LinuxQuestions.org
Old 08-30-2005, 11:15 PM   #1
KasperLotus
LQ Newbie
 
Registered: Aug 2005
Distribution: Fedora Core 6
Posts: 21

Rep: Reputation: 15
BIND 9 Permission denied when chmod is 777 o_O


Hi,
I've been fiddling with this for 2 days now and I still can't get it to work. I have all the directories up to my pid file chmoded to 755 (and I've tried it with all of them 777) and they are all owned by named and I know BIND is running as named but it still says "cannot open file ".../named.pid" : Permission denied".

Now here's the really weird part, when I run "named -u named -t /var/named/chroot -g" everything works fine, but when I run "service named start" it fails and it says Permission denied. o_O weird huh? Any ideas?

Thanks,
Brandon
 
Old 08-31-2005, 12:58 AM   #2
aznluvsmc
Member
 
Registered: Aug 2004
Location: Newmarket, Ontario
Distribution: OpenSuse 10.2
Posts: 184

Rep: Reputation: 30
Is your named process chrooted? If so, you may not be following the correct path to the named.pid file. What distro are you using?
 
Old 08-31-2005, 01:04 AM   #3
KasperLotus
LQ Newbie
 
Registered: Aug 2005
Distribution: Fedora Core 6
Posts: 21

Original Poster
Rep: Reputation: 15
My bind is chrooted and the path I have to the named.pid file is (absolute path) /var/named/chroot/var/run/named.pid. I've tried many other paths and they all give the same error. I'm running Fedora Core 4.

EDIT: Another problem I just remembered, whenever I run it in the foreground, it should still technically be running. If I make changes to the domains I am DNSing then it should update them when I restart right? I originally configured the domains with the wrong IPs so now that I've fixed it and I run it in the foreground, shouldn't a "host" command retrieve the updates instead?

EDIT2: Experimenting with dig, I discovered that my nameserver finally updated and nslookup and host said the same, but now it says that the connection was refused when I try to go to www.unnaturalfusion.com. My firewall and router are set up correctly, any ideas?

Last edited by KasperLotus; 08-31-2005 at 01:24 AM.
 
Old 08-31-2005, 05:40 AM   #4
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Are you talking about the dig query was refused? i.e. status REFUSED
Code:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46206
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
If that's the case, then I'd be willing to bet you have accidentally configured bind to refuse queries outside its authoritative zones (I can't tell from your post).

A couple of things to check:

1) Is recursion on?
2) What is the setting for "allow-query" either globally or within the zone statements?
 
Old 08-31-2005, 11:51 AM   #5
KasperLotus
LQ Newbie
 
Registered: Aug 2005
Distribution: Fedora Core 6
Posts: 21

Original Poster
Rep: Reputation: 15
How do I set and check recursion? And the dig connection wasn't refused, a firefox connection was refused.
 
Old 08-31-2005, 10:48 PM   #6
Darvocet
Member
 
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66

Rep: Reputation: 15
Quote:
Originally posted by KasperLotus
How do I set and check recursion? And the dig connection wasn't refused, a firefox connection was refused.
Usually recursion is on by default, however you can double check it by setting the

recursion on;

in the named.conf. Recursion needs to be on for local dns or for the machine to cache answers in my experience.
 
Old 09-04-2005, 11:27 PM   #7
aznluvsmc
Member
 
Registered: Aug 2004
Location: Newmarket, Ontario
Distribution: OpenSuse 10.2
Posts: 184

Rep: Reputation: 30
If you were refused trying to access a website then it's most likely a setting on the web server. Double check the settings if it's your own server or contact the admin of that server to find out about the issue.
 
Old 09-05-2005, 01:54 AM   #8
Fredstar
Member
 
Registered: Jul 2004
Location: Rochester, NY
Distribution: Fedora9::FreeBSD7.1
Posts: 296

Rep: Reputation: 30
One answer chcon

for your name server.

The problem is that although named starts off as root it is still denied when it tries to write the pid file. This is because it does not, by default, have the correct setup for the directory (this problem is the same with apache and other system run processes)

fixing this

cd /var/run/
ls -Z

should return

## I have the chmod high because I was stumped by the permission denied, this will change

Code:
drwxrwxr-x  named    named    system_u:object_r:named_var_run_t named
However, the important part is system_u (the user) and named_var_run_t (the type). If this is not what you see, the following should fix this.

Code:
chcon -u system_u -t named_var_run_t /var/run/named/
next restart bind with user named

Code:
named -u named
To make sure all went well it's always good to check /var/log/messages in case something went wrong with start up or zonefiles.

for apache (2) -

basically the same thing only difference is the -t (type)

//this must be set for all directories you wish to have apache webserver access
Code:
chcon -Rt httpd_sys_content_t /your/DocumentRoot/
just to check and make sure everything works ok

Code:
ls -dZ /your/DocumentRoot/
should return

Code:
drwxr-xr-x  your_user     its_group system_u:object_r:httpd_sys_content_t YOUR-DOCUMENT-ROOT
Note that if the user is not system_u then you should change it, and all sub-directories, with
Code:
chcon -Ru system_u /your/DocumentRoot


hope this helps!!

edited to disable smiles

Last edited by Fredstar; 09-05-2005 at 01:59 AM.
 
Old 09-05-2005, 08:40 PM   #9
KasperLotus
LQ Newbie
 
Registered: Aug 2005
Distribution: Fedora Core 6
Posts: 21

Original Poster
Rep: Reputation: 15
After the chcon command on several directories which were problematic, I ran "service named start" and got this error in the log file. It failed to start.

audit(1125967391.931:21): avc: denied { write } for pid=2967 comm="named" name=named dev=hda1 ino=613281 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir

Apparently, root is still the user, but when I run ls -Z it appears that system_u is the user....o_O

edited to disable smilies
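
One way to read the denial quoted in the post above, as an added example that is not part of the original thread: the script splits the AVC record into the permission, the object class and the user:role:type parts of the source and target contexts. The function names are hypothetical, and comparing the target against named_var_run_t (the type set by the chcon command in post #8) is an assumption about what a reader would want to check.

```python
import re
# AVC denial copied from the post above.
SAMPLE = ('audit(1125967391.931:21): avc: denied { write } for pid=2967 '
          'comm="named" name=named dev=hda1 ino=613281 '
          'scontext=root:system_r:named_t '
          'tcontext=system_u:object_r:named_zone_t tclass=dir')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def split_context(ctx):
    """Split user:role:type[:level] into its parts (level may be absent)."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not an SELinux context: {ctx!r}')
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'level': parts[3] if len(parts) > 3 else None}

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs after "for"; values may be double-quoted
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    fields = {k: v.strip('"') for k, v in fields.items()}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields['tclass'],
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
    }

def summarize(avc, expected_type=None):
    """One-line reading of the denial: source type, permission, class, target type."""
    text = (f"{avc['comm']} (type {avc['source']['type']}) denied "
            f"{','.join(avc['perms'])} on {avc['tclass']} '{avc['name']}' "
            f"labelled {avc['target']['type']}")
    if expected_type and avc['target']['type'] != expected_type:
        text += f"; label is not {expected_type}"
    return text

if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE), expected_type='named_var_run_t'))
```

Type enforcement rules are written against the source type, the target type, the class and the permission, so those are the fields to compare with the output of ls -Z; the user part of scontext (root here) is a separate field of the label.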
 
Old 09-06-2005, 10:16 PM   #10
Fredstar
Member
 
Registered: Jul 2004
Location: Rochester, NY
Distribution: Fedora9::FreeBSD7.1
Posts: 296

Rep: Reputation: 30
Odd..

Did you make sure to set the type correctly?

Cause that was the big problem mine had when it wasn't running.
 
Old 09-07-2005, 01:20 AM   #11
KasperLotus
LQ Newbie
 
Registered: Aug 2005
Distribution: Fedora Core 6
Posts: 21

Original Poster
Rep: Reputation: 15
Yeah, I made sure of that. I actually got it working by turning off the SELinux protection for the name server daemon and voila, it ran without an error. Thanks for all your help though.

Cheers.
 
  


All times are GMT -5. The time now is 04:47 AM.
