the /etc/nsd directory? Depends on the owner and permissions of the directory. To make the new temporary file, the file with ~ at the end, it needs write permission on the directory itself, not just read and write permission on the old zonefile.
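The two checks discussed in this thread, as an added example that is not part of NSD or of this issue: whether the zonefile's directory is covered by the unit's ReadWritePaths= (the sandbox side), and whether a "zonefile~" temporary can actually be created in that directory (the filesystem-permission side). The unit fragment and zone path below are constructed from the values quoted above; the real unit lives at /etc/systemd/system/nsd.service.

```shell
#!/bin/sh
# Added example, not NSD project code. Diagnoses "cannot write zone ... file X~:
# Permission denied" by separating the systemd sandbox from directory permissions.

# rwpaths_cover UNITFILE ZONEFILE -> 0 if dirname(ZONEFILE) is under an entry of
# ReadWritePaths=. With ProtectSystem=strict every other path is read-only.
rwpaths_cover() {
    unit=$1
    dir=$(dirname "$2")
    for p in $(sed -n 's/^ReadWritePaths=//p' "$unit"); do
        p=${p#[-+]}              # drop the optional "-"/"+" entry prefix
        case "$dir" in
            "$p"|"$p"/*) return 0 ;;
        esac
    done
    return 1
}

# tmpfile_writable ZONEFILE -> 0 if "ZONEFILE~" can be created next to it.
# This needs write permission on the directory, not just on the zonefile.
tmpfile_writable() {
    tmp="$1~"
    if ( : > "$tmp" ) 2>/dev/null; then
        rm -f "$tmp"
        return 0
    fi
    return 1
}

# Constructed unit fragment carrying the ReadWritePaths= line from the issue.
work=$(mktemp -d)
cat > "$work/nsd.service" <<'EOF'
[Service]
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
EOF

zone=/etc/nsd/example.com.zone.signed    # zonefile path tried in the issue
if rwpaths_cover "$work/nsd.service" "$zone"; then
    echo "ReadWritePaths covers $(dirname "$zone"); systemd is not the blocker"
else
    echo "add $(dirname "$zone") to ReadWritePaths= via 'systemctl edit nsd.service'"
fi
# If systemd is not the blocker, the running user needs write access to the
# directory itself; compare its owner/mode against the user NSD runs as.
printf 'directory owner: %s\n' \
    "$(stat -c %U "$(dirname "$zone")" 2>/dev/null || echo unknown)"
rm -rf "$work"
```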
